Dover school employees used district computers for personal web browsing, and officials did not monitor for inappropriate internet use.
Meanwhile, the location of the district’s computer server was not secure, which increased the risk for unauthorized access to the network.
That’s according to the state Comptroller’s Office’s audit of the Dover Union Free School District’s information technology system conducted earlier this year.
Since the audit, the district has implemented a number of the changes recommended by the comptroller, said Dover Superintendent Mike Tierney.
“As with any audit, we did not always agree with all their findings, but have discussed them with the board and administrators to find a healthy balance between safety, efficiency and usability,” Tierney said.
Dover has an acceptable computer use policy and web filters were in place, but district officials did not monitor for inappropriate use in accordance with the board policy, the Comptroller’s Office said.
And at the time of the audit, Dover’s server was located in a room that doubled as storage space for computer supplies and old computers, according to the comptroller. The room was locked, but some custodial workers had access to it.
Auditors said they also found other “IT control weaknesses,” but the information is sensitive and results were not discussed in the report. They were shared confidentially with district officials.
Dover’s IT system practices from July 2016 through March were examined.
The comptroller recommended Dover develop procedures and controls that restrict access to websites, and secure the district’s server room so that only authorized individuals have access.
Auditors examined computers assigned to seven non-instructional employees, including district office staff and administrators.
“We found that employees used six of these computers to visit social networking, shopping, travel, entertainment and blogging websites, apparently for non-school purposes, and performed other internet research and browsing of a personal nature,” auditors said in the report.
Because those types of websites are often used to spread malicious software, using them unnecessarily exposes the systems to malicious software infections, the Comptroller’s Office said.
Dover has an acceptable computer use policy, and web filters were in place. But district officials did not monitor for inappropriate use in accordance with the board policy, according to auditors.
District officials should ensure there is an adequate web filtering process in place to limit vulnerabilities resulting from internet browsing and ensure the network is used for appropriate purposes, auditors said.
Tierney said that in one instance of auditors citing social media usage, “we tell them that three of our schools and our (Parent, Teacher, Student Association) have Facebook pages.”
Another time, Dover was cited “for going on shopping sites, even though we purchase from Amazon and other sites to get the best prices,” according to the superintendent.
If server access is not controlled, there’s an increased risk of unauthorized network access and damage to the server, according to the comptroller. Hard drives in the old computers may also contain personal information about staff or students.
“This weakness leaves the district vulnerable to the manipulation or loss of data with potentially costly consequences,” auditors reported.
The district has worked to fix that issue and others, said Tierney, in a response he wrote to the Comptroller’s Office in September.
“The access to this (server) area is now restricted and the recommended inside cage is now not needed to separate the server from the IT storage,” Tierney wrote.
Nina Schutzman: firstname.lastname@example.org, 845-451-4518, Twitter: @pojonschutzman
You may be interested in:
Got milk money? Dutchess schools could have saved $77,000 on milk: audit
Poughkeepsie school fund raises questions as state audit nears
Read or Share this story: https://www.poughkeepsiejournal.com/story/news/education/2018/10/15/dover-schools-didnt-monitor-internet-use-audit/1614340002/