Determine whether Greenville Central School District (District) officials established adequate network user account controls to prevent unauthorized use or access.
District officials did not establish adequate policies and procedures for network user accounts to prevent unauthorized use or access. Officials did not:
- Develop a comprehensive acceptable use policy (AUP) and monitor employee computer use.
- Disable 64 unneeded network user accounts, which included generic and former student and employee accounts.
Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.
- Ensure the acceptable use policy clearly states what is acceptable for District computer use, is updated to include District employees and is regularly reviewed and monitored for compliance.
- Design and implement procedures to monitor employees’ computer use and implement procedures to ensure compliance with the policy.
- Periodically review user access and disable user accounts no longer needed.
District officials agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.