Determine if the Menands Union Free School District (District) Board of Education (Board) and District officials adequately safeguarded computerized data from unauthorized use, access and loss.
District officials did not adequately safeguard computerized data from unauthorized use, access and loss and although the District paid IT vendors $106,460 for IT services, officials did not have clear contract language that identified the IT vendors’ roles and responsibilities. As a result, gaps in IT security practices occurred.
The Board and District officials also did not:
- Monitor internet usage; we found questionable internet use on three of six users’ computers examined.
- Provide IT security awareness training to employees.
- Adopt a breach notification policy that is required by New York State Technology Law.
Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.
- Revise IT vendor contracts to define roles and responsibilities.
- Provide IT security awareness training.
- Develop and adopt a breach notification policy.
District officials agreed with our recommendations and indicated they are taking corrective action.