Audit Objective
Determine whether Hastings-on-Hudson Union Free School District (District) officials ensured that unneeded network user accounts were disabled in a timely manner.
Key Findings
District officials did not ensure that unneeded network user accounts were disabled in a timely manner. As a result, 21 percent of the District’s network user accounts were unneeded and additional entry points that could have been used to inappropriately access the network and view personal, private and sensitive information (PPSI), make unauthorized changes to records, deny legitimate access to electronic information, or gain access to or control over other information technology (IT) functions.
In addition to sensitive IT control weaknesses we communicated confidentially to District officials, we found that officials did not:
- Convey management’s expectations for managing network user accounts through written policies and procedures.
- Disable 551 unneeded network user accounts. These accounts had last log on dates ranging from March 2014 to November 2022.
Key Recommendations
- Convey management’s expectations for managing network user accounts through written policies and procedures.
- Routinely evaluate network user accounts for necessity, disable any unneeded accounts and monitor staff to ensure unneeded accounts are disabled in a timely manner.
District officials agreed with our findings and recommendations and indicated they plan to initiate corrective action.