Determine whether Somers Central School District (District) officials established adequate controls over user accounts and software updates to help prevent unauthorized use, access and loss.
District officials did not establish adequate controls over user accounts and software updates to help prevent against unauthorized use, access and loss. Sensitive IT control weaknesses were communicated confidentially to officials. In addition, officials did not:
- Periodically review all network user accounts and permissions to determine whether they were appropriate or needed to be disabled.
- 58 network user accounts had unnecessary administrative permissions.
- 111 network user accounts were unneeded and should have been disabled.
- Adopt an adequate comprehensive information technology (IT) contingency plan to minimize the risk of data loss or prevent a serious interruption of services. Consequently, in the event of a system disruption due to a disaster, ransomware attack or other event, employees have insufficient guidance to restore or resume essential operations.
- Develop written procedures for managing network user account access.
- Develop and adopt a comprehensive IT contingency plan and communicate it to appropriate officials and employees.
District officials agreed with our findings and indicated they plan to initiate corrective action.