Suffolk County Community College - Information Technology (2018M-130)

Issued Date
November 30, 2018

[read complete report - pdf]

Audit Objective

Determine whether College officials adequately safeguarded the College website, financial and student information system and online banking from unauthorized access and misuse.

Key Findings

  • The College has:
    • 824 network user accounts (15 percent) that have not been used within the last six months and do not match current employees.
    • Four network user accounts with unnecessary administrative permissions and 131 financial and student information system user accounts with questionable permissions.
  • Employees responsible for safeguarding the College website are not required to attend cybersecurity training.

In addition, sensitive information technology (IT) control weaknesses were communicated confidentially to College officials.

Key Recommendations

  • Enforce written policy for managing network and system access.
  • Ensure employees receive relevant cybersecurity training at least annually.
  • Address the confidentially communicated IT recommendations.

College officials generally agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.