DeRuyter Central School District - Information Technology (2019M-175)

Issued Date
December 13, 2019

[read complete report - pdf]

Audit Objective

Determine whether District officials ensured students’ personal, private and sensitive information (PPSI) was adequately protected from unauthorized access, use and loss.

Key Findings

District officials did not:

  • Limit or monitor employees’ personal Internet browsing and their use of social media on District computers.
  • Provide IT security awareness training to employees.
  • Restrict user permissions to the network and the student information system software application (SIS) based on job duties.
  • Disable unneeded network and local user accounts.

Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.

Key Recommendations

  • Review and update the acceptable computer use policy and monitor employees’ personal Internet browsing and use of social media.
  • Provide formal IT security awareness training to employees.
  • Evaluate network and SIS user permissions to ensure users only have the permissions needed for their job duties and disable any unneeded user accounts.

District officials generally agreed with our recommendations and indicated they planned to initiate corrective action.