Determine whether Young Women’s College Prep Charter School of Rochester (School) officials ensured network and financial software access controls were adequate.
School officials did not ensure that network and financial software access controls were adequate. As a result, data and personal, private and sensitive information (PPSI) are at greater risk for unauthorized access, misuse or loss.
In addition to sensitive information technology (IT) control weaknesses that were confidentially communicated to officials, we found that:
- Fourteen percent, or 10, of the School’s network user accounts were not needed. Unneeded network user accounts are additional entry points for someone to inappropriately access the School’s network.
- Three network user accounts had unnecessary network administrative permissions.
- Two non-administrator financial software user accounts unnecessarily had full access, including the ability to delete transactions. This provided the ability for users to access and potentially alter data and conceal inappropriate activity.
- The Board of Trustees (Board) did not adopt an adequate written IT contingency plan or provide IT security awareness training.
Our recommendations are to:
- Properly manage network and financial software user accounts.
- Develop a written IT contingency plan and provide periodic IT security awareness training.
School officials agreed with our recommendations and indicated they will initiate corrective action.