Audit Objective
Determine whether the District’s network was adequately secure to protect the student management system (SMS) against unauthorized use, access and loss.
Key Findings
District officials did not:
- Establish written procedures for password management, wireless security, remote access and managing user access rights.
- Disable unneeded network user accounts and adequately restrict user permissions to the network and user computers based on job duties.
- Develop a written disaster recovery plan.
Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.
Key Recommendations
- Adopt comprehensive procedures over password management, wireless security and remote access.
- Develop procedures for adding, removing and modifying user access rights to the network and user computers.
- Evaluate user accounts and permissions and ensure unneeded user accounts are disabled and unnecessary permissions are removed.
- Develop a disaster recovery plan.
District officials agreed with our recommendations and indicated they had either already taken, or planned to take, corrective action.