Audit Objective
Determine whether Montauk Union Free School District (District) officials secured access to the network and financial application and developed an information technology (IT) contingency plan.
Key Findings
Although District officials restricted access to the financial application, they did not adequately secure access to the network or develop an IT contingency plan. As a result, there is an increased risk that the network may be accessed by unauthorized individuals, data will be lost and the District may not be able to recover from a network disruption or disaster. In addition to sensitive IT control weaknesses that were confidentially communicated to officials, we found:
- Twenty-five percent, or 140, of the District’s network user accounts were not needed.
- Two unknown individuals had an active network user account.
- IT security awareness training was not provided.
Since 2013-14, external auditors have annually recommended that the District develop an IT contingency plan. However, the District never developed the plan and could not provide a reasonable explanation for failing to do so.
Key Recommendations
- Periodically review network user accounts and disable any unnecessary accounts as soon as they are no longer needed.
- Provide periodic IT security awareness training.
- Develop and adopt a comprehensive written IT contingency plan.
District officials generally agreed with our recommendations and indicated they planned to initiate corrective action. Appendix B includes our comment on an issue raised in the District’s response letter.