We also released three letter reports to the following community colleges: Corning Community College [pdf], Finger Lakes Community College [pdf] and, Monroe Community College [pdf].
Purpose of Audit
The purpose of our audit was to assess software management and website, web application and supporting server vulnerabilities for the period September 1, 2013 through April 30, 2015.
Background
Software management and website security are of particular importance to larger local governments, such as community colleges, that have many different users that perform a variety of functions. Typically, colleges will have several software applications and multiple licenses for each. Community colleges need an understanding of the software they own, how it us used and how best to track user rights to ensure licensing compliance. The three community colleges (Colleges) we audited have approximately 6,000 computers between them and budgeted a total of $12.7 million for IT appropriations in the 2014-15 fiscal year.
Key Findings
- Corning Community College and Monroe Community College have not adopted adequate acceptable use policies.
- None of the Colleges maintained a comprehensive inventory list of purchased software or associated licenses.
- We found installations of nonbusiness and nonacademic related software on College computers, including gaming, instant messaging, golf management and couponing programs as well as a virus.
Key Recommendations
- Update the acceptable use policy to include guidance related to software downloads and installations and enforcement and penalties for noncompliance.
- Maintain complete, comprehensive software inventory lists.
- Monitor users to ensure compliance with the acceptable use policy and review College computers to ensure installed software is appropriate.