Determine whether Horseheads Central School District (District) officials ensured network access controls were secure.
District officials did not ensure that the District’s network access controls were secure. Officials:
- Paid BOCES more than $2 million in the 2019-20 fiscal year for IT services but did not enter into a service level agreement (SLA) to clearly identify BOCES responsibilities and services to be provided. As a result, officials were unable to determine exactly what services they paid for, if the District was appropriately billed or receiving the best value for IT services.
- Did not establish formal policies or procedures to add or disable user accounts. As a result, there were 230 inactive user accounts, of which 138 were unneeded, and there were an excessive number of generic accounts.
- Did not provide IT security awareness training to employees.
- Regularly review network user accounts and disable those that are unnecessary.
- Develop an SLA to address the District’s specific needs and expectations for IT services.
- Ensure that officials and employees receive adequate IT security awareness training.
District officials partially agreed with our recommendations. Appendix B includes our comments on issues raised in the District’s response.