Chittenango Central School District – Audit Follow-Up (2023M-155-F)

Issued Date
March 20, 2026

Purpose of Review

The purpose of our review was to assess the Chittenango Central School District’s (District) progress, as of October 2025, in implementing the recommendations in our audit report Chittenango Central School District – Information Technology (2023M-155), released in March 2024.

The audit determined that District officials did not adequately manage non-student network and local user account access and did not develop an Information Technology (IT) contingency plan. The audit included four recommendations to help District officials improve the District’s network user account management and to develop and adopt an IT contingency plan.

Background

The District serves the Towns of Cazenovia, Lenox, Lincoln and Sullivan in Madison County, and the Towns of Cicero and Manlius in Onondaga County. The District is governed by an elected nine-member Board of Education (Board), responsible for managing and controlling financial and educational affairs. The Superintendent of Schools (Superintendent) is the chief executive officer and is responsible, along with other administrative staff, for the District’s day-to-day management under the Board’s direction. The Director of Technology (Director) is responsible for managing the District’s IT network, including managing user account access to the network and computers.

Results of Review

Of the four recommendations contained in the 2023M-155 report, we determined, based on our limited procedures, that the Board of Education (Board), District officials and the Director of Technology (Director) partially implemented two recommendations and did not implement two recommendations. As a result, the District continued to have an increased risk that its IT system and personal, private and sensitive information (PPSI) [1] could be accessed by unauthorized users. The District could also lose important data and suffer a serious interruption to operations that depend on its computerized environment, such as not being able to process checks to pay vendors or employees or process student grades. We also reviewed progress in implementing the recommendations related to the sensitive IT control weaknesses that we reported to officials confidentially and communicated those results confidentially to District officials.

[1] PPSI is any information to which unauthorized access, disclosure, modification or destruction – or disruption of access or use – could have or cause a severe impact on critical functions, employees, customers (students), third parties or other individuals or entities.