Audit Objective

Determine whether Wheatland-Chili Central School District (District) officials ensured network access controls were adequate.

Key Findings

District officials did not ensure that network access controls were adequate. As a result, there is a significant risk that network resources, financial data and student information could be inappropriately altered, accessed or used. In addition to the sensitive network access control weaknesses that were communicated confidentially to officials, District officials did not:

• Comply with Board policies to help ensure adequate network access controls were in place, including a comprehensive written information technology (IT) disaster recovery plan and employee IT security awareness training.
• Review and assess the need for 292 inactive network user accounts.

In addition, the District did not have a written agreement with BOCES to itemize and define all IT services and responsibilities, including network access and server hosting, and related controls, costing approximately $120,000.

Key Recommendations

• Establish and enforce adequate written policies and procedures, including a comprehensive IT disaster recovery plan, and provide IT security awareness training to employees.
• Disable unnecessary network user accounts, modify network access timely and periodically review network user accounts for necessity.
• Work with BOCES to develop a written agreement with a detailed list and explanation of services and responsibilities.

District officials generally agreed with our findings and indicated they plan to initiate corrective action.