Determine whether Kiryas Joel Village Union Free School District (District) officials secured user account access to the network and shared network folders to help safeguard personal, private and sensitive information (PPSI).
District officials did not adequately secure user account access to the network and shared network folders to help safeguard PPSI. As a result, there is an increased risk of unauthorized access to the network and PPSI stored on shared network folders. In addition to sensitive information technology (IT) weaknesses communicated confidentially to officials, we found that officials did not:
- Disable 35 unnecessary former employee, shared and service network user accounts which account for 11 percent of the District’s enabled accounts. The majority of these accounts belonged to former employees and were last used to log into the network between June 2015 and August 2022.
- Adequately secure shared network folder access, resulting in users having unnecessary access to multiple forms of PPSI in eight shared folders.
- Maintain a data inventory to properly protect IT resources, including data containing PPSI.
- Develop procedures to disable network user accounts when no longer needed and periodically check all network user accounts for necessity.
- Conduct a comprehensive data inventory and limit access to shared network folders based on assigned job duties and responsibilities.
District officials generally agreed with our recommendations and indicated they planned to initiate corrective action. Appendix B includes our comment on an issue raised in the District’s response.