Audit Objective
Determine whether Tompkins-Seneca-Tioga Board of Cooperative Educational Services (BOCES) officials ensured network access and information technology (IT) assets were properly safeguarded.
Key Findings
BOCES officials did not ensure network access and IT assets were properly safeguarded from unauthorized use, access and loss. In addition, sensitive IT control weaknesses were communicated confidentially to officials. Officials did not:
- Periodically review and disable unneeded network user accounts, resulting in 61 unnecessary accounts.
- Provide adequate IT security awareness training for all employees and contractors.
- Periodically update the IT asset inventory records.
Key Recommendations
- Establish written procedures for adding, modifying, and disabling network user accounts; regularly review existing accounts and disable any unneeded accounts.
- Preserve historical data from IT security awareness training to assess and provide adequate training to users.
- Periodically update the IT asset inventory.
BOCES officials generally agreed with our recommendations and indicated they have initiated corrective action.