Audit Objective
Did Levittown Union Free School District (District) officials adequately manage nonstudent network accounts and permissions?
Audit Period
July 1, 2023 – March 6, 2025
Understanding the Audit Area
School districts rely on information technology (IT) systems (including IT assets and networks) for storing and processing important financial and non-financial information, accessing the Internet and communicating through email. These systems hold data that are valuable, such as (but not limited to) student and employee names, dates of birth, addresses, medical information and social security numbers. Network user accounts provide access to network resources and should be actively managed to minimize the risk of unauthorized use, access and loss. Network user accounts are potential entry points for attackers because, if compromised, they could be used to inappropriately access and view personal, private, sensitive information (PPSI)1 on the network, make unauthorized changes to official school district records or deny legitimate access to network resources.
The District’s IT system includes 2,972 enabled nonstudent network user accounts.
Audit Summary
District officials did not adequately manage nonstudent network accounts and permissions. As a result, the District had an increased risk of unauthorized access, which could lead to loss of the District's data and network resources. The audit determined that officials did not:
- Disable five of 2,972 nonstudent user accounts that were no longer needed.
- Adopt a policy requiring the use of dedicated administrative accounts.
- Adopt a policy or procedures for software updates to help safeguard nonstudent network accounts and permissions.
By not adequately managing nonstudent network accounts and permissions, the District’s network is at greater risk of cyberattacks and unauthorized access. In addition, without dedicated administrative accounts, there is an increased risk that privileged accounts will be exposed to attackers. Also, without a software update policy and procedures, officials have less assurance that outdated computer software will be identified and remediated in a timely manner. Outdated computer software exposes nonstudent network accounts and permissions to exploitation by attackers who actively seek software with known vulnerabilities and weaknesses.
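The first finding, that enabled accounts no longer needed were not disabled, is the condition a periodic account review is meant to catch. The following is an added example and is not part of the OSC report or of the District's own procedures: it runs a stale-account review over a constructed account export and a constructed staff roster, flagging enabled accounts that are not on the roster or have no recent logon. The field names, the 90-day threshold and all sample data are assumptions; a real review would use an export from the District's directory service and the HR system of record.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export of nonstudent accounts (assumed field names, not real District data).
ACCOUNTS_CSV = """username,enabled,last_logon
jdoe,true,2025-02-28T14:03:00Z
msmith,true,2024-09-01T08:15:00Z
substitute07,true,
rlee,false,2023-11-12T16:40:00Z
svc-backup,true,2025-03-05T02:00:00Z
"""

# Constructed roster of users who are currently employed, contracted, or own a service account.
ROSTER_CSV = """username
jdoe
msmith
svc-backup
"""

# Review date is the last day of the audit period; the 90-day threshold is an assumption.
AS_OF = datetime(2025, 3, 6, tzinfo=timezone.utc)
STALE_DAYS = 90


def parse_timestamp(value):
    """Return an aware datetime for an ISO 8601 UTC timestamp, or None if blank (never logged on)."""
    value = value.strip()
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_accounts(text):
    """Parse the account export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"].strip(),
            "enabled": row["enabled"].strip().lower() == "true",
            "last_logon": parse_timestamp(row["last_logon"]),
        })
    return rows


def parse_roster(text):
    """Parse the roster into a set of usernames that are still authorized."""
    return {row["username"].strip() for row in csv.DictReader(io.StringIO(text))}


def review_accounts(accounts, roster, as_of=AS_OF, stale_days=STALE_DAYS):
    """Flag enabled accounts that appear no longer needed.

    Returns {username: [reasons]} for enabled accounts that are not on the
    roster, have never logged on, or have not logged on within stale_days.
    Accounts that are already disabled are out of scope and skipped.
    """
    cutoff = as_of - timedelta(days=stale_days)
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        reasons = []
        if acct["username"] not in roster:
            reasons.append("not on current roster")
        if acct["last_logon"] is None:
            reasons.append("no recorded logon")
        elif acct["last_logon"] < cutoff:
            reasons.append(f"no logon in {stale_days} days")
        if reasons:
            findings[acct["username"]] = reasons
    return findings


def summarize(accounts, findings):
    """Return (flagged, enabled_total), the 'X of N enabled accounts' form an audit finding takes."""
    enabled_total = sum(1 for a in accounts if a["enabled"])
    return len(findings), enabled_total


if __name__ == "__main__":
    accounts = parse_accounts(ACCOUNTS_CSV)
    findings = review_accounts(accounts, parse_roster(ROSTER_CSV))
    flagged, total = summarize(accounts, findings)
    print(f"{flagged} of {total} enabled nonstudent accounts flagged for review")
    for user, reasons in sorted(findings.items()):
        print(f"  {user}: {'; '.join(reasons)}")
```

Two caveats apply when running such a review against a real directory. Service and shared accounts have no employee behind them, so each needs a recorded owner on the roster (as svc-backup does here) or it will be flagged every cycle; and a last-logon value is only as reliable as the directory's replication of that attribute, so an account that appears stale should be confirmed with its owner before it is disabled.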
Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.
The report includes five recommendations that, if implemented, will improve the District’s management of nonstudent network accounts and permissions, and reduce the risk of unauthorized or inappropriate access. District officials generally agreed with our recommendations and plan to initiate corrective action.
We conducted this audit pursuant to Article V, Section 1 of the State Constitution and the Office of the New York State Comptroller’s (OSC) authority as set forth in Article 3 of the New York State General Municipal Law (GML). Our methodology and standards are included in Appendix C.
The Board has the responsibility to initiate corrective action. A written corrective action plan (CAP) that addresses the findings and recommendations in this report must be prepared and provided to our office within 90 days, pursuant to Section 35 of GML, Section 2116-a (3)(c) of the New York State Education Law and Section 170.12 of the Regulations of the Commissioner of Education. To the extent practicable, implementation of the CAP must begin by the end of the next fiscal year. For more information on preparing and filing your CAP, please refer to our brochure, Responding to an OSC Audit Report, which you received with the draft audit report. The CAP should be posted on the District’s website for public review.
1 PPSI is any information to which unauthorized access, disclosure, modification, destruction or use – or disruption of access or use – could have or cause a severe impact on critical functions, employees, customers, third-parties or other individuals or entities.