Determine whether East Bloomfield Central School District (District) officials ensured network and financial software access controls were adequate to protect District information technology (IT) systems and data.
District officials did not ensure that network and financial software access controls were adequate to protect District IT systems and data from unauthorized access or loss. Sensitive network and financial software access control weaknesses were communicated confidentially to officials. In addition:
- The District had 250 unneeded network user accounts, including two with administrative permissions, and the Assistant Superintendent for Business and Operations had excessive administrative permissions in the financial software, which allowed them to potentially control all phases of financial transactions.
- Officials paid BOCES $539,644 for IT services in 2020-21 without defining roles and responsibilities for services. As a result, the roles and responsibilities of each party may not be understood by all parties, resulting in cybersecurity gaps.
- Ensure officials enforce compliance with the data, network and security access policy.
- Disable unneeded network and financial software user accounts in a timely manner, and regularly review user accounts for necessity and appropriateness.
- Set written expectations for the District’s specific IT service needs.
District officials agreed with our recommendations and indicated they will initiate corrective action.