Determine whether Ulster Board of Cooperative Educational Services (BOCES) officials adequately managed and monitored network user accounts in order to help prevent unauthorized use, access and loss.
BOCES officials did not adequately manage and monitor network user accounts to help prevent unauthorized use, access, or loss. As a result, BOCES had an increased risk of inappropriate access by users with malicious intent. In addition to sensitive information technology (IT) control weaknesses that were communicated confidentially to BOCES officials, we found that officials did not:
- Disable 17 unneeded network user accounts, including seven former employee accounts and 10 accounts not used by active employees, that had last log on dates ranging from November 2016 to December 2021.
- Review and disable 76 potentially unneeded user accounts, including 34 shared accounts, 31 service accounts, eight vendor accounts and three service accounts.
- Develop written procedures for granting, removing and modifying network user account access and ensure these procedures are being followed.
- Periodically review existing network user accounts and disable user accounts when access is no longer needed.
BOCES officials agreed with our recommendations and indicated they plan to initiate corrective action.