Audit Objective
Determine whether Millbrook Central School District (District) officials established adequate controls over user accounts in order to prevent unauthorized access, use and/or loss.
Key Findings
Officials did not establish adequate controls over the District’s user accounts to prevent unauthorized use, access and loss. Officials also did not:
- Periodically review and disable unneeded network user accounts.
- 46 students were no longer enrolled but had active network user accounts.
- 13 individuals left employment between 2013 and 2020 but had active network user accounts.
- Nine generic accounts were last used between 2015 and 2018.
- Develop a breach notification policy, as required by New York State Technology Law.
Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.
Key Recommendations
- Develop written procedures for managing system access that include periodically reviewing user access and disabling user accounts when access is no longer needed.
- Develop a breach notification policy.
Town officials agreed with our recommendations and indicated they will take corrective action.