[read complete report - pdf]

Audit Objective

Determine whether Phelps-Clifton Springs Central School District (District) officials ensured network access controls were secure.

Key Findings

District officials did not ensure that the District’s network access controls were secure.

Officials did not:

• Regularly review network user accounts and permissions to determine whether they were appropriate or needed to be disabled. As a result, we identified 139 unneeded user accounts, 36 unneeded generic or shared user accounts and five user accounts with unnecessary administrator permissions.
• Maintain hardware or software inventory records.

In addition, sensitive information technology (IT) control weaknesses were communicated confidentially to officials.

Key Recommendations

• Regularly review network user accounts and disable those that are unnecessary.
• Maintain detailed, up-to-date inventory records for all computer hardware and software.

District officials agreed with our recommendations and indicated they have initiated or planned to initiate corrective action.