Audit Objective
Did Roosevelt Children’s Academy Charter School (School) officials adequately secure and protect information technology (IT) assets against unauthorized access, use and loss?
Audit Period
July 1, 2023 – March 20, 2025
Understanding the Audit Area
School officials must secure and protect information technology assets to comply with certain New York State laws that mandate safeguards for personal, private, sensitive student/staff information (PPSI).1 Protecting IT assets is crucial to maintaining trust with students and families, as data breaches can lead to identity theft and loss of confidence in a school's ability to safeguard sensitive information. The costs associated with data breaches can be significant and can strain school budgets. Implementing robust cybersecurity measures fosters a culture of security awareness among staff and students. Continuous training helps prevent accidental breaches, which are often caused by human error. By prioritizing the security of IT assets, schools can protect sensitive information, comply with legal requirements, maintain trust, and avoid financial repercussions.
In fiscal year 2024, the School paid an outside IT vendor $158,102 to provide IT services, including managing the network and computers for the entire School. Additionally, the vendor was responsible for the School's servers, firewall and all IT equipment, and managed all user accounts and permissions. The School had 248 enabled network user accounts.
Audit Summary
School officials did not establish adequate controls to secure and protect IT systems and assets against unauthorized access, use and loss. As a result, School officials cannot be assured that the School's IT systems are secured and protected against unauthorized access, use and loss, and there is an increased risk that the School could lose important data and suffer a serious interruption in operations.
School officials have not implemented comprehensive procedures for managing and monitoring user access to the School's network and computers. Because there are no written procedures to document, authorize or confirm user account changes, 51 unneeded accounts went unnoticed. When unneeded user accounts remain enabled, the School has an increased risk that disgruntled employees or attackers could use these accounts as entry points to access PPSI and compromise IT resources.
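The periodic account review that the finding above describes as missing can be reduced to a reconciliation: every enabled network account should map to a person (or a documented service account) who currently needs access, and accounts that nobody has used for a long time should be questioned. The following is an added example, not part of the audit report or the School's procedures. It assumes a constructed CSV export of network accounts (username, enabled flag, last logon date) of the kind an IT vendor would provide on request, a constructed roster of current staff and students, and a review date set to the end of the audit period; the 90-day inactivity threshold is an assumption, not a figure from the report.

```python
"""Reconcile enabled network accounts against a current roster.

Added example (not from the audit report). All inputs below are constructed:
the account export, the roster, the service-account exceptions and the
90-day inactivity threshold are assumptions chosen for illustration.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed account export, in the shape a vendor might hand over:
# username, enabled flag, last logon (blank = never logged on).
ACCOUNT_EXPORT = """\
username,enabled,last_logon
jsmith,true,2025-02-14
mjones,true,2023-05-01
svc_backup,true,2025-03-01
tbrown,false,2022-09-09
ateacher,true,
rlee,true,2025-03-10
"""

# Constructed roster of people who currently need access (from HR / enrollment).
ROSTER = {"jsmith", "mjones", "ateacher"}

# Constructed list of non-person accounts that are documented exceptions and
# reviewed on their own; they are skipped here so they do not mask real findings.
KNOWN_SERVICE_ACCOUNTS = {"svc_backup"}

# Review date: end of the audit period stated in the report.
REVIEW_DATE = date(2025, 3, 20)

# Assumed threshold; an account unused this long should be confirmed or disabled.
INACTIVE_DAYS = 90


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str


def parse_export(text: str) -> list[tuple[str, bool, date | None]]:
    """Parse the CSV export into (username, enabled, last_logon) tuples."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["last_logon"].strip()
        last_logon = date.fromisoformat(raw) if raw else None
        rows.append((row["username"].strip(), row["enabled"].strip().lower() == "true", last_logon))
    return rows


def review_accounts(export_text: str, roster: set[str], service_accounts: set[str],
                    as_of: date, inactive_days: int = INACTIVE_DAYS) -> list[Finding]:
    """Return the enabled accounts that need a documented decision (keep or disable)."""
    findings: list[Finding] = []
    for username, enabled, last_logon in parse_export(export_text):
        if not enabled:
            continue  # a disabled account is not an entry point
        if username in service_accounts:
            continue  # documented exception, reviewed separately
        if username not in roster:
            # No current person behind the account: the classic "unneeded account".
            findings.append(Finding(username, "enabled but not on current roster"))
        elif last_logon is None:
            # Could be a new hire, but the creation must be authorized and confirmed.
            findings.append(Finding(username, "enabled, never logged on"))
        elif (as_of - last_logon).days > inactive_days:
            findings.append(Finding(username, f"no logon in {(as_of - last_logon).days} days"))
    return findings


def audit_findings() -> list[Finding]:
    """Run the review over the constructed inputs above."""
    return review_accounts(ACCOUNT_EXPORT, ROSTER, KNOWN_SERVICE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for finding in audit_findings():
        print(f"{finding.username:12s} {finding.reason}")
```

Each finding is a decision for someone with authority to make and record, which is the documentation gap the report points to: the script only produces the list, and the written record of who approved keeping or disabling each account is what lets the next review confirm that changes were authorized.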
Although School officials set up web-filtering software to restrict obscene materials and unlawful activity based on website category, they did not monitor employee Internet use. We reviewed Internet histories on 14 School employee computers and determined that nine employees used the computers to access websites for personal use, such as entertainment, personal finance, email, shopping, travel and other miscellaneous personal use. One of these users conducted personal business activities using the School computer. In addition, School officials did not provide IT security awareness training to help ensure employees understand IT security measures and their roles in safeguarding data from potential abuse or loss and protecting the School's IT systems.
Although the Director of Technology was responsible for overseeing the services provided by the IT vendor, School officials did not have procedures to monitor and review the services performed by the IT vendor. The Director of Technology was unable to provide documentation related to the monitoring of the IT vendor’s compliance with the consulting agreement. In addition, the Board of Trustees (Board) did not develop adequate IT policies or procedures.
Weaknesses in oversight, other internal controls and policies increase the risk that hardware or software systems may be lost, damaged or compromised by unauthorized or inappropriate access and use.
Sensitive IT control weaknesses were communicated confidentially to officials.
The report includes 12 recommendations that, if implemented, will improve the School’s IT security and protect systems against unauthorized access, use and loss. School officials generally agreed with our findings and indicated they plan to initiate corrective action.
We conducted this audit pursuant to Article V, Section 1 of the State Constitution and the State Comptroller’s authority as set forth in Section 2854 of the New York State Education Law, as amended by Chapter 56 of the Laws of 2014. Our methodology and standards are included in Appendix C.
The Board has the responsibility to initiate corrective action. We encourage the Board to prepare a written corrective action plan (CAP) that addresses the recommendations in this report and forward it to our office within 90 days. For more information on preparing and filing your CAP, please refer to our brochure, Responding to an OSC Audit Report, which you received with the draft audit report. We encourage the Board to make the CAP available for public review.
1 PPSI is any information to which unauthorized access, disclosure, modification, destruction or use – or disruption of access or use – could have or cause a severe impact on critical functions, employees, customers, third parties or other individuals or entities.