Audit Objective
Determine whether West Hempstead Union Free School District (District) officials established adequate controls over nonstudent network user accounts to help prevent unauthorized use, access and loss.
Key Findings
District officials did not establish adequate controls over nonstudent network user accounts to help prevent unauthorized use, access and loss. In addition to sensitive information technology (IT) control weaknesses that were communicated confidentially to officials, we found that the Board of Education (Board) and District officials did not:
- Develop and adopt policies and procedures addressing key network user access controls, such as user account management, password security and user account controls.
- Disable 60 of the District’s enabled nonstudent network accounts (11 percent) that were not needed. Twenty-two of these accounts (37 percent) have not been used in more than five years, with the oldest being last used more than 10 years ago. These accounts include:
- 53 former employee network accounts, and
- 7 network service accounts used for hardware devices and email aliases.
Key Recommendations
- Adopt comprehensive network user account policies and procedures addressing securing user accounts with passwords and adding, disabling and changing user access.
- Periodically review user access for all nonstudent network user accounts and disable user accounts when access is no longer needed.
District officials disagreed with certain aspects of our findings and recommendations, but indicated they have initiated or plan to initiate corrective action. Appendix B includes our comments on issues raised in the District’s response letter.