Audit Objective
Determine whether Potsdam Central School District (District) officials established adequate controls over network user accounts and developed an information technology (IT) contingency plan.
Key Findings
District officials did not establish adequate controls over network user accounts and did not develop a written IT contingency plan. As a result, the District had additional entry points for attackers to access and view personal, private and sensitive information on the network and did not have sufficient documented guidance or plans to follow to resume essential operations if an unexpected IT incident occurred.
In addition to finding sensitive IT control weaknesses that were confidentially communicated to officials, we found that:
- Of the District’s 1,909 network user accounts, 1,896 were granted unneeded administrative permissions.
- 105 network user accounts were unneeded.
Key Recommendations
- Develop written procedures for managing and reviewing network user accounts.
- Develop a comprehensive written IT contingency plan.
District officials generally agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.