Audit Objective
Determine whether Beacon City School District (District) officials ensured network user accounts were adequately managed.
Key Findings
District officials did not ensure network user accounts were adequately managed. Unnecessary enabled network user accounts are additional entry points into a network and, if accessed by attackers, could potentially be compromised or used for malicious purposes. In addition to sensitive information technology (IT) control weaknesses that we communicated confidentially to District officials, we found that officials did not:
- Disable 281 unneeded network user accounts of the 1,280 accounts reviewed, the oldest of which was last used to log into the network in October 2017 as of September 21, 2021. The accounts included:
- 153 student accounts,
- 89 nonstudent accounts, and
- 39 shared and service accounts.
- Develop written procedures for adding, modifying or disabling shared and service accounts.
Key Recommendations
- Disable unneeded network user accounts in a timely manner and periodically review network user accounts for necessity and appropriateness of access.
District officials agreed with our recommendations and indicated they plan to initiate corrective action.