Background
The Suffolk County Community College (College) is governed by a Board of Trustees (Board), which is composed of nine appointed members and one elected student trustee. The Board is responsible for the general oversight of operations including adopting policies to safeguard IT assets.
The Vice President for IT Services oversees IT operations and is responsible for securing IT assets, including the website and the financial and student information system. The Vice President for Business and Financial Affairs is responsible for overseeing business operations, which include online banking.
| Quick Facts | |
|---|---|
| 2017-18 IT Appropriations | $8.1 million |
| Employees | 5,002 |
| Servers | 82 |
| Computers (including laptops and tablets) | 4,571 |
| Network User Accounts | 5,426 |
Audit Period
September 1, 2015 – October 31, 2017
Audit Objective
Determine whether College officials adequately safeguarded the College website, financial and student information system, and online banking from unauthorized access and misuse.
Key Findings
- The College has:
  - 824 network user accounts (15 percent) that have not been used within the last six months and do not match current employees.
  - Four network user accounts with unnecessary administrative permissions and 131 financial and student information system user accounts with questionable permissions.
- Employees responsible for safeguarding the College website are not required to attend cybersecurity training.
In addition, sensitive information technology (IT) control weaknesses were communicated confidentially to College officials.
Key Recommendations
- Enforce written policy for managing network and system access.
- Ensure employees receive relevant cybersecurity training at least annually.
- Address the confidentially communicated IT recommendations.
College officials generally agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.