Issued Date
October 07, 2022
Audit Objective
Determine whether York Central School District (District) officials ensured network access controls were adequate.
Key Findings
District officials did not ensure that network access controls were adequate. Specifically:
- District officials did not comply with Board policy to ensure adequate network access control procedures were established including a comprehensive written disaster recovery plan.
- The District had 139 unneeded network user accounts and one account with unnecessary network administrative permissions.
- Officials paid $360,896 for information technology (IT) services in 2020-21 without documenting the specific services the IT vendor was contracted to provide.
In addition, sensitive network access control weaknesses were communicated confidentially to officials.
Key Recommendations
- Ensure officials enforce compliance with the data, network and security access policy.
- Disable unneeded network user accounts in a timely manner, and regularly review user accounts for necessity and appropriateness.
- Set written expectations for the District’s specific IT service needs.
District officials generally agreed with our recommendations and indicated they are initiating corrective action. Appendix B includes our comment on issues raised in the District’s response letter.