[read complete report – pdf] [read complete 2023 report – pdf]
Purpose of Review
The purpose of our review was to assess the Chenango Valley Central School District’s (District) progress, as of November 2025, in implementing our recommendations in the audit report Chenango Valley Central School District – Network User Accounts and Information Technology Contingency Planning (2022M-162), released in June 2023.
The audit determined that District officials did not adequately manage network user accounts or develop and adopt an IT contingency plan. In addition to finding sensitive IT control weaknesses, which we communicated confidentially to officials, we found that:
- Sixty-eight, or 12 percent, of the District’s nonstudent network user accounts were no longer needed. Unneeded network user accounts are additional entry points into a network and, if accessed by attackers, could be used to inappropriately access and view personal, private and sensitive information (PPSI)1 or disable the network.
- Without an IT contingency plan, the District has an increased risk that it could suffer a serious interruption to operations since the District’s ability to communicate during a disruption or disaster will affect the timely processing of its business functions.
The audit included three recommendations to help District officials improve its network user account management and to develop and adopt an IT contingency plan.
Background
The District serves the Towns of Chenango, Colesville, Dickinson, Fenton and Kirkwood in Broome County. The District is governed by an elected nine-member Board of Education (Board), responsible for managing and controlling financial and educational affairs. The Superintendent of Schools is the District’s chief executive officer and is responsible, along with other administrative staff, for District administration under the Board’s direction. The District contracts with the Broome-Delaware-Tioga Board of Cooperative Educational Services (BT BOCES) South Central Regional Information Center (SCRIC) to provide IT services. The District employs a full-time IT Director who acts as liaison between the District and SCRIC
Results of Review
Of the three recommendations contained in the 2022M-162 report, we determined, based on our limited procedures, that the District’s IT Director, Board and officials fully implemented one recommendation and partially implemented two recommendations. As a result, the District's PPSI and IT resources continued to have an increased risk for inappropriate access and compromise. We also reviewed progress in implementing the recommendations related to the sensitive IT control weaknesses that were reported to officials confidentially and communicated those results confidentially to District officials.
1 Personal, private and sensitive information (PPSI) is any information to which unauthorized access, disclosure, modification, destruction or use – or disruption of access or use – could have or cause a severe impact on critical functions, employees, customers, third parties or other individuals or entities.