NY State Comptroller DiNapoli released more school district audits last week. As always, DataBreaches.net looked to see which audits concerned IT security.
New Rochelle City School District – Information Technology (2021M-142)
Issued Date: December 17, 2021
Audit Objective
Determine whether New Rochelle City School District (District) officials established adequate controls over network and financial application user accounts to prevent unauthorized access, use and/or loss.
Key Findings
Officials did not establish adequate controls over network and financial application user accounts to prevent unauthorized use, access and/or loss. In addition to sensitive information technology (IT) control weaknesses which we communicated confidentially to officials, we found officials did not:
- Adequately manage network user accounts.
  - 84 former employees/vendors had active user accounts.
  - 35 generic user accounts that had never been used and were unnecessary.
- Ensure District procedures were followed to communicate financial application user account changes to the vendor.
Key Recommendations
Develop written procedures for managing network access that include periodically reviewing user access and disabling network user accounts when access is no longer needed.
Evaluate all existing financial application user accounts, disable any deemed unnecessary and periodically review for necessity and appropriateness.
District officials generally agreed with our recommendations and indicated they planned to initiate corrective action.
Spencer-Van Etten Central School District – Information Technology (2021M-155)
Issued Date: December 17, 2021
Audit Objective
Determine whether the Spencer-Van Etten Central School District (District) officials ensured District computerized data was safeguarded.
Audit Results
District officials have generally taken adequate steps towards helping to ensure computerized data was safeguarded through managing user accounts, providing adequate training and adopting and distributing a written information technology (IT) contingency plan.
However, certain sensitive IT control weaknesses and audit recommendations were communicated confidentially to officials.
District officials agreed with our audit results.