[read complete report - pdf]

Audit Objective

Determine whether Arkport Central School District (District) officials ensured network access controls were secure.

Key Findings

District officials did not ensure that the District’s network access controls were secure.

• District officials did not establish written policies or procedures to add or disable user accounts and permissions.
• The District had 92 unneeded network user accounts and nine user accounts with unnecessary administrative permissions.

In addition, sensitive IT control weaknesses were communicated confidentially to officials.

Key Recommendations

• Establish written policies or procedures for managing network user accounts.
• Regularly review network user accounts and disable those that are unnecessary.
• Assess network user permissions on a regular basis and ensure that network user accounts provide users with appropriate permissions needed to perform their job duties.

District officials generally agreed with our recommendations and indicated they will take corrective action. Appendix B includes our comment on the District’s response.