Audit Objective
Determine whether the Chittenango Central School District (District) officials adequately managed nonstudent network and local user account access and developed an Information Technology (IT) contingency plan.
Key Findings
District officials did not adequately manage nonstudent network and local user account access or develop an IT contingency plan. As a result, the District’s IT system and its personal, private and sensitive information (PPSI) may be accessible to unauthorized users. Officials also have less assurance that, in the event of a disruption or disaster such as a ransomware attack, employees and other responsible parties would be able to react quickly and effectively to help resume, restore, repair and/or rebuild critical IT systems or data in a timely manner.
In addition to sensitive IT control weaknesses we confidentially communicated to officials, we determined:
- Eighty-nine (15 percent) of the District’s nonstudent network user accounts were no longer needed and should have been disabled.
- Eleven of 21 local user accounts (52 percent) reviewed on 12 District computers were no longer needed.
Key Recommendations
- Disable unneeded nonstudent network and local user accounts as soon as they are no longer needed and periodically review user accounts for necessity.
- Develop and adopt a written IT contingency plan.
District officials agreed with our recommendations and indicated they have initiated or plan to initiate corrective action.