[read complete report - pdf]

Audit Objective

Determine whether Marlboro Central School District (District) officials established adequate controls over network user accounts and settings.

Key Findings

District officials did not establish adequate controls over network user accounts and settings.

• Officials did not regularly review network user accounts and permissions to determine whether they were appropriate or needed to be disabled.
• 79 percent (71 network user accounts and 14 generic and/or shared user accounts) of the reviewed accounts were unneeded or questionable accounts.
• Officials developed a data security plan in January 2010 that included password security and user account management policies and procedures; however, the Board did not adopt the policy and the practice was not implemented.

Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.

Key Recommendations

• Develop written procedures for managing system access.
• Restrict the use of shared network user accounts.

District officials agreed with our recommendations and indicated they are taking corrective action.