Determine whether Franklin Central School District (District) officials adequately managed network and local user accounts and software and developed an information technology (IT) contingency plan.
District officials did not adequately manage network user accounts, periodically compare installed software to an authorized software inventory or develop an IT contingency plan. In addition to finding sensitive information technology control weaknesses, which we communicated confidentially to officials, we found that:
- Nine of the District’s network user accounts (8 percent) were not needed. This created additional network entry points that, if accessed by attackers, could be used to inappropriately access and view sensitive information and compromise IT resources.
- District staff did not have sufficient documented guidance or plans to follow to recover data and resume essential operations in a timely manner.
- Develop written procedures for managing computers and network user accounts.
- Periodically compare installed software to an authorized software inventory list.
- Develop and adopt a comprehensive written IT contingency plan, update the plan as needed and distribute it to all responsible parties.
District officials generally agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.