Determine whether the Liberty Central School District (District) Board of Education (Board) and District officials adequately safeguarded computerized data from unauthorized use, access and loss.
The Board and District officials did not adequately safeguard computerized data from unauthorized use, access and loss. In addition to sensitive IT control weaknesses that were communicated confidentially to officials, officials did not:
- Disable unnecessary network user accounts. As a result, the District’s risk of a system compromise is increased.
- Establish adequate information technology (IT) contracts with the District’s vendors. As a result, the roles and responsibilities of each vendor providing services may not be understood and the District may pay for duplicated services.
- Ensure the IT contingency plan was kept up to date. As a result, in the event of a cyberattack or disaster, officials may not be able to restore critical IT systems, applications or data timely.
- Provide users with comprehensive IT security awareness training. As a result, employees may not be prepared to recognize and appropriately respond to suspicious system activity.
- Regularly review network user accounts and disable unnecessary accounts.
- Establish adequate IT contracts, update the IT contingency plan and provide IT security awareness training.
District officials agreed with our recommendations and indicated they have begun corrective action.