Brentwood Union Free School District – Information Technology (2023M-83)

Issued Date
November 03, 2023

Audit Objective

Determine whether the Brentwood Union Free School District (District) Board of Education (Board) and officials ensured computerized data was safeguarded by monitoring network user accounts, providing network users with information technology (IT) security awareness training and implementing an IT contingency plan.

Key Findings

The Board and District officials did not adequately monitor nonstudent network user accounts, provide IT security awareness training as required by a Board-adopted policy or implement an IT contingency plan.

As a result, the District’s computerized data was not adequately safeguarded. In addition, the District has an increased risk that the network may be accessed by unauthorized individuals, data will be lost and the District may not be able to recover from a network disruption or disaster.

In addition to sensitive IT control weaknesses that we communicated confidentially to District officials, we also found that officials did not:

  • Disable 486 (14 percent) of the 3,525 enabled nonstudent network user accounts that we reviewed; we determined that these 486 accounts were not needed.
  • Establish written procedures for granting, changing and disabling network user account access.

Key Recommendations

  • Periodically review network user accounts and disable accounts that are not needed.
  • Provide the Board-required IT security awareness training.
  • Develop a comprehensive IT contingency plan.

District officials generally agreed with our recommendations and indicated that they have initiated or plan to initiate corrective action.