Issued Date
November 08, 2024
Audit Objective
Determine whether Edgemont Union Free School District (District) officials disabled unnecessary user accounts in a timely manner.
Key Findings
The IT Director did not disable unnecessary user accounts in a timely manner. As a result, the District had an increased risk of unauthorized access to and use of the network and could potentially lose important data. In addition to sensitive information technology (IT) control weaknesses that we communicated confidentially to officials, we reviewed all 665 nonstudent network user accounts and determined that District officials did not:
- Disable 34 unneeded network user accounts that had last login dates ranging from July 29, 2021 to July 1, 2023. The accounts included:
- 14 former employee accounts,
- 12 consultant accounts, and
- Eight service accounts.
- Develop written procedures for adding, modifying or disabling nonstudent network user accounts.
Key Recommendations
- Ensure that written procedures for disabling network user account access are implemented and followed.
- Maintain a list of authorized user accounts and routinely evaluate and disable any unneeded network user accounts in a timely manner.
District officials generally agreed with our findings and recommendations and indicated they will initiate corrective action.