GOSHEN – Orange-Ulster BOCES officials did not establish adequate internal controls over nonstudent network user accounts to help prevent unauthorized use, access or loss, according to the findings of a state comptroller’s office audit.
The study also found sensitive information technology control weaknesses that were communicated confidentially to officials.
The review said BOCES did not disable 20 unneeded nonstudent network user accounts that had last log-on dates ranging from January 5, 2017 to October 29, 2021.
Auditors recommended development of written procedures for granting, changing and disabling network user accounts; evaluating all network user accounts and ensuring unneeded accounts are disabled in a timely manner; and developing a process to identify and follow up with employees who have not completed the required IT security awareness training.
BOCES officials agreed with the state findings and indicated they plan to initiate corrective action.
