The NYS Comptroller’s Office released a number of IT audit reports for k-12 public school districts this month. Their findings will come as no surprise to regular readers of this site.
Belleville-Henderson Central School District: You can read the complete report here (pdf), although the state omitted sensitive details from the public report that it communicated confidentially to the district. The summary was as follows:
Audit Objective
Determine whether District officials ensured employees’ personal, private, and sensitive information (PPSI) was adequately protected from unauthorized access, use and loss.
Key Findings
- District officials did not provide IT security awareness training to all employees.
- District officials did not develop procedures for managing, limiting and monitoring user accounts and permissions and securing personal, private and sensitive information.
- The District did not have a disaster recovery plan.
Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.
Key Recommendations
- Provide periodic IT security awareness training to all employees who use IT resources.
- Develop written procedures for managing access to the network and financial application.
- Develop and adopt a disaster recovery plan.
District officials agreed with our recommendations and indicated they had already taken or planned to take corrective action.
Evans-Brant Central School District: You can read the whole report here (pdf), but once again, information was excluded from the public report that was provided to the district. Here’s the summary:
Audit Objective
Determine whether information technology (IT) assets are properly safeguarded, secured and accessed for appropriate District purposes.
Key Findings
- District officials did not provide IT security awareness training for individuals who used District IT assets.
- Personal Internet use was found on computers assigned to four employees who routinely accessed personal, private and sensitive information (PPSI).
In addition, sensitive IT control weaknesses were communicated confidentially to District officials.
Key Recommendations
- Provide periodic IT security awareness training.
- Provide adequate oversight of employee Internet use to ensure it complies with Board policies and regulations.
District officials agreed with our findings and recommendations and indicated they planned to initiate corrective action.
Charlotte Valley Central School District: You can read the full report here (pdf), but here’s the summary:
Audit Objective
Determine whether the Board and District officials ensured District information technology (IT) assets and computerized data were safeguarded.
Key Findings
- The Board and District officials did not monitor computer use policies or adopt adequate IT security policies.
- District officials did not develop procedures for managing, limiting and monitoring user accounts and permissions and securing personal, private and sensitive information (PPSI).
- District officials did not provide IT security awareness training for District employees.
In addition, sensitive IT control weaknesses were communicated confidentially to District officials.
Key Recommendations
- Adopt and monitor comprehensive IT security policies.
- Develop comprehensive procedures for managing, limiting and monitoring user accounts and permissions and securing PPSI.
- Provide periodic IT security awareness training to personnel who use IT resources.
District officials generally agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.
Poughkeepsie City School District: This one had more than one purpose. You can read the full report here (pdf), but here’s the summary:
Audit Objective
Determine whether the Board provided adequate oversight of extra-classroom activity (ECA) finances and properly safeguarded and secured the District’s information technology (IT) assets.Key Findings
- Student treasurers and faculty advisors did not maintain adequate supporting documentation for 25 deposits totaling $37,256.
- The central treasurer did not prepare timely reports for the Board or the auditor.
- IT assets valued at $11,397 were not included on the inventory list and could not be located.
Key Recommendations
- Maintain documentation for all ECA receipts.
- Ensure that the central treasurer reports to the Board and the auditor in a timely manner.
- Develop written policy and procedures for controls over equipment donated and purchased.
District officials agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.