Audit Objective
Determine whether Southern Westchester Board of Cooperative Educational Services (BOCES) officials secured nonstudent network user accounts, maintained adequate inventory records for information technology (IT) equipment and developed an IT contingency plan.
Key Findings
BOCES officials did not adequately secure nonstudent network user accounts, maintain complete and accurate IT inventory records and develop an IT contingency plan. As a result, BOCES officials cannot ensure that IT systems, which contain personal, private and sensitive information (PPSI), along with physical IT assets, are properly safeguarded from inappropriate use and access.
In addition to sensitive IT control weaknesses that we communicated confidentially to BOCES officials, we determined that:
- 101 enabled nonstudent network accounts were no longer needed and, if accessed by attackers, could be used to inappropriately access and view personal, private and sensitive information or disable the network.
- 16 IT assets could not be traced to or from BOCES’ inventory system and 40 IT assets were not properly recorded in the system.
Key Recommendations
- Develop written procedures for managing network user accounts.
- Maintain complete, accurate and up-to-date inventory records.
- Develop and adopt a comprehensive written IT contingency plan.
BOCES officials agreed with our findings and indicated they have initiated corrective action.