Audit Objective

Determine whether East Hampton Union Free School District (District) officials secured user account access to the network and financial application and developed an information technology (IT) contingency plan.

Key Findings

District officials secured user account access to the financial application but did not secure user account access to the network or develop an IT contingency plan. This increases the risk of unauthorized access, lost data, and inability to recover from a network disruption. We confidentially communicated sensitive IT weaknesses to officials, and also determined:

• The District’s use of two central network management tools for over 10 years has created security concerns due to lack of monitoring of all accounts on both tools.
• Ninety-one percent, or 3,395, of the District’s enabled network user accounts were not logged into in the last six months. Accounts grant access to sensitive information, and unneeded accounts should be disabled to protect District data.
• Officials did not provide IT security awareness training to District IT users. Therefore, users may not understand their responsibilities and are more likely to be unaware of situations that could compromise the District’s IT network and data.

Key Recommendations

• Disable unnecessary network user accounts and periodically review them for necessity.
• Provide periodic IT security awareness training to all District IT users.
• Develop and adopt a comprehensive written IT contingency plan.

District officials disagreed with certain findings in our report but indicated that they will initiate corrective action. Appendix B includes our comments on certain issues officials raised in their response.