[read complete report - pdf]

Audit Objective

Determine whether the District’s network was adequately secure to protect the student management system (SMS) against unauthorized use, access and loss.

Key Findings

District officials did not:

• Establish written procedures for password management, wireless security, remote access and managing user access rights.
• Disable unneeded network user accounts and adequately restrict user permissions to the network and user computers based on job duties.
• Develop a written disaster recovery plan.

Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.

Key Recommendations

• Adopt comprehensive procedures over password management, wireless security and remote access.
• Develop procedures for adding, removing and modifying user access rights to the network and user computers.
• Evaluate user accounts and permissions and ensure unneeded user accounts are disabled and unnecessary permissions are removed.
• Develop a disaster recovery plan.

District officials agreed with our recommendations and indicated they had either already taken, or planned to take, corrective action.