Audit Objective
Did Syracuse City School District (District) officials adequately manage nonstudent network user accounts and develop and adopt an information technology (IT) contingency plan?
Audit Period
July 1, 2024 – May 16, 2025
Understanding the Audit Area
School district officials must manage network user accounts and create IT contingency plans to help protect personal, private, sensitive student/staff information (PPSI),1 prevent unauthorized access/breaches, ensure operational continuity during disasters, meet statutory requirements, and maintain public trust. Unmanaged network user accounts are potential entry points for attackers and other unauthorized individuals, and the lack of a contingency plan can paralyze a school district’s operations. These measures help safeguard against financial loss and ensure critical functions continue, protecting the entire school district community.
As of November 15, 2024, the District had 6,386 enabled nonstudent network user accounts.
Audit Summary
District officials did not adequately manage nonstudent network user accounts. As of November 15, 2024, 488 of the District’s 6,386 enabled nonstudent network user accounts (8 percent) were not needed and should have been disabled. We determined that 433 of the unneeded network user accounts (89 percent) had never been logged into or not been logged into for over six months. Furthermore, 157 service and shared user accounts had not been logged into for at least five years. In addition, 15 of 33 nonstudent network user accounts (45 percent) that had administrative permissions were unnecessary.
The unneeded network user accounts are additional entry points into the District’s network and, if accessed by an attacker, could be used to inappropriately access the District’s network to view PPSI, make unauthorized changes to District records, or deny legitimate access to the District’s network and records. In addition, a compromised network user account with administrative permissions could cause greater damage than a compromised account with lesser privileges, because administrative accounts have full control over the network, including the ability to add new users and change passwords and permissions.
IT department officials initiated corrective action during our audit to disable unnecessary nonstudent network user accounts. As of May 16, 2025, IT department officials disabled 371 of the 488 unneeded network user accounts (76 percent) identified during the audit.
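The review described above can be reproduced by applying the audit's thresholds to an export of enabled accounts. The following is an added example, not the District's or the Comptroller's own tooling; the account list is constructed, the "6 months" and "5 years" cutoffs are approximated in days, and the export format (name, type, admin flag, last logon) is an assumption.

```python
from datetime import date, timedelta

# Constructed sample of an enabled nonstudent account export (not District data):
# (account name, account type, has administrative permissions, last logon or None if never)
SAMPLE_ACCOUNTS = [
    ("jdoe",       "user",    False, date(2024, 11, 10)),
    ("asmith",     "user",    False, date(2024, 3, 1)),
    ("tmp_intern", "user",    False, None),
    ("svc_backup", "service", False, date(2018, 6, 30)),
    ("shared_lib", "shared",  False, date(2024, 10, 2)),
    ("it_admin1",  "user",    True,  date(2024, 11, 12)),
    ("old_admin",  "user",    True,  date(2023, 1, 15)),
]
AUDIT_DATE = date(2024, 11, 15)           # "as of" date used in the report
SIX_MONTHS = timedelta(days=183)          # approximation of six months
FIVE_YEARS = timedelta(days=5 * 365)      # approximation of five years
INACTIVITY_REASONS = {"never logged in", "inactive > 6 months"}


def review_accounts(accounts, as_of=AUDIT_DATE):
    """Flag enabled accounts against the audit's criteria.

    Returns {account name: [reasons it needs review]}. Administrative
    accounts are always listed so their need can be confirmed.
    """
    findings = {}
    for name, kind, is_admin, last_logon in accounts:
        reasons = []
        if last_logon is None:
            reasons.append("never logged in")
        elif as_of - last_logon > SIX_MONTHS:
            reasons.append("inactive > 6 months")
        if kind in ("service", "shared") and last_logon is not None \
                and as_of - last_logon >= FIVE_YEARS:
            reasons.append("service/shared inactive >= 5 years")
        if is_admin:
            reasons.append("administrative permissions: confirm still needed")
        if reasons:
            findings[name] = reasons
    return findings


def summarize(findings, total_enabled):
    """Report the stale accounts and their share of all enabled accounts."""
    stale = sorted(n for n, r in findings.items() if INACTIVITY_REASONS & set(r))
    return {"stale": stale, "stale_pct": round(100 * len(stale) / total_enabled)}


if __name__ == "__main__":
    found = review_accounts(SAMPLE_ACCOUNTS)
    for name, reasons in found.items():
        print(f"{name}: {'; '.join(reasons)}")
    print(summarize(found, len(SAMPLE_ACCOUNTS)))
```

Accounts flagged for inactivity are candidates for disabling; those flagged only for administrative permissions need a decision on whether the privilege is still required.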
In addition, the Board of Education (Board) and District officials did not develop and adopt an IT contingency plan to help minimize the risk of data loss or a serious interruption of services. As a result, officials have less assurance that, in the event of a disruption or disaster (e.g., a ransomware attack), employees and other responsible parties would be able to react quickly and effectively to help resume, restore, repair and/or rebuild critical IT systems or data in a timely manner.
Sensitive IT control weaknesses were communicated confidentially to officials.
The report includes six recommendations that, if implemented, will improve the District’s management of nonstudent network user accounts and contingency planning. District officials agreed with our recommendations and indicated they have initiated or plan to initiate corrective action, and their response is included in Appendix B.
We conducted this audit pursuant to Article V, Section 1 of the State Constitution and the State Comptroller’s authority as set forth in Article 3 of the New York State General Municipal Law (GML). Our methodology and standards are included in Appendix C.
The Board has the responsibility to initiate corrective action. A written corrective action plan (CAP) that addresses the findings and recommendations in this report must be prepared and provided to our office within 90 days, pursuant to Section 35 of GML, Section 2116-a (3)(c) of the New York State Education Law and Section 170.12 of the Regulations of the Commissioner of Education. To the extent practicable, implementation of the CAP must begin by the end of the next fiscal year. For more information on preparing and filing your CAP, please refer to our brochure, Responding to an OSC Audit Report, which you received with the draft audit report. The CAP should be posted on the District’s website for public review.
1 PPSI is any information to which unauthorized access, disclosure, modification, destruction or use – or disruption of access or use – could have or cause a severe impact on critical functions, employees, customers, third parties or other individuals or entities.