Audit Objective

Determine whether North Tonawanda City School District (District) officials properly secured user account access to the network and managed user account permissions in financial and student information applications.

Key Findings

District officials properly managed user account permissions in the financial application but did not properly secure user account access to the network or manage user account permissions in the student information application. As a result, there is a significant risk that network resources and student information could be inappropriately altered, accessed or used. In addition to sensitive information technology (IT) control weaknesses that were communicated confidentially to officials, we found that District officials did not:

• Disable 246 unnecessary network user accounts.
• Properly manage permissions for 517 user accounts in the student information application by ensuring accounts were locked or disabled when an employee separated from the District.
• Educate users on data privacy and security awareness.
• Develop an IT contingency plan and as a result, District officials lacked preparedness for a cyberattack.

Key Recommendations

• Ensure that unnecessary network user accounts are disabled as soon as they are no longer needed.
• Ensure user accounts in the student information application are locked or disabled when the employee separates from the District.

District officials agreed with our recommendations and indicated that they have initiated or plan to initiate corrective action.