Audit Objective 

Determine whether Garrison Union Free School District (District) officials secured the District’s network user accounts, established physical controls and maintained inventory records for information technology (IT) equipment, and developed an IT contingency plan. 

Key Findings 

District officials did not adequately secure the District’s network user accounts, establish physical controls, maintain complete and accurate inventory records for IT equipment or develop an IT contingency plan. In addition to sensitive IT control weaknesses that we communicated confidentially to District officials, we found: 

• District staff did not have sufficient documented guidance or plans to implement following an unexpected IT disruption or disaster. As a result, District officials have an increased risk they may not recover data and resume essential operations in a timely manner. 
• 40 of the 115 enabled nonstudent network user accounts (35 percent) were no longer needed. Unneeded user accounts could be used to inappropriately access and view personal, private and sensitive information (PPSI) or disable the network. 
• 10 IT assets, including nine laptops and one printer, were not properly recorded in the District’s inventory listing. 

Key Recommendations 

• Develop written procedures for managing network user account access that includes disabling unnecessary network user accounts and periodically reviewing user access.
• Maintain complete, accurate and up-to-date inventory records.
• Develop and adopt a comprehensive written IT contingency plan, update the plan as needed and distribute it to all responsible parties. 

District officials generally agreed with our recommendations and indicated they have initiated or plan to initiate corrective action.