Determine whether East Syracuse Minoa Central School District (District) officials established adequate information technology (IT) controls to ensure employees’ personal, private and sensitive information (PPSI) on the financial server was adequately protected from unauthorized access, use and loss.
District officials did not adequately apply established IT controls to ensure PPSI was protected from unauthorized access, use and loss. District officials did not:
- Adequately manage user accounts and permissions.
- Five individuals left employment between 2015 and 2019 but had active user accounts.
- Five employees had unnecessary user permissions and 16 active contractor accounts were not needed, including three accounts that were created in 2015 and 2016.
- Ensure contractors signed the acceptable use policy (AUP) forms and retain the forms on file.
Sensitive IT control weaknesses were communicated confidentially to officials.
- Routinely review network user accounts and disable unnecessary accounts in a timely manner.
- Remove financial software user permissions not needed based on job duties.
- Ensure signed AUP forms are retained.
District officials agreed with our recommendations and indicated they plan to initiate corrective action.