Determine whether New Rochelle City School District (District) officials established adequate controls over network and financial application user accounts to prevent unauthorized access, use and/or loss.
Officials did not establish adequate controls over network and financial application user accounts to prevent unauthorized use, access and/or loss. In addition to sensitive information technology (IT) control weaknesses which we communicated confidentially to officials, we found officials did not:
- Adequately manage network user accounts.
- 84 former employees/vendors had active user accounts.
- 35 generic user accounts that had never been used and were unnecessary.
- Ensure District procedures were followed to communicate financial application user account changes to the vendor.
- Develop written procedures for managing network access that include periodically reviewing user access and disabling network user accounts when access is no longer needed.
- Evaluate all existing financial application user accounts, disable any deemed unnecessary and periodically review for necessity and appropriateness.
District officials generally agreed with our recommendations and indicated they planned to initiate corrective action.