State audit finds North Salem Central School District officials did not adequately manage network users
An information technology audit by the New York State Comptroller’s office found lapses in North Salem Central School District officials’ handling of network user accounts. In addition to finding sensitive information technology control weaknesses, which were communicated confidentially to officials, the audit found that District officials should have developed procedures for granting, changing and disabling network user accounts and ensured that IT staff disabled unneeded network user accounts.
Eric Stark, Director of Business Administration for North Salem Central School District, said that there were two categories of users who had not been properly de-activated from the District’s system: former employees and former students. “The moment that we found out what [the auditors] were concerned about, we fixed it and put procedures in place to ensure that it doesn't happen again,” he said.
Network user accounts are potential entry points for attackers. If compromised, they could be used to inappropriately access the network and view personal, private and sensitive information, make unauthorized changes to records, deny legitimate access to electronic information or gain access to or control over other IT functions.
According to the report, “district officials had an automated system in place to add and disable employee and student network user accounts. However, we found they did not have procedures for managing (granting, changing and disabling) network user accounts. Also, the Director and IT staff did not ensure that the automated system was working properly. In addition, the Director did not maintain a list of authorized network users or periodically review enabled network user accounts to confirm they were still needed,” the report said.
The North Salem Central School District contracts with Core BTS, an IT service management firm, for the IT Director position, which is occupied by Justin Schaef. Schaef is responsible for managing network user accounts and providing oversight of the District’s IT staff, who are provided by a second vendor. Stark noted that the IT Director role had changed hands several times over the past few years. “It’s not an excuse but probably a reason that some of these things happened,” he said. Julio Vazquez, director of human resources and curriculum for the District, is the District’s chief information officer (CIO) and is responsible for overseeing the Director and ensuring that the Director performs their duties in accordance with their contract.
Auditors reviewed all 393 non-student network user accounts and identified 163 accounts that had not been used in at least six months. When unneeded network user accounts remain enabled, they are at increased risk of being compromised.
In a letter sent to the Comptroller’s office in response to the audit findings, Superintendent Ken Freeston wrote, “we have reviewed the key findings and are in agreement with them. The district has already disabled any unneeded network accounts and is in the process of developing procedures for granting, changing and disabling network accounts moving forward.”
Stark said that school district officials have implemented a new process for managing network accounts. Twice a year, the IT Director will review the network user list to identify employees who have left the district as well as graduating seniors and any students who have moved out of the district. The procedure will take place in July and midway through the school year.