Determine whether York Central School District (District) officials ensured network access controls were adequate.
District officials did not ensure that network access controls were adequate. Specifically:
- District officials did not comply with Board policy to ensure adequate network access control procedures were established including a comprehensive written disaster recovery plan.
- The District had 139 unneeded network user accounts and one account with unnecessary network administrative permissions.
- Officials paid $360,896 for information technology (IT) services in 2020-21 without documenting the specific services the IT vendor was contracted to provide.
In addition, sensitive network access control weaknesses were communicated confidentially to officials.
- Ensure officials enforce compliance with the data, network and security access policy.
- Disable unneeded network user accounts in a timely manner, and regularly review user accounts for necessity and appropriateness.
- Set written expectations for the District’s specific IT service needs.
District officials generally agreed with our recommendations and indicated they are initiating corrective action. Appendix B includes our comment on issues raised in the District’s response letter.