Determine whether Waterville Central School District (District) officials adequately managed network user accounts and developed an information technology (IT) contingency plan.
District officials did not adequately manage network user accounts or develop a written IT contingency plan that details how District officials would respond to IT disruptions. As a result, officials had active but unneeded network user accounts that could be used as entry points for individuals to gain unauthorized access to the District’s IT systems, and the lack of a comprehensive written IT contingency plan impairs the District’s ability to recover from an unexpected IT disruption.
In addition to finding sensitive IT control weaknesses that were confidentially communicated to officials, we found that officials did not:
- Develop written procedures for granting, changing and disabling user access rights to the network.
- Perform periodic reviews of all network user accounts to determine whether they were appropriate or needed. As a result, 11 percent of the District’s non-student user accounts were unneeded and should have been disabled.
- Develop written network user account access procedures and periodically review and evaluate all network user accounts.
- Develop and adopt a comprehensive written IT contingency plan.
District officials generally agreed with our recommendations and indicated they have taken or plan to take corrective action.