Montauk Union Free School District – Information Technology (2022M-137)
Audit Objective
Determine whether Montauk Union Free School District (District) officials secured access to the network and financial application and developed an information technology (IT) contingency plan.
Background
The District is located in the Town of East Hampton in Suffolk County and operates one school (prekindergarten through eighth grade).
The District is governed by an elected five-member Board of Education (Board) responsible for the general management and control of the District’s financial and educational affairs. The Superintendent of Schools (Superintendent) is the chief executive officer and is responsible, along with other administrative staff, for the District’s day-to-day management under the Board’s direction.
The Treasurer is responsible for managing the District’s financial operations and setting up users within the financial application. One of the District’s teachers is responsible for managing the District’s IT systems and assets (IT Director).
Audit Period
July 1, 2020 – July 15, 2022
Key Findings
Although District officials restricted access to the financial application, they did not adequately secure access to the network or develop an IT contingency plan. As a result, there is an increased risk that the network may be accessed by unauthorized individuals, data will be lost and the District may not be able to recover from a network disruption or disaster. In addition to sensitive IT control weaknesses that were confidentially communicated to officials, we found:
-
- Twenty-five percent, or 140, of the District’s network user accounts were not needed.
- Two unknown individuals had an active network user account.
- IT security awareness training was not provided.
Since 2013-14, external auditors have annually recommended that the District develop an IT contingency plan. However, the District never developed the plan and could not provide a reasonable explanation for failing to do so.
Key Recommendations
-
- Periodically review network user accounts and disable any unnecessary accounts as soon as they are no longer needed.
- Provide periodic IT security awareness training.
- Develop and adopt a comprehensive written IT contingency plan.
District officials generally agreed with our recommendations and indicated they planned to initiate corrective action. Appendix B includes our comment on an issue raised in the District’s response letter.