Audit Objective
Determine whether the Oneida City School District’s (District) network was adequately secure to protect the student information system (SIS) against unauthorized use, access and loss.
Key Findings
The District’s network was not adequately secure to protect the SIS against unauthorized use, access and loss.
- District officials did not adequately manage user accounts or administrative permissions to limit access to assets and data.
- Some District computers were used for personal activity, increasing the likelihood of the District’s network being exposed to malicious software.
- A written disaster recovery plan was not made available to us or the Board of Education for review and approval.
Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.
Key Recommendations
- Review network user accounts and permissions, disable unnecessary accounts and remove excessive permissions.
- Monitor employees’ Internet use and enforce the District’s acceptable use policy (AUP).
- Ensure that a comprehensive written disaster recovery plan is developed and shared with key District officials.
District officials agreed with our recommendations and indicated they have initiated corrective action.