The state comptroller has released two more school district audits of information technology.
Putnam Valley Central School District – Information Technology (2021M-154)
Audit Period July 1, 2019 – May 31, 2021. We extended the audit period forward through July 28, 2021 to complete IT testing.
Quick District Facts
- Local User Accounts 2,626
- Employees 502
- Student Enrollment 1,595
Audit Objective
Determine whether Putnam Valley Central School District’s (District) officials ensured information technology (IT) systems were adequately secured and protected against unauthorized use, access and loss.
Key Findings
District officials did not ensure IT systems were adequately secured and protected against unauthorized use, access and loss. Officials did not adopt a password security policy or manage the use of administrative accounts. As a result, the District has an increased risk of unauthorized use or access that could result in important data loss and a serious interruption in operations. Officials did not:
- Adopt an adequate password security policy to address password requirements.
- Create secondary user accounts for the IT system for three employees whose job responsibilities required administrative permissions, to be used for non-administrative activities.
In addition, sensitive IT control weaknesses were communicated confidentially to officials.
Key Recommendations
- Adopt comprehensive password security policy to address password requirements.
- Assess all local user accounts with administrative permissions and create secondary accounts to be used for non-administrative activities.
District officials generally agreed with our recommendations and indicated they planned to take corrective action.
Read the full report (pdf)
Hudson City School District – Information Technology (2020M-157)
Audit Period July 1, 2018 – January 31, 2020
Quick District Facts
- Network User Accountsa 3,292
- Computers 778
- Total Paid to IT Service Provider $142,209
- Employees and Students for the Hudson City School District 692
- Students 1,816
a These included 462 employee, 2,786 student and 44 generic accounts.
Audit Objective
Determine whether Hudson City School District (District) officials ensured information technology (IT) systems were adequately secured against unauthorized use, access and loss.
Key Findings
District officials did not adequately secure and protect the District’s IT systems against unauthorized use, access and loss. The Board and District officials did not:
- Adopt adequate IT policies or a disaster recovery plan.
- Ensure the acceptable use policy (AUP) was complied with, monitor the use of IT resources or provide IT security awareness training. We found questionable Internet use on four of six computers tested.
- Disable 123 of the 462 enabled network accounts we examined. These 123 user accounts were unneeded and included generic and former employee accounts.
Sensitive IT control weaknesses were communicated confidentially to officials.
Key Recommendations
- Adopt comprehensive IT policies and a disaster recovery plan, and provide periodic IT security awareness training to all employees who use IT resources.
- Develop written procedures for managing system access.
Read the full report (pdf)