When, if ever, will there be actual consequences for school districts that still do not practice basic security hygiene? Comptroller DiNapoli has released yet another K-12 district IT audit where the results are so bad that they won’t make them public. From the state’s summary:
Audit Objective
Determine whether Mount Pleasant Central School District (District) officials established adequate controls over user accounts in order to prevent unauthorized use, access and/or loss.
Key Findings
District officials did not establish adequate controls over the District’s user accounts to prevent unauthorized use, access and/or loss. Officials did not:
- Monitor compliance with the District’s acceptable use policy (AUP).
- Adequately manage network user accounts.
Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.
Key Recommendations
- Develop and implement procedures to monitor compliance with the AUP.
- Develop written procedures for managing system access that include periodically reviewing user access and disabling network user accounts when access is no longer needed.
- Evaluate all existing network accounts, disable any deemed unnecessary and periodically review for necessity and appropriateness.
District officials generally agreed with our recommendations and initiated or indicated they plan to initiate corrective action.
Read the full report here, but the worst stuff is not in that, either.