New York State Comptroller DiNapoli Releases More School District Audits
Comptroller DiNapoli released more school district audits this week. As this site has done in the past, we are listing the ones that deal with information technology. The summaries are below; the links take you to the fuller reports, but as as always: (1) the results are not good (to put it as diplomatically as I can while wanting to scream), and (2) the reports omit sensitive information that was told to the districts verbally so as not to expose them to more risk.
District officials did not establish adequate internal controls to safeguard the district’s user accounts. Specifically, network user accounts were not adequately managed. Officials did not monitor compliance with the district’s acceptable use policy. The board also did not adopt adequate information technology (IT) policies or a disaster recovery plan. Sensitive IT control weaknesses, including issues related to software updates, were communicated confidentially to officials.
Officials did not establish adequate controls over the district’s user accounts to prevent unauthorized use, access and loss. Officials also did not periodically review and disable unneeded network user accounts.
The audit found 46 unenrolled students had active network user accounts and 13 former employees who left between 2013 and 2020 also had active network user accounts. In addition, auditors found nine generic accounts last used between 2015 and 2018. Officials also did not develop a breach notification policy, as required by New York State Technology Law. Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.