Horseheads Central School District – Network Access Controls (2021M-127)

Issued Date
November 12, 2021

[read complete report - pdf]

Audit Objective

Determine whether Horseheads Central School District (District) officials ensured network access controls were secure.

Key Findings

District officials did not ensure that the District’s network access controls were secure. Officials:

  • Paid BOCES more than $2 million in the 2019-20 fiscal year for IT services but did not enter into a service level agreement (SLA) to clearly identify BOCES responsibilities and services to be provided. As a result, officials were unable to determine exactly what services they paid for, if the District was appropriately billed or receiving the best value for IT services.
  • Did not establish formal policies or procedures to add or disable user accounts. As a result, there were 230 inactive user accounts, of which 138 were unneeded, and there were an excessive number of generic accounts.
  • Did not provide IT security awareness training to employees.

Key Recommendations

  • Regularly review network user accounts and disable those that are unnecessary.
  • Develop an SLA to address the District’s specific needs and expectations for IT services.
  • Ensure that officials and employees receive adequate IT security awareness training.

District officials partially agreed with our recommendations. Appendix B includes our comments on issues raised in the District’s response.