The NYS Comptroller’s Office recently released more audits of school districts. Here are two of them:
Whitney Point Central School District – Information Technology (IT) (Broome County)
Audit Period
July 1, 2021 – February 24, 2023.
We extended our audit period to August 31, 2023 to review backup restoration results and November 16, 2023 to review updates to certain user accounts.Audit Objective
Determine whether Whitney Point Central School District (District) officials adequately managed nonstudent network user accounts and developed and adopted a comprehensive information technology (IT) contingency plan.
Key Findings
District officials did not adequately manage nonstudent network user accounts, which are network user accounts not specifically assigned to a student (e.g., authorized staff, third-party vendors and shared accounts). Officials also did not adopt an IT contingency plan and were unaware of all the network users that had access to the District’s network. When nonstudent network user accounts are not adequately managed and an IT contingency plan is not adopted, the District has an increased risk that it could suffer a serious interruption to operations due to the risk to the network and potential inability to communicate during a disruption.
In addition to sensitive IT control weaknesses that we confidentially communicated to officials, District officials did not disable 19 nonstudent network user accounts (4 percent) that were not needed and/or used in more than five years. All of these user accounts were subsequently deleted during our audit fieldwork.
Key Recommendations
- Develop written procedures for managing nonstudent network user accounts that include periodically reviewing user access and disabling unneeded and/or unused accounts.
- Adopt a comprehensive IT contingency plan, update the plan as needed and distribute it to all responsible parties.
District officials generally agreed with our recommendations and have indicated they planned to initiate corrective action. Appendix B includes our comment on an issue that was raised in the District’s response letter.
Read the complete report (pdf).
Charter School of Educational Excellence – Information Technology
Audit Period
July 1, 2021 – May 24, 2023
Audit Objective
Determine whether the Charter School of Educational Excellence (School) Board of Trustees (Board) and officials secured student data to help protect it from unauthorized access and developed and adopted a comprehensive information technology (IT) contingency plan.
Key Findings
The Board and officials did not adequately secure student data to help protect it from unauthorized access or develop an IT contingency plan. As a result, there was an increased risk of unauthorized access to student personal, private and sensitive information (PPSI) and personally identifiable information (PII), and that the School could suffer a serious interruption to operations since its ability to communicate during a disruption or disaster could affect the timely processing of its business functions. In addition to sensitive IT control weaknesses which we communicated confidentially to School officials, we found:
- School employees did not have guidance on how to properly identify and secure sensitive student data.
- Three out of six tested users of the cloud-based application used for School operations stored sensitive student data without adequate protection, and 12 of the 125 users of the cloud-based Student Information System (SIS) had excessive or unnecessary access to view and modify sensitive student data.
Key Recommendations
- Review, revise (if necessary), adopt and communicate the data classification policy to employees.
- Ensure all access to sensitive student data is based on needs and job responsibilities.
- Develop a written IT contingency plan.
School officials agreed with our recommendations and have initiated, or indicated they planned to initiate, corrective action.
Read the complete report (pdf)