Audits from the New York State Comptroller found that multiple school districts across the state have significant issues managing network user accounts, including controlling user access, deleting old user accounts, and ensuring network security.
New York State Comptroller Thomas D. DiNapoli released a handful of audits earlier this month that examined multiple school districts, specifically examining how they manage their networks.
North Salem Central School District
In an audit of North Salem Central School District, DiNapoli was looking to determine whether school district officials ensured network user accounts were adequately managed.
The audit found that district officials did not ensure network user accounts were adequately managed. The comptroller said it found sensitive IT control weaknesses, which the comptroller’s office communicated confidentially to officials. Additionally, the comptroller found that district officials should have developed procedures for granting, changing, and disabling network user accounts, and should have ensured that IT staff disabled 181 unneeded network user accounts.
In terms of recommendations, the comptroller said district officials should:
- Develop procedures for granting, changing, and disabling network user accounts, and ensure that employees implement and comply with the procedures.
- Maintain a list of authorized user accounts and routinely evaluate and disable any unneeded network user accounts.
In the audit report, the comptroller said district officials agreed with the recommendations and have initiated or indicated they planned to initiate corrective action.
Hilton Central School District
The comptroller said the goal of the audit was to determine whether Hilton Central School District officials ensured network access controls were adequate.
The audit found that district officials did not ensure that network access controls were adequate. As a result, the comptroller said that data and personal, private, and sensitive information (PPSI) are at greater risk for unauthorized access, misuse, or loss.
In addition to sensitive network access control weaknesses that were confidentially communicated to officials, the comptroller found that district officials did not establish written policies or adequate written procedures for managing network user account access, including adding or disabling user accounts and permissions. The audit also found that the district had 230 unneeded enabled network user accounts, including accounts for former students, former employees, and others who were no longer providing services to the district.
As part of the audit, the comptroller said district officials need to:
- Establish adequate written policies and procedures for managing network user account access.
- Regularly review network user accounts and disable unneeded accounts in a timely manner.
District officials agreed with the comptroller’s findings and indicated they have initiated corrective action.
Amherst Central School District
In its audit, the comptroller explored whether Amherst Central School District officials secured user account access to the network and managed user accounts and permissions in financial and student information applications.
The comptroller’s office found that district officials did not adequately secure user account access to the network or properly manage user accounts and permissions in financial and student information applications. As a result, there is a significant risk that network resources, financial data, and student information could be inappropriately altered, accessed, or used.
As with the other audits, the comptroller said it confidentially communicated sensitive control weaknesses to district officials. Additionally, the audit found that district officials did not disable unnecessary network user accounts or revoke unnecessary network user account access, and that as many as 1,570 accounts were unneeded but had not been disabled. The audit also found that the district did not disable unnecessary application user accounts or properly restrict permissions in the financial and student information applications.
As part of the audit, the comptroller said district officials should:
- Ensure that unnecessary network user accounts are disabled in a timely manner.
- Limit application permissions based on an account user’s job responsibilities.
District officials agreed with the audit’s findings and indicated they plan to initiate corrective action.
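The recommendations in all three audits come down to the same two controls: reconcile every enabled network account against an authoritative roster (plus an inactivity threshold), and compare each application account's permissions with what its job role allows. The following Python script is an added example, not code from the comptroller's reports or from any district's systems, that performs that review over constructed sample data; the roster, the accounts, the 90-day inactivity threshold and the role-to-permission matrix are all assumptions made for the illustration.

```python
"""Stale-account and excess-permission review, modelled on the audit recommendations.

Added example; every account, roster entry, date and permission set below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical policy: an enabled account with no logon in this many days is
# treated as unneeded even if its owner is still on the roster.
INACTIVITY_DAYS = 90

# Hypothetical least-privilege matrix: the permissions each application role may hold.
ALLOWED_PERMISSIONS: Dict[str, Set[str]] = {
    "teacher": {"grades.read", "grades.write", "attendance.write"},
    "clerk": {"ap.read", "ap.enter"},
    "business_official": {"ap.read", "ap.enter", "ap.approve", "payroll.read"},
    "student": {"grades.read"},
}


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_logon: Optional[date]            # None means the account has never logged on
    permissions: frozenset = frozenset()  # application permissions granted to the account


@dataclass(frozen=True)
class RosterEntry:
    username: str  # person currently authorized to hold an account
    role: str      # their job role, used to look up allowed permissions


def find_unneeded_accounts(accounts: List[Account], roster: List[RosterEntry],
                           today: date, inactivity_days: int = INACTIVITY_DAYS
                           ) -> List[Tuple[str, str]]:
    """Return (username, reason) for every enabled account that should be disabled."""
    authorized = {entry.username for entry in roster}
    cutoff = today - timedelta(days=inactivity_days)
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to do
        if acct.username not in authorized:
            findings.append((acct.username, "not on authorized roster"))
        elif acct.last_logon is None:
            findings.append((acct.username, "never logged on"))
        elif acct.last_logon < cutoff:
            findings.append((acct.username, f"no logon in {inactivity_days} days"))
    return findings


def find_excess_permissions(accounts: List[Account], roster: List[RosterEntry],
                            allowed: Dict[str, Set[str]] = ALLOWED_PERMISSIONS
                            ) -> List[Tuple[str, List[str]]]:
    """Return (username, sorted excess permissions) for accounts exceeding their role."""
    role_of = {entry.username: entry.role for entry in roster}
    findings = []
    for acct in accounts:
        if acct.username not in role_of:
            continue  # off-roster accounts are reported by find_unneeded_accounts
        excess = set(acct.permissions) - allowed.get(role_of[acct.username], set())
        if excess:
            findings.append((acct.username, sorted(excess)))
    return findings


# Constructed sample data: an HR/SIS roster and a directory export.
TODAY = date(2024, 6, 1)
ROSTER = [
    RosterEntry("jsmith", "teacher"),
    RosterEntry("mlee", "clerk"),
    RosterEntry("rpatel", "business_official"),
    RosterEntry("s12345", "student"),
    RosterEntry("bgreen", "teacher"),
    RosterEntry("nnew", "teacher"),
]
ACCOUNTS = [
    Account("jsmith", True, date(2024, 5, 28), frozenset({"grades.read", "grades.write"})),
    Account("mlee", True, date(2024, 5, 30), frozenset({"ap.read", "ap.enter", "ap.approve"})),
    Account("rpatel", True, date(2024, 5, 31),
            frozenset({"ap.read", "ap.enter", "ap.approve", "payroll.read"})),
    Account("s12345", True, date(2024, 5, 20), frozenset({"grades.read"})),
    Account("bgreen", True, date(2024, 1, 15), frozenset({"grades.read", "grades.write"})),
    Account("nnew", True, None),                 # new hire who has never signed in
    Account("s09876", True, date(2023, 6, 15)),  # former student, no longer on roster
    Account("tjones", True, date(2024, 1, 10), frozenset({"grades.read"})),  # former employee
    Account("kwong", False, date(2022, 3, 1)),   # already disabled, should be ignored
]

if __name__ == "__main__":
    for user, reason in find_unneeded_accounts(ACCOUNTS, ROSTER, TODAY):
        print(f"DISABLE {user}: {reason}")
    for user, extra in find_excess_permissions(ACCOUNTS, ROSTER):
        print(f"REVIEW {user}: permissions beyond role -> {', '.join(extra)}")
```

Run against the sample data, the script flags four enabled accounts to disable (one stale, one never used, two off-roster) and one clerk holding an approval permission that belongs only to the business official role. In practice the roster would come from the HR and student-information systems and the account list from a directory export, and the review would be scheduled to run regularly rather than once.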