Is your school's network safe?

An audit of the West Hempstead school district’s information technology security revealed a potential “entry point” for cybercriminals.

New York State Comptroller Thomas DiNapoli’s July 2023 audit, titled “Nonstudent Network User Account Controls,” cited 11 percent of the district’s 557 nonstudent network accounts as “not needed.”

West Hempstead Superintendent Daniel Rehman, however, countered that the district “has made IT system security a priority.” In his written response, Rehman said West Hempstead is “often ahead of the curve on implementing network security measures,” and that the district has created a “multi-pronged approach” to network safety.

Rehman told the Herald that the initial purpose of the audit was to check the district’s finances. “The auditors shifted their focus toward evaluating our security measures since our financial records proved excellent,” Rehman said.

Rehman credited the Comptroller’s staff for being professional and helpful. “The audit revealed valuable insights, enabling us to identify areas for improvement and fortify our security framework, ensuring the continued protection of our organization from potential threats,” he said.

DiNapoli’s audit credited West Hempstead with implementing security protocols. Still, the audit detailed instances that could lead to security breaches.

Rehman agreed, saying the district will continue to improve IT safety.

“We changed the passwords of the accounts when staff left their employment,” Rehman said. “However, the comptroller, seeking a more stringent approach, recommended the closure of these accounts altogether. We utilize enhanced security protocols, including regular password updates, and deployed a new program to automatically disable users who are no longer employed. This fortifies our defenses and protects against potential security threats. By taking this approach, we aim to strengthen our security while maintaining the necessary functionality for smooth operations.”

The audit noted that there were 53 former employee network accounts and seven network service accounts that had not been used in years, including 22 accounts that had been dormant for five or more years. The audit stated that these unused accounts could provide unauthorized access to sensitive information.

DiNapoli’s audit recommended that West Hempstead officials limit the use of shared accounts to reduce the possibility of unauthorized access. West Hempstead’s board of education should create IT security policies and procedures to secure network access. The audit states that the West Hempstead BOE “did not provide sufficient guidance to officials and employees to help safeguard” the district’s IT network.

The audit also recommends that West Hempstead conduct periodic reviews of nonstudent network accounts to identify and disable accounts no longer in use.

Rehman, in his response to the audit, stated that West Hempstead follows New York State School Boards Association’s School Policy Update guidance. Rehman added that West Hempstead had already disabled 25 accounts of former employees, and that the district disables accounts of former employees “as soon as they leave” the district.

Finally, Rehman said West Hempstead would automatically disable accounts when an employee becomes inactive by using a new software program.

To read the audit, visit the Comptroller’s website at Osc.State.Ny.Us.