Audit Objective
Determine whether Uniondale Union Free School District (District) officials adequately managed nonstudent network user accounts and permissions.
Key Findings
District officials did not adequately manage nonstudent network user accounts and permissions. As a result, the District had an increased risk of unauthorized access to and use of the network and could potentially lose important data. In addition to sensitive information technology (IT) control weaknesses that were confidentially communicated to officials, we found that the Technology Supervisor did not:
- Establish written procedures for granting, changing and disabling nonstudent network user account access, and regularly review the accounts to ensure they are necessary.
- Disable 3,471, or 71 percent, of the District’s enabled nonstudent network user accounts that were not needed, including:
  - 1,824 individual user accounts, 515 of which were last used to log in to the network in 2003,
  - 1,647 shared and service user accounts, and
  - 12 network user accounts that had administrative permissions.
Key Recommendations
- Develop and adhere to written procedures for granting, changing and disabling nonstudent network user account access.
- Evaluate existing nonstudent network user accounts and disable them when access is no longer needed.
District officials agreed with our recommendations and indicated they plan to initiate corrective action.