Determine whether Chenango Valley Central School District (District) officials adequately managed nonstudent network user accounts and developed and adopted an information technology (IT) contingency plan.
District officials did not adequately manage network user accounts or develop and adopt an IT contingency plan. In addition to finding sensitive IT control weaknesses, which we communicated confidentially to officials, we found that:
- Sixty-eight, or 12 percent, of the District’s nonstudent network user accounts were no longer needed. Unneeded network user accounts are additional entry points into a network and, if accessed by attackers, could be used to inappropriately access and view personal, private and sensitive information (PPSI) or disable the network.
- Without an IT contingency plan, the District has an increased risk that it could suffer a serious interruption to operations since the District’s ability to communicate during a disruption or disaster will affect the timely processing of its business functions.
- Develop written procedures for managing network account user access that include periodically reviewing user access and disabling unnecessary network user accounts.
- Develop and adopt a comprehensive written IT contingency plan, update the plan as needed and distribute it to all responsible parties.
District officials agreed with our recommendations and indicated they will take and have taken corrective action.