Audit Objective
Determine whether Starpoint Central School District (District) officials adequately secured access to the network and properly managed user permissions to the financial and student information applications.
Key Findings
District officials did not adequately secure access to the network or properly manage user permissions to the financial and student information applications. In addition to sensitive information technology (IT) control weaknesses that were communicated confidentially to officials, District officials did not:
- Regularly review enabled network user accounts to ensure they were authorized and still needed. As a result, officials did not disable 44 former employee network user accounts. Some of the former employees left the District 13 years ago.
- Limit student information and financial application access rights and permissions based on a user’s job responsibilities.
As a result, compromised accounts may not be detected, and users have increased opportunities to make unauthorized or improper changes, improperly access students’ private and personal information and/or modify accounting records to conceal malicious transactions.
Key Recommendations
- Regularly review network user accounts for necessity and appropriateness and disable user accounts when they are not needed.
- Limit access rights and permissions to those needed for each user’s job responsibilities.
District officials generally agreed with our recommendations and indicated that they plan to take corrective action. Appendix B includes our comment on an issue raised in the District’s response.