East Syracuse Minoa Central School District – Information Technology (2020M-174)

Background

The District serves the Towns of Manlius, Cicero, and Dewitt in Onondaga County and the Town of Sullivan in Madison County. The District is governed by a nine-member Board of Education (Board) responsible for the general management and control of financial and educational affairs.

The Superintendent of Schools is the chief executive officer responsible for District administration. The Executive Director of Planning, Development and Technology (IT Director) is responsible for the overall management of the District’s IT infrastructure.

Quick Facts
Network User Accounts: 5,058
Non-Student Network User Accounts: 990
Desktop, Laptop and Tablet Computers: 5,952
Employees: 664
Student Enrollment: 3,386

Audit Period

July 1, 2019 – August 17, 2020

Issued Date
June 04, 2021

Audit Objective

Determine whether East Syracuse Minoa Central School District (District) officials established adequate information technology (IT) controls to ensure employees’ personal, private and sensitive information (PPSI) on the financial server was adequately protected from unauthorized access, use and loss.

Key Findings

District officials did not adequately apply established IT controls to ensure PPSI was protected from unauthorized access, use and loss. District officials did not:

  • Adequately manage user accounts and permissions.
    • Five individuals left employment between 2015 and 2019 but still had active user accounts.
    • Five employees had unnecessary user permissions and 16 active contractor accounts were not needed, including three accounts that were created in 2015 and 2016.
  • Ensure contractors signed the acceptable use policy (AUP) forms and retain the forms on file.

Sensitive IT control weaknesses were communicated confidentially to officials.

Key Recommendations

  • Routinely review network user accounts and disable unnecessary accounts in a timely manner.
  • Remove financial software user permissions not needed based on job duties.
  • Ensure signed AUP forms are retained.

District officials agreed with our recommendations and indicated they plan to initiate corrective action.