[read complete report - pdf]

Audit Objective

Determine whether Oneida-Herkimer-Madison Board of Cooperative Educational Services (BOCES) officials ensured:

• Security awareness training was provided,
• Information technology (IT) assets were accessed for appropriate purposes, and
• IT controls over BOCES’ network and financial system were adequate to safeguard information.

Key Findings

BOCES officials did not regularly provide formalized IT security awareness training, assess computer usage to confirm IT assets were used for appropriate purposes or establish adequate controls to safeguard information contained in the network and financial system.

• Personal Internet use was found on computers.
• Network and application user accounts were not properly managed.
• No Disaster Recovery Plan was developed.

Sensitive IT control weaknesses were communicated confidentially to BOCES officials.

Key Recommendations

• Provide periodic IT security awareness training.
• Monitor employee Internet use.
• Develop stronger IT controls.

BOCES officials agreed with our findings and indicated they plan to initiate corrective action.