Determine whether Adirondack Central School District (District) officials implemented adequate information technology (IT) controls over the District’s network to help safeguard personal, private, and sensitive information (PPSI).
District officials did not establish adequate IT controls to help safeguard PPSI. In addition to sensitive IT control weaknesses communicated confidentially, we found:
- An IT service provider was paid $526,500 but officials did not have a written service level agreement (SLA) to clearly identify the provider’s responsibilities and specific services to be provided.
- Officials did not implement adequate IT controls to manage network user accounts. Of the 343 network accounts reviewed, 64 accounts were not needed.
- The Board did not adopt an IT contingency plan. Therefore, a cyber incident could result in the loss of data and serious operational interruption.
- The District had three policies that detail the proper usage of IT assets. The polices are not consistent and seven of 13 computers were used for personal use.
- Establish adequate polices, plans and agreements needed to protect the Districts IT network and data.
District officials generally agreed with our recommendations and indicated they are initiating corrective action. Appendix B includes our comment on an issue raised in the District’s response letter.