Audit Objective
Determine whether the Dryden Central School District’s (District) Board of Education (Board) and District officials adequately safeguarded personal, private and sensitive information (PPSI) from abuse or loss.
Key Findings
The Board and District officials did not adequately safeguard PPSI. Officials did not:
- Ensure information technology (IT) policies were up to date with current technology changes and that existing policies were enforced (or enforceable).
- Regularly review user accounts and disable any unnecessary accounts, maintain up-to-date IT asset inventory records or enter into adequate written contracts with all IT service providers.
In 2018, the District was the victim of a ransomware attack. The Director of Information Technology Services (IT Director) failed to determine whether any data was taken or notify either those affected by the security breach or the Board and Superintendent of the attack.
In addition, sensitive IT control weaknesses were communicated confidentially to officials.
Key Recommendations
- Review and modify IT policies to ensure they are enforceable within their IT environment.
- Evaluate all existing user accounts, periodically review them for necessity and appropriateness, and ensure adequate written contracts are entered into with all IT service providers.
District officials agreed with our recommendations and indicated they will take corrective action.