Millbrook Central School District – Information Technology – User Accounts (2021M-48)

Issued Date
August 20, 2021

Audit Objective

Determine whether Millbrook Central School District (District) officials established adequate controls over user accounts in order to prevent unauthorized access, use and/or loss.

Key Findings

Officials did not establish adequate controls over the District’s user accounts to prevent unauthorized use, access and loss. Officials also did not:

  • Periodically review and disable unneeded network user accounts.
    • 46 students were no longer enrolled but had active network user accounts.
    • 13 individuals left employment between 2013 and 2020 but had active network user accounts.
    • Nine generic accounts were last used between 2015 and 2018.
  • Develop a breach notification policy, as required by New York State Technology Law.

Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.

Key Recommendations

  • Develop written procedures for managing system access that include periodically reviewing user access and disabling user accounts when access is no longer needed.
  • Develop a breach notification policy.

Town officials agreed with our recommendations and indicated they will take corrective action.