Two more school district audits were released before the holiday.
Nanuet Union Free School District – Network User Accounts and Information Technology Contingency Plan (2022M-135)
Issued Date
December 09, 2022
Background
The District serves the Town of Clarkstown in Rockland County.
The District is governed by an elected seven-member Board of Education (Board) that is responsible for the general management and control of the District’s financial and educational affairs.
The Superintendent is the chief executive officer and is responsible, along with other administrative staff, for the day-to-day management under the Board’s direction.
The District’s Information Technology Director (IT Director) is responsible for overseeing the acquisition and use of District computer resources. The District contracted with the Lower Hudson Regional Information Center (LHRIC) for IT infrastructure support and the operation of a service desk.
Audit Period
July 1, 2020 – November 9, 2021
Audit Objective
Determine whether Nanuet Union Free School District (District) officials ensured network user accounts were needed and whether officials adopted an adequate Information Technology (IT) contingency plan.
Key Findings
District officials did not ensure network user accounts were needed, and did not adopt an adequate IT contingency plan. In addition to sensitive IT control weaknesses that we communicated confidentially to officials, we found that officials did not develop:
-
- Written procedures to identify and disable unnecessary network user accounts. As a result, we identified 18 generic accounts that should have been disabled.
- An adequate comprehensive IT contingency plan to minimize the risk of data loss or prevent a serious interruption of services.
Key Recommendations
-
- Develop written procedures for managing network user account access.
- Develop and adopt a comprehensive IT contingency plan and communicate it to appropriate officials and employees.
District officials generally agreed with our findings and indicated they plan to initiate corrective action.
Carle Place Union Free School District – Network User Account Controls (2022M-121)
Issued Date
December 16, 2022
Background
The District serves the Town of North Hempstead in Nassau County.
The District is governed by a five-member Board of Education (Board) that is responsible for managing and controlling the District’s financial and educational affairs. The Superintendent of Schools is the District’s chief executive officer and is responsible, along with other administrative staff, for the District’s day-to-day management under the Board’s direction.
The Director of Instructional Technology (Director) oversees the Office of Technology (IT office) and is responsible for establishing controls over District network user accounts. The District contracted with an outside vendor to provide two IT technicians who monitor and service the network under the Director’s supervision.
Audit Period
July 1, 2020 – February 9, 2022
Audit Objective
Determine whether Carle Place Union Free School District (District) officials established adequate controls over network user accounts.
Key Findings
District officials did not establish adequate controls over network user accounts. As a result, the District has an increased risk of unauthorized access to and use of its network and potential loss of important data. In addition to finding sensitive information technology (IT) control weaknesses that were confidentially communicated to officials, we found that District officials did not:
-
- Disable 52 unneeded employee network user accounts, 376 unneeded student network user accounts, 14 unneeded shared accounts and 25 unneeded service accounts.
- Establish written procedures for granting, verifying, changing and disabling network user account access.
Key Recommendations
-
- Establish written procedures for granting, verifying, changing and disabling network user account access.
- Disable network user accounts that are unneeded or have not been used after a specified period of inactivity.
District officials agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.