[read complete report - pdf]

Audit Objective

Determine whether Haverstraw-Stony Point Central School District (District) officials established adequate internal controls over user accounts to prevent unauthorized use, access and loss.

Key Findings

Officials did not establish adequate controls over the District’s user accounts to protect against unauthorized use, access and loss. Officials did not:

• Establish written procedures for granting, changing or disabling network user accounts or user permissions.
• Disable 130 unneeded generic and nonemployee network user accounts of the 475 network user accounts examined.
• Provide information technology (IT) security awareness training to all employees using IT resources.

Sensitive IT control weaknesses were communicated confidentially to officials.

Key Recommendations

• Develop and implement written procedures for granting, changing and disabling user access.
• Provide periodic IT security awareness training to all employees who use IT resources.

District officials agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.