Network User Account Controls Audit - September 2022

Report of Examination (2022M-77) issued September 9, 2022, by the New York State Office of the State Comptroller, Division of Local Government and School Accountability

Audit Objective

Determine whether Nassau Board of Cooperative Educational Services (BOCES) officials established adequate controls over non-student network user accounts to help prevent unauthorized use, access and/or loss.

Key Findings

BOCES officials did not establish adequate controls over network user accounts. As a result, BOCES has an increased risk of unauthorized access to and use of the BOCES network and potential loss of important data. In addition to sensitive information technology (IT) control weaknesses that were confidentially communicated to officials, we found BOCES officials did not:

  • Disable 73 unnecessary individual non-student network user accounts and three service accounts with administrative rights.
  • Establish written procedures for granting, verifying, changing and disabling network user account access.

Key Recommendations

  • Evaluate all non-student network user accounts and ensure unneeded user accounts are disabled in a timely manner.
  • Establish written procedures for granting, verifying, changing and disabling non-student network user account access.
  • Establish and implement a system in which nonemployee network user accounts and service accounts are disabled after a specified period without a valid user login.

BOCES officials generally agreed with our findings and indicated they plan to initiate corrective action.