Audit Objective
Did Glen Cove City School District (District) officials adequately manage nonstudent network user accounts?
Audit Period
July 1, 2023 – May 14, 2025
Understanding the Audit Area
School district officials must manage network user accounts to help protect personal, private, sensitive student/staff information (PPSI),[1] including (but not limited to) student and employee names, dates of birth, addresses, medical information and social security numbers. Network user accounts are potential entry points for attackers and, if compromised, could be used to make unauthorized changes to official school district records and deny legitimate access to network resources. Proper network user account management can help safeguard against events that could have criminal, civil, regulatory, financial and reputational impacts on school district operations.
As of May 14, 2025, the District had 1,104 enabled nonstudent network user accounts.
Audit Summary
District officials did not adequately manage nonstudent network user accounts. As of May 14, 2025, 296 of the District’s 1,104 enabled nonstudent network user accounts (27 percent) were not needed and should have been disabled. Additionally, six unneeded nonstudent network user accounts had administrative permissions. Unneeded network user accounts, including those with elevated administrative permissions, are additional entry points into a network and, if compromised by an attacker, could be used to inappropriately access the District’s network to view and/or remove personal information accessible by that compromised network account; make unauthorized changes to District records; or deny legitimate access to the District network and records.
Sensitive IT control weaknesses were communicated confidentially to officials.
The report includes six recommendations that, if implemented, will improve the District’s management of nonstudent network user accounts and permissions. District officials agreed with our findings and indicated they plan to initiate corrective action.
We conducted this audit pursuant to Article V, Section 1 of the State Constitution and the State Comptroller’s authority as set forth in Article 3 of the New York State General Municipal Law. Our methodology and standards are included in Appendix C.
The Board has the responsibility to initiate corrective action. A written corrective action plan (CAP) that addresses the findings and recommendations in this report must be prepared and provided to our office within 90 days, pursuant to Section 35 of the New York State General Municipal Law, Section 2116-a (3)(c) of the New York State Education Law and Section 170.12 of the Regulations of the Commissioner of Education. To the extent practicable, implementation of the CAP must begin by the end of the next fiscal year. For more information on preparing and filing your CAP, please refer to our brochure, Responding to an OSC Audit Report, which you received with the draft audit report. The CAP should be posted on the District’s website for public review.
[1] PPSI is any information to which unauthorized access, disclosure, modification, destruction or use – or disruption of access or use – could have or cause a severe impact on critical functions, employees, customers, third parties or other individuals or entities.