Audit Objective
Determine whether Hudson City School District (District) officials ensured information technology (IT) systems were adequately secured against unauthorized use, access and loss.
Key Findings
District officials did not adequately secure and protect the District’s IT systems against unauthorized use, access and loss. The Board and District officials did not:
- Adopt adequate IT policies or a disaster recovery plan.
- Ensure the acceptable use policy (AUP) was complied with, monitor the use of IT resources or provide IT security awareness training. We found questionable Internet use on four of six computers tested.
- Disable 123 of the 462 enabled network accounts we examined. These 123 user accounts were unneeded and included generic and former employee accounts.
Sensitive IT control weaknesses were communicated confidentially to officials.
Key Recommendations
- Adopt comprehensive IT policies and a disaster recovery plan, and provide periodic IT security awareness training to all employees who use IT resources.
- Develop written procedures for managing system access.