Auditors with the comptroller's office reviewed the district's technology to determine if the district board of education or district officials ensured its computerized data was safeguarded through training, monitoring user accounts and adopting a written information technology (IT) contingency plan. According to the audit, the school contracts with South Central Regional Information Center to provide IT services including an assigned IT coordinator, hardware and software purchases, technical support, monitoring network user accounts and providing IT security awareness training.
Auditors looked at school records from July 1, 2019, through April 23, 2021. They looked at network resources, which included networked computers, and certain applications, which included email, to see if anything could be potential entry points for hackers to access and view personal, private and sensitive information, including grades and human resources records. Auditors reviewed the district's 273 nonstudent network user accounts and four local user accounts and found 58 nonstudent network user accounts were not needed and could be disabled, including 34 generic user accounts and the accounts for 19 former employees.
Unatego Superintendent David Richards said he wasn't surprised by the comptroller's report findings. "There are so many new rules, recommendations and guidelines that it is sometimes hard to keep up with them, particularly during a pandemic," Richards said.
The audit also said the district did not provide safety training and the board did not adopt an IT contingency plan. The audit did say safety training was planned for a Superintendent's Day at the beginning of the 2020-21 school year, but the district used those days to set up remote learning during the COVID-19 pandemic. Richards said the district held "a very useful program for all staff with the assistance of the South Central RIC from Broome-Tioga BOCES" in October.
Richards said the district is "working with our managed information technology people at BT BOCES to develop our IT contingency plan and expect to have it completed by the end of this school year."
The board of education also passed a Corrective Action Plan in response to the audit during its March 21, meeting. The plan said:
- The district is developing a procedure whereby creation and removal of user access to the network is tied to human resources and will be based on employment status.
- The district's director of technology and staff at South Central RIC will review network accounts on a quarterly basis. All unnecessary accounts will be disabled in a timely manner.
- The district's director of technology and other district officials will review district user accounts on a quarterly basis. All unnecessary accounts will be disabled in a timely manner.
- The district will continue to offer annual IT security training.
- The district will work with the South Central RIC staff to assign specific IT responsibilities while collaborating to develop and adopt a comprehensive written IT contingency plan.
©2022 The Daily Star (Oneonta, N.Y.). Distributed by Tribune Content Agency, LLC.
