Determine whether Arlington Central School District (District) officials ensured network user accounts were adequately configured and secured.
District officials did not ensure network user accounts were adequately configured and secured. In addition to sensitive information technology (IT) control weaknesses which we communicated confidentially to officials, we found District officials should have:
- Disabled 150 of the 9,989 network user accounts we examined. The 150 accounts include 116 generic accounts, 27 employee accounts, five contractor accounts, one former employee account and one account the IT Director could not identify to whom it belonged. These accounts have been unnecessarily active ranging from August 2007 to January 2020.
- Developed methods to determine who is using each shared user account at a given time.
- Regularly review enabled user accounts and ensure that unneeded user accounts are immediately disabled.
- Restrict the use of shared network user accounts and develop procedures to monitor the use of these accounts.
District officials agreed with our recommendations.