GREENVILLE — State Comptroller Thomas P. DiNapoli released an audit on Friday that determined that the Greenville Central School District did not establish adequate policies and procedures regarding employee network access.
The state audit began on July 1, 2019, with the goal of determining whether district officials had implemented adequate network user account controls to prevent unauthorized use of, or access to, its computer system.
The audit, which was originally scheduled to end on February 8, 2021, was extended to March 31, 2021, so that state auditors could perform computer testing in the district.
The audit found that the district failed to develop a comprehensive acceptable use policy and monitor employee computer use.
The report also found that the district failed to disable 64 unnecessary network user accounts, which included former student and employee accounts.
The state comptroller’s report made key recommendations, including direction that the district should ensure that Greenville’s Acceptable Use Policy “clearly outlines what is acceptable for use of district computers, is updated to include district employees and is regularly reviewed and monitored for compliance.”
The report also recommends that the district “design and implement procedures to monitor employee computer use and implement procedures to ensure policy compliance.”
On Friday, Greenville Central School District Superintendent Michael Bennett deferred questions about the state audit until the Greenville School Board holds its next meeting on Monday. The audit preceded Bennett’s tenure with the district, which began March 7.
In a letter to the State Comptroller’s Office dated April 12, Bennett responded to a draft state audit report.
“The audit results were found to be both accurate and informative and we take this opportunity to make necessary improvements to our practices and formalize some of our unwritten procedures,” Bennett wrote.
Bennett said the district would implement an acceptable policy for employee use of district devices and its network, and he estimated that the school board would approve the policies recommended in the audit during the calendar year.
“The Chief Technology Officer (Scott Gardiner) will then put procedures in place to ensure these policies are followed,” Bennett wrote.
During the audit, the Comptroller’s Office reviewed the 190 district network accounts that had not been used within six months of the start of the audit to determine if they were still needed.
“We found that 27 of 190 user accounts belonged to former employees or students who should have been deactivated,” according to the report. “We also reviewed the 68 generic accounts and found that 37 (54%) were no longer needed.” The report notes that district staff did not deactivate unnecessary accounts.
The district should periodically review user access to its network and disable user accounts that are no longer needed, according to the audit. The report recommends that the district immediately deactivate the 27 user accounts belonging to former students and staff members and 37 other unnecessary generic accounts identified by the auditors.
The Comptroller’s report notes that school districts should establish acceptable use policies for network access because browsing the Internet increases the likelihood of users being exposed to malware that could compromise the privacy of district data or the integrity of its network.
According to the audit, the district had an acceptable use policy that stated that network use by employees should be limited to district needs. The district policy did not “describe appropriate use or address acceptable personal use, such as personal shopping and online banking, and/or accessing personal social media and travel websites.”
According to the report, district officials and supervisors did not monitor employees’ Internet use or implement procedures to monitor staff members’ personal Internet use.
Auditors examined the Internet browsing history of five district computers used by five employees and found evidence of personal use on all five computers.