Duanesburg Central School District – Information Technology (2021M-40)

Issued Date
November 19, 2021

[read complete report - pdf]

Audit Objective

Determine whether Duanesburg Central School District (District) officials ensured information technology (IT) systems were adequately secured to protect against unauthorized use, access and/or loss.

Key Findings

District officials did not ensure IT systems were adequately secured and protected against unauthorized use, access and/or loss. District officials did not:

  • Adequately manage user accounts and permissions.
  • Provide cybersecurity awareness training to employees.

After sharing our findings, the Management Information Systems Director (Director) disabled the 13 (5 percent) of the user accounts we reviewed because they were unneeded. Officials also prepared IT cybersecurity training, which employees completed by February 2021.

Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.

Key Recommendation

  • Regularly review network and local user accounts for appropriate permissions and disable those that are unnecessary, and ensure that annually employees receive IT security awareness training.

District officials generally agreed with our recommendations and have initiated, or indicated they planned to initiate corrective action.