[read complete report - pdf]

Audit Objective

Determine whether New Lebanon Central School District (District) officials established adequate internal controls over network user accounts to prevent unauthorized use, access and loss.

Key Findings

Officials did not establish adequate controls over the District’s network user accounts to protect against unauthorized use, access and loss. Officials did not:

• Disable 26 unneeded generic accounts of the 48 generic network accounts examined.
• Ensure acceptable use policy (AUP) compliance.
• Monitor the use of the information technology (IT) resources.
• Provide IT security awareness training to all employees using IT resources.

Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.

Key Recommendations

• Develop and implement written procedures for granting, changing and disabling user permissions and monitoring compliance with the AUP.
• Maintain an authorized network user list and routinely evaluate and disable unneeded accounts.

District officials agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.