[read complete report - pdf]

Audit Objective

Determine whether Penn Yan Central School District (District) officials ensured network access controls were secure.

Key Findings

District officials did not ensure that the District’s network access controls were secure.

Officials did not:

• Regularly review network user accounts and permissions to determine whether they were appropriate or needed to be disabled. As a result, we identified 1,094 unneeded user accounts and six user accounts with unnecessary administrator permissions.
• Enter into a service level agreement (SLA) with the District’s Information Technology (IT) service provider to clearly identify the provider’s responsibilities and services to be provided.

In addition, sensitive IT control weaknesses were communicated confidentially to officials.

Key Recommendations

• Regularly review network user accounts and disable those that are unnecessary.
• Develop an SLA to address the District’s specific needs and expectations for IT services.

District officials agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.