Determine whether Mount Pleasant Central School District (District) officials established adequate controls over user accounts in order to prevent unauthorized use, access and/or loss.
District officials did not establish adequate controls over the District’s user accounts to prevent unauthorized use, access and/or loss. Officials did not:
- Monitor compliance with the District’s acceptable use policy (AUP).
- Adequately manage network user accounts.
Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.
- Develop and implement procedures to monitor compliance with the AUP.
- Develop written procedures for managing system access that include periodically reviewing user access and disabling network user accounts when access is no longer needed.
- Evaluate all existing network accounts, disable any deemed unnecessary and periodically review for necessity and appropriateness.
District officials generally agreed with our recommendations and initiated or indicated they plan to initiate corrective action.