Date: 2022-12-10

POTSDAM — A state comptroller’s audit released Dec. 2 criticizes the Potsdam Central School District for inadequate IT planning that could have compromised personal, private or financial information stored on the district’s servers. In a response letter, District Superintendent Joann M. Chambers outlines the changes they’re making after getting recommendations from the comptroller’s office.
“District officials did not establish adequate controls over network user accounts and did not develop a written IT contingency plan. As a result, the district had additional entry points for attackers to access and view personal, private and sensitive information on the network and did not have sufficient documented guidance or plans to follow to resume essential operations if an unexpected IT incident occurred,” reads the audit, which covered July 1, 2020, to Dec. 31, 2021. “In addition to finding sensitive IT control weaknesses that were confidentially communicated to officials, we found that: Of the District’s 1,909 network user accounts 1,896 network user accounts were granted unneeded administrative permissions. 105 network user accounts were unneeded.”
Ms. Chambers wrote a response saying the district “recognizes the importance” of having adequate IT controls and a written IT contingency plan.
“In establishing an administrative position in the district with responsibility for computer resources and data management, the Board of Education had already taken an important first step in ensuring adequate oversight is provided. Work on the Information Technology Manual was already underway at the time the audit took place,” she wrote to the comptroller. “The recommendations provided were helpful as we implemented procedures for managing and reviewing network accounts. The steps we have taken since July 1, 2021 have reduced the likelihood attackers would be able to access and view personal, private and sensitive information on the network. The written guidance we now have in place will provide plans for us to resume essential operations if an unexpected IT incident occurred.”
The report includes six recommendations, all of which the district has addressed in a corrective action plan.
The first recommendation is for the superintendent, assistant superintendent and business manager to create a written procedure “for granting, changing, revoking, and reviewing network user access and permissions.” Ms. Chambers’s letter to the comptroller says they’ve created an IT manual that does that, and it will be presented to the Board of Education to consider for adoption by March 1. That also addresses the second recommendation — developing and distributing a “comprehensive written IT contingency plan” that is “periodically tested and updated as needed,” and the third recommendation — “develop comprehensive procedures for granting, changing, revoking, and reviewing network user access and permissions.”
The fourth recommendation is to monitor network user permissions and ensure accounts only have the access they need for their respective roles within the district. Ms. Chambers writes that all their servers are now scanned for this monthly, which started on Nov. 1. That monthly network scan also addresses the fifth recommendation, which is to evaluate existing accounts and disable any that aren’t needed, and to have procedures to detect and disable any extraneous accounts going forward.
The last recommendation from the comptroller is to restrict use of shared accounts or come up with procedures to watch who uses shared accounts and when. The superintendent’s letter says as of Nov. 1, the district reduced the number of shared accounts and those that remain are starting to be monitored when used. On Dec. 1, the district started logging the dates of use for shared accounts, and maintaining the logs for reference, Ms. Chambers wrote.
