A toot by Doug Levin yesterday reminded me that I haven’t posted NYS Comptroller audits of school districts in a while. So here are three to get caught up:
Jericho Union Free School District – Acceptable Use Policy (2022M-194)
Issued Date: July 21, 2023
Audit Objective
Determine whether Jericho Union Free School District (District) officials helped safeguard personal, private and sensitive information (PPSI) by developing controls and communicating an acceptable use policy (AUP) to business office staff.
Key Findings
District officials did not help safeguard PPSI by developing and communicating a comprehensive AUP to business office staff. As a result, PPSI related to District employees and finances could be exposed because some websites may be malicious or contain code to compromise a user’s computer or prompt the user to perform activities that may result in malware infection or PPSI exposure. In addition to sensitive information technology (IT) weaknesses that were communicated confidentially to officials, we found:
- All nine business office employees, including the Assistant Superintendent for Business Affairs (ASB), were not aware that they were expected to follow the Computer Network and Internet Student Acceptable Use policy or what the District considers to be appropriate and inappropriate Internet use.
- District officials did not periodically review web histories to determine whether any employee’s web browsing was inappropriate.
Key Recommendations
- Ensure the AUP is updated, or administrative regulations are developed, to provide guidance for business office staff that defines acceptable Internet use and browsing.
- Ensure business office staff who utilize computers are adequately informed of the regulations.
District officials disagreed with certain aspects of our findings and recommendations. Appendix B includes our comments on issues raised in the District’s response letter.
West Hempstead Union Free School District – Nonstudent Network User Account Controls (2023M-9)
Issued Date: July 14, 2023
Audit Objective
Determine whether West Hempstead Union Free School District (District) officials established adequate controls over nonstudent network user accounts to help prevent unauthorized use, access and loss.
Key Findings
District officials did not establish adequate controls over nonstudent network user accounts to help prevent unauthorized use, access and loss. In addition to sensitive information technology (IT) control weaknesses that were communicated confidentially to officials, we found that the Board of Education (Board) and District officials did not:
- Develop and adopt policies and procedures addressing key network user access controls, such as user account management, password security and user account controls.
- Disable 60 of the District’s enabled nonstudent network accounts (11 percent) that were not needed. Twenty-two of these accounts (37 percent) have not been used in more than five years, with the oldest being last used more than 10 years ago. These accounts include:
- 53 former employee network accounts, and
- 7 network service accounts used for hardware devices and email aliases.
Key Recommendations
- Adopt comprehensive network user account policies and procedures addressing securing user accounts with passwords and adding, disabling and changing user access.
- Periodically review user access for all nonstudent network user accounts and disable user accounts when access is no longer needed.
District officials disagreed with certain aspects of our findings and recommendations, but indicated they have initiated or plan to initiate corrective action. Appendix B includes our comments on issues raised in the District’s response letter.
Sewanhaka Central High School District – Business Office Information Technology Systems (2023M-12)
Issued Date: June 30, 2023
Audit Objective
Determine whether Sewanhaka Central High School District (District) officials developed an information technology (IT) contingency plan to help secure and protect business office IT systems in the event of a disruption or disaster.
Key Findings
District officials did not develop an IT contingency plan to help them adequately secure and protect business office IT systems in the event of a disruption or disaster.
Without a comprehensive written IT contingency plan in place that is properly distributed to all business office staff and periodically tested for efficacy, District officials have less assurance that employees and other responsible parties will react quickly and effectively to maintain business continuity. As a result, important financial and other business office data could be lost or suffer a disruption to operations.
Additional sensitive IT control weaknesses were communicated confidentially to District officials.
Key Recommendations
- Develop, adopt and test a written IT contingency plan and communicate it to appropriate officials and employees.
District officials agreed with our findings and have initiated or plan to initiate corrective action.