ALBANY – A State Comptroller’s Office audit of the information technology department in the Millbrook Central School District found officials did not establish adequate controls over user accounts in order to prevent unauthorized access, use or loss.
The review found that the district did not periodically review and disable unneeded network user accounts; that 46 students were no longer enrolled but had active network user accounts; that 13 individuals left employment between 2013 and 2020 but had active network user accounts; and that nine generic accounts were last used between 2015 and 2018.
The school district also did not develop a breach notification policy as required by state law.
Key recommendations included that the district develop written procedures for managing system access that include periodically reviewing user access and disabling user accounts when access is no longer needed; and develop a breach notification policy.
School district officials agreed with the state recommendations and indicated they would take corrective action.