An audit released Friday by the New York State Comptroller's office identified potential areas of weakness in the East Hampton School District's information technology practices, noting that a potential "risk of unauthorized access, lost data, and inability to recover from a network disruption" could occur.
District officials, who agreed with certain parts of the auditors' findings and disagreed with others, said Monday that they welcomed the analysis and are viewing it through a constructive lens.
Audits like this "are incredibly valuable to us," said Adam Fine, the district superintendent. "We use that information to improve our practices."
State officials typically swoop into school districts every five to seven years to examine key parts of their operations. For instance, the comptroller's office released an audit of the Cold Spring Harbor School District on Sept. 1 that alleged the district failed to properly record, tag, and account for capital assets, and in June, it said the East Quogue School District wasn't properly tracking employees' accrued vacation and sick time.
In East Hampton's case, auditors explored the district's use of two "central network management tools" for more than 10 years, which Mr. Fine identified as one Microsoft-based system and one Google-based system for finances and employee information, respectively. This "has created security concerns," the state said in recommending that the district consolidate the systems.
However, Mr. Fine said the two systems are not compatible with each other. "We even double-checked with the company. That migration will never fully take place."
Another of the auditors' findings in East Hampton concerned "3,725 enabled network user accounts, including 3,132 student accounts, 483 individual nonstudent accounts, and 110 shared and service accounts." Ninety-one percent of those accounts, auditors said, had not been logged into within the last six months. "Accounts grant access to sensitive information, and unneeded accounts should be disabled to protect district data," auditors wrote in their report.
"We have a different view than the comptroller's office does on this," said Sam Schneider, East Hampton's assistant superintendent for business. "We view these accounts as completely disabled for the outside world. The users cannot access them, but they remain in our system so they can be used for archival purposes."
Mr. Fine gave an example: If a student graduates but then needs access to his or her academic records years down the line, that information can actually be retrieved from an old, disabled account. "But we're obviously looking at it again," he said.
State auditors also faulted East Hampton for what it said was a lack of "security awareness" training for employees. "Therefore, users may not understand their responsibilities and are more likely to be unaware of situations that could compromise the district's I.T. network and data."
Mr. Fine said the district now has plans to implement more training, and Mr. Schneider said the district has a robust cybersecurity insurance policy in place.
"We recognize the fact that people who are not here anymore should not have access to our system, and Adam and I are in agreement that they don't," Mr. Schneider said. "I think the audit was right to say we need to improve our I.T. security training program."
Auditors also asserted the district doesn't have an "I.T. contingency plan," saying that "without a contingency plan, officials have less assurance that, in the event of a disruption or disaster such as a ransomware attack, employees and other responsible parties would be able to react quickly and effectively."
East Hampton's official policy manual does contain a chapter titled "Information Security Breach and Notification," though it was last updated in 2013. A new plan is in development; according to the audit report, the school "board and district officials have been developing an I.T. contingency plan; however, according to the systems administrator, the board has not yet adopted the plan because the board and district officials have been unable to agree on wording."
Mr. Fine said the audit will be a topic of discussion on next Tuesday's school board agenda, and that a corrective action plan -- required, at this point, by the comptroller's office -- is in the works. "I don't view any negatives from the audit," he said. "Even though there are disagreements in two interpretations of our system, it forced us to refocus our attention. . . . We value the feedback."