York Central School District – Network Access Controls (2022M-93)

Issued Date
October 07, 2022

[read complete report – pdf]

Audit Objective

Determine whether York Central School District (District) officials ensured network access controls were adequate.

Key Findings

District officials did not ensure that network access controls were adequate. Specifically:

  • District officials did not comply with Board policy to ensure adequate network access control procedures were established including a comprehensive written disaster recovery plan.
  • The District had 139 unneeded network user accounts and one account with unnecessary network administrative permissions.
  • Officials paid $360,896 for information technology (IT) services in 2020-21 without documenting the specific services the IT vendor was contracted to provide.

In addition, sensitive network access control weaknesses were communicated confidentially to officials.

Key Recommendations

  • Ensure officials enforce compliance with the data, network and security access policy.
  • Disable unneeded network user accounts in a timely manner, and regularly review user accounts for necessity and appropriateness.
  • Set written expectations for the District’s specific IT service needs.

District officials generally agreed with our recommendations and indicated they are initiating corrective action. Appendix B includes our comment on issues raised in the District’s response letter.