Audit Objective
Determine whether Westhill Central School District (District) officials implemented adequate information technology (IT) controls over the District Office’s network to safeguard personal, private and sensitive information (PPSI).
Key Findings
District officials did not implement adequate IT controls over the District Office’s network to safeguard PPSI. District officials did not:
- Monitor employee Internet use.
  - Eight of 10 employees’ computers we reviewed were used for personal Internet activity.
- Properly manage network user accounts.
  - We examined all 31 enabled network user accounts on the District Office domain controller and found six unneeded network user accounts, seven shared user accounts and three user accounts with unneeded administrative permissions.
- Provide formalized IT security awareness training to staff.
Sensitive IT control weaknesses were communicated confidentially to District officials.
Key Recommendations
- Monitor employee Internet use.
- Ensure network user accounts are properly managed.
- Provide IT security awareness training.
District officials generally agreed with our audit findings and recommendations and indicated they would take corrective action.