[read complete report - pdf]

Audit Objective

Determine whether Tully Central School District (District) officials ensured network access controls over non-student user accounts were secure.

Key Findings

District officials did not ensure that the District’s network access controls over non-student user accounts were secure.

• Officials did not develop written procedures for granting, changing and revoking access rights.
• Officials did not regularly review enabled non-student user accounts to determine whether they were appropriate or needed. As a result, the District had 47 unneeded network user accounts, including 24 that were created for former employees or third-party consultants who no longer work for the District.
• Unneeded network user accounts can be potential entry points for attackers and could be used to inappropriately access the District’s information technology systems.

Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.

Key Recommendations

• Develop and adhere to written procedures for granting, changing, revoking and reviewing network user account access.
• Disable unneeded network user accounts in a timely manner.

District officials agreed with our recommendations and indicated they would take corrective action.