Audit Objective
Determine whether Whitney Point Central School District (District) officials adequately managed nonstudent network user accounts and developed and adopted a comprehensive information technology (IT) contingency plan.
Key Findings
District officials did not adequately manage nonstudent network user accounts, which are network user accounts not specifically assigned to a student (e.g., authorized staff, third-party vendors and shared accounts). Officials also did not adopt an IT contingency plan and were unaware of all the network users that had access to the District’s network. When nonstudent network user accounts are not adequately managed and an IT contingency plan is not adopted, the District has an increased risk of a serious interruption to operations, because of the risk to the network and the potential inability to communicate during a disruption.
In addition to sensitive IT control weaknesses that we confidentially communicated to officials, District officials did not disable 19 nonstudent network user accounts (4 percent) that were not needed and/or had not been used in more than five years. All of these user accounts were subsequently deleted during our audit fieldwork.
Key Recommendations
- Develop written procedures for managing nonstudent network user accounts that include periodically reviewing user access and disabling unneeded and/or unused accounts.
- Adopt a comprehensive IT contingency plan, update the plan as needed and distribute it to all responsible parties.
District officials generally agreed with our recommendations and have indicated they plan to initiate corrective action. Appendix B includes our comment on an issue that was raised in the District’s response letter.