[read complete report - pdf]

Audit Objective

Determine whether the Board of Education (Board) and Valley Central School District (District) officials ensured the District’s information technology (IT) systems were adequately secured and protected against unauthorized use, access and loss.

Key Findings

The Board and District officials did not ensure IT systems were adequately secured and protected.

• District officials did not monitor compliance with the District’s computer acceptable use policy.
• The District did not have a contingency plan to recover in the event of a significant service interruption.
• The Board did not physically control access to or establish environmental controls over the server room.

Sensitive IT control weaknesses were communicated confidentially to officials.

Key Recommendations

• Monitor compliance with the computer acceptable use policy.
• Adopt a contingency plan so that users know their duties during a significant service interruption.
• Establish physical security and environmental controls over the server room.

District officials generally agreed with our recommendations and indicated they planned to initiate corrective action.