Determine whether Port Chester-Rye Union Free School District (District) officials adequately managed non-student network user accounts to ensure unnecessary accounts were disabled.
District officials did not adequately manage non-student network user accounts to ensure unnecessary accounts were disabled. Specifically:
- District officials did not establish comprehensive written procedures to periodically review all network user accounts, identify unnecessary network user accounts and notify the IT vendor to disable them.
- Nine former employees’ user accounts and 120 unneeded generic user accounts were not disabled on the network.
Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.
- Maintain and periodically evaluate a list of authorized network user accounts and notify the IT vendor using service requests to disable network user accounts of former employees and other users that are no longer needed.
District officials generally agreed with our recommendations and indicated they planned to take corrective action. Appendix B includes our comment on an issue raised in the District’s response.