The Comptroller recently audited school districts and BOCES to address electronic access issues related to facilities and information. Security risks arise when former employees or non-employees (such as vendors and contractors) retain access to school premises, databases, or educational platforms after their association with the school district ends.
For instance, the Comptroller found that a BOCES failed to adequately monitor and manage building access badges. The BOCES issued electronic ID badges to authorized users, which were verified through a Building Access System (BAS) at entry points. However, the audit revealed that 48 out of 87 former-employee or non-employee badge accounts had not been deactivated. Additionally, duplicate accounts in the building system and duplicate physical badges were created for 25 current employees, and 15 of 25 shared accounts had not been deactivated even though the corresponding electronic badges were unaccounted for. The Comptroller concluded that the BOCES did not properly manage or monitor building access badges and lacked written procedures for granting, changing, and deactivating electronic badge accounts.
Following the audit, the Comptroller’s office emphasized the importance of the Safe Schools Against Violence Act (SAVE Act), which mandates that educational institutions incorporate school building security, including technology devices like building access badges, into their safety plans. Schools and BOCES are required to establish written procedures for these devices, defining authorized personnel for granting access, categorizing individuals eligible for building access, designating employees to monitor and manage active accounts, and establishing a process for revocation and deactivation of electronic badge accounts as well as the collection of physical building access badges. The Comptroller’s Office advised that inactive accounts be promptly deactivated and that all building access accounts undergo periodic review by designated personnel.
In a separate audit concerning a different BOCES, the Comptroller’s Office reviewed 1,333 enabled non-student network user accounts, including 956 individual accounts and 377 service and shared accounts, to determine whether unneeded accounts were promptly deactivated. Non-student network accounts are used by BOCES employees, vendors, and contractors for job-related activities. Of the 1,333 accounts tested, the audit determined that 101 enabled non-student network accounts were no longer needed and should have been deleted to prevent potential unauthorized access to personal, private, and sensitive information. It recommended that shared network user accounts be allowed sparingly because of the accountability issues that arise when multiple users access the same account. The audit also revealed that the BOCES did not have a written policy for granting, modifying, and disabling non-student network user accounts that are no longer required. Therefore, it recommended that accounts no longer in use be immediately disabled and that written procedures be established for managing accounts.
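The periodic review the Comptroller recommends for badge accounts and network accounts comes down to reconciling the list of enabled accounts against the roster of people still employed or engaged, and separately flagging shared and ownerless service accounts for justification. The script below is an added illustration of that reconciliation, not code from the audits or from any BOCES; the account export, roster IDs, and the 90-day inactivity threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Account:
    username: str
    kind: str                   # "individual", "shared" or "service"
    owner: Optional[str]        # HR/vendor ID of the responsible person, if any
    last_logon: Optional[date]  # None if the account has never been used

# Constructed sample input (not audit data): a directory export of enabled
# non-student accounts and the HR/vendor roster of people still engaged.
ENABLED_ACCOUNTS = [
    Account("jdoe", "individual", "E1001", date(2024, 5, 2)),
    Account("asmith", "individual", "E1002", date(2023, 11, 9)),   # owner separated
    Account("hvac_vendor", "individual", "V2001", date(2024, 4, 30)),
    Account("frontdesk", "shared", None, date(2024, 5, 1)),
    Account("svc_backup", "service", "E1001", date(2024, 5, 3)),
    Account("tmp_intern", "individual", "E1003", None),            # never logged on
]
ACTIVE_PEOPLE = {"E1001", "E1003", "V2001"}   # E1002 is no longer on the roster
REVIEW_DATE = date(2024, 5, 10)               # assumed date of this review

def review_accounts(accounts, active_people, today, stale_days=90):
    """Classify each enabled account as 'disable', 'review' or 'ok'.

    Returns {username: (action, reason)}, a record that can be kept as the
    written evidence of the periodic review the audit calls for.
    """
    findings = {}
    for a in accounts:
        if a.owner is not None and a.owner not in active_people:
            findings[a.username] = ("disable", "owner no longer employed or engaged")
        elif a.last_logon is None or (today - a.last_logon).days > stale_days:
            findings[a.username] = ("disable", f"no logon within {stale_days} days")
        elif a.kind == "shared":
            findings[a.username] = ("review", "shared account: confirm it is still justified")
        elif a.kind == "service" and a.owner is None:
            findings[a.username] = ("review", "service account without a responsible owner")
        else:
            findings[a.username] = ("ok", "")
    return findings

def run_review():
    return review_accounts(ENABLED_ACCOUNTS, ACTIVE_PEOPLE, REVIEW_DATE)

if __name__ == "__main__":
    for user, (action, reason) in run_review().items():
        print(f"{user:12} {action:8} {reason}")
```

Disabling rather than deleting first preserves the account for forensic review while removing its access; the "review" bucket is where the accountability question for shared accounts gets answered and documented.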
Another outcome of the Comptroller’s recent audits is the emphasized importance of promptly identifying, inventorying, and recording user information for all school district or BOCES-owned IT devices assigned to authorized individuals to prevent further security breaches. The Comptroller’s Office stressed that IT inventory should be properly recorded and maintained, including detailed information regarding each device’s make, model, serial number, purchase or lease date, assigned user, and location.