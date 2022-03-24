LAFARGEVILLE — A state audit of the LaFargeville Central School District found fault with some procedures and programs in the district’s Information Technology Department.
The audit covered a two-year period, from July 1, 2019, to June 3, 2021.
Key findings suggest district officials did not establish adequate IT controls over physical IT assets and non-student user account access to the district’s network. In addition to sensitive IT control weaknesses that were communicated confidentially to officials, the audit found:
• 235 IT assets costing $108,462 were not recorded in the district’s inventory records, and seven computers, two audio systems, one projector and 10 other electronic components that cost $9,266 could not be found;
• No physical access or environmental controls over the server room;
• Improperly managed network user accounts;
• The district’s disaster recovery plan was outdated, inadequate and not tested.
District officials and staff rely on the district’s IT assets for internet access, email and maintaining confidential and sensitive financial and personnel records. The district acquires IT assets through cooperative purchasing with the Jefferson-Lewis-Hamilton-Herkimer-Oneida Board of Cooperative Educational Services Information Technology.
As of May 2021, the district’s inventory records had 1,330 IT assets, including computers, monitors, printers and other audio-visual and computer-related equipment. The disposal of all IT assets requires the board of education’s approval, and assets purchased through BOCES also require BOCES approval before disposal. The audit found that district officials did not always properly track the district’s IT assets. It selected 45 assets that cost the district $115,879 and traced them from the district’s inventory records to their physical location.
Although auditors located all 45 assets, 20 of them costing $12,131 were difficult to find because they were designated in the inventory records as located throughout the building rather than assigned to a specific numbered classroom or staff member.
Auditors selected an additional sample of 215 spare computers and other IT assets that they observed being stored in various locations and found that none were recorded in the district’s inventory records. According to lists showing cooperative purchases from BOCES, these assets cost $99,196. They also attempted to trace 20 other IT assets that cost $9,266 from the BOCES records to the district’s inventory records and their physical location. None of these assets, which included seven computers, seven wireless access points, three control panels, two audio systems and one projector, were recorded in the district’s inventory records and auditors could not physically locate any of them.
According to the report, district officials told auditors that these 20 assets were likely disposed of three years ago when the district requested its last disposal. However, when auditors reviewed the prior disposal list that was approved by the board at that time, they did not see any of these assets on that list.
With the district’s server room located within a technology classroom, when auditors performed an initial walk-through in May 2021, they observed that the door of the room was left open. District officials said the cooling system had been out of service since September 2020, so they had been leaving the door open to maintain a cooler temperature. Because the door was not locked, the servers were accessible to anyone inside the school building.
The system was repaired in late June 2021, and auditors subsequently observed that the door was locked. If access to the servers is not controlled, the risk increases that unauthorized access to students’ and employees’ personal information could be obtained, and records could be altered or destroyed or the servers could be damaged.
Key recommendations from the audit include the implementation of procedures to properly account for physical IT assets throughout the district; the establishment of physical security and environmental controls over the server room; immediately disabling unneeded network user accounts and regularly reviewing and updating network user accounts for necessity and appropriateness; and the development and adoption of a written IT contingency plan.
Overall, district officials generally agreed with the audit’s recommendations. Superintendent Troy Decker issued a short response in which he stated that the district appreciated the chance to respond to the audit, agreed with audit findings and made changes to have components of its action plan completed in the near future.
The complete audit report can be found at wdt.me/LCSDaudit.
