The New York State comptroller’s office found cracks in East Hampton School District’s Information Technology Department that increased the risk of unauthorized access and lost data, and an inability to recover from a network disruption.
“District officials secured user account access to the financial application but did not secure user account access to the network or develop an IT contingency plan,” Comptroller Thomas DiNapoli’s report read. “We confidentially communicated sensitive IT weaknesses to officials, and the district’s use of two central network management tools for over 10 years has created security concerns due to lack of monitoring of all accounts on both tools.”
The state office also reported that accounts grant access to sensitive information, officials did not provide IT security awareness training to district IT users, and 91 percent, or 3,395, of the district’s enabled network user accounts were not logged into in the last six months.
“Therefore, users may not understand their responsibilities and are more likely to be unaware of situations that could compromise the district’s IT network and data,” the state reported in its findings. “Unneeded accounts should be disabled to protect district data.”
While Superintendent Adam Fine said the district did not agree with all of the comptroller’s office’s findings, it did ultimately decide on a corrective action plan, which is detailed in a response posted on the district’s website.
In replying to the finding on the use of two central network management systems, Fine said he disagreed with the characterization of the practice as a “migration” and said the district purposefully moved from Microsoft to Google-based programming, but that running two parallel systems became necessary upon finding out that a number of software programs, specifically, he said, one of the district’s important management programs, did not run on Google.
In response to the enabled network user accounts, the superintendent said many of them were inactive, and that no one has access to them.
“We keep them for archive purposes to provide employees and students with work when they request,” he said. “This allows us to access the work product of past staff and allows former students to request copies of work they accomplished during their time here.”
Fine said that while Network and Systems Administrator Chuck Westergard has since deleted a number of accounts, it’s a practice the district would still like to keep.
When it came to IT security awareness training, though, Fine did say that’s an area he believes the district needs to improve upon. “We do some passive training consistently throughout the year, but they would really like us to implement a formal process, and I totally agree with that,” Fine said, pointing to the institution of annual IT security training for all employees.
He said a policy committee, made up of himself, three Board of Education members, Assistant Superintendent for Business Sam Schneider and the district clerk, is scheduled to meet for the first time in October to consider drafts of a recommended policy. The anticipated completion date for this is March 30, 2024.
“I think [we all agree] that the process is good for us,” Fine said. “It’s all about checks and balances.”
Board Vice President Christina DeSanti said the audit couldn’t have come at a better time.
“Information technology and cybersecurity were going to be our next topic of discussion, so we thought this was great,” she said.
Schneider said this is one of six audits completed this past year.
“This audit has shown that, for the most part, our cybersecurity is very strong,” he said. “It’s an area that really wasn’t getting a lot of attention from government agencies five years ago, and this helps protect our data.”