Audit Objective
Determine whether Amherst Central School District (District) officials secured user account access to the network and managed user accounts and permissions in financial and student information applications.
Key Findings
District officials did not adequately secure user account access to the network or properly manage user accounts and permissions in financial and student information applications. As a result, there is a significant risk that network resources, financial data and student information could be inappropriately altered, accessed, or used. In addition to sensitive control weaknesses that were communicated confidentially, officials did not disable unnecessary.
- Network user accounts or revoke unnecessary network user account access.
- As many as 1,570 accounts were unneeded but were not disabled.
- Four accounts had unnecessary network administrative access.
- Application user accounts or properly restrict permissions in the financial and student information applications.
Key Recommendations
- Ensure that unnecessary network user accounts are disabled in a timely manner.
- Limit application permissions based on an account user’s job responsibilities.
District officials agreed with our findings and indicated they plan to initiate corrective action.