Determine whether Marlboro Central School District (District) officials established adequate controls over network user accounts and settings.
District officials did not establish adequate controls over network user accounts and settings.
- Officials did not regularly review network user accounts and permissions to determine whether they were appropriate or needed to be disabled.
- 79 percent (71 network user accounts and 14 generic and/or shared user accounts) of the reviewed accounts were unneeded or questionable accounts.
- Officials developed a data security plan in January 2010 that included password security and user account management policies and procedures; however, the Board did not adopt the policy and the practice was not implemented.
Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.
- Develop written procedures for managing system access.
- Restrict the use of shared network user accounts.
District officials agreed with our recommendations and indicated they are taking corrective action.