Sewanhaka Central High School, West Hempstead districts cited by state comptroller
Sewanhaka Central High School District school board President Michael Jaime during a meeting the the School Board at Sewanhaka High School on April 25. Credit: Newsday/Thomas A. Ferrara
One Hempstead Town school district didn’t establish an adequate information technology contingency plan and another didn’t establish adequate controls with network access, according to state comptroller audits.
A June 30 audit shows the Sewanhaka Central High School District did not establish a plan to help them adequately secure and protect business office IT systems. A July 14 audit shows that the West Hempstead district had inadequate controls over nonstudent network user accounts set up to prevent unauthorized access.
IT contingency plans help minimize the risk of interruption of services in case of sudden, unplanned disruptions, like malware or a natural disaster. The plan is “particularly important,” auditors said, because of “ongoing and increasingly sophisticated threat of ransomware attacks.” A plan includes key personnel responsibilities, training, backup procedures and communication protocols.
Auditors found Sewanhaka didn’t have a comprehensive plan addressing how officials would respond to disruptions or disasters affecting the business office’s IT system. The school board adopted a disaster recovery plan in October 2009, but auditors said it didn’t address the range of threats or sustaining critical business functions during and after a disruption.
Sewanhaka school board officials said they agreed with the audit’s findings. In a June 20 letter to auditors, board president Michael Jaime said the district had internal knowledge, processes and procedures, but the contingency plan was “deserving of attention and focus.”
In March, the board adopted an amended policy to enhance the district’s IT plan no later than October, Jaime said.
The district didn't respond to a Newsday inquiry seeking comment.
Auditors noted that West Hempstead officials didn’t establish adequate controls over nonstudent network user accounts. Additionally, the district didn’t have key network user access control procedures and didn’t disable 60 nonstudent network accounts that were unneeded — about 11% of accounts, auditors said. Twenty-two of the accounts hadn’t been used in more than five years. The oldest account was inactive for more than 10 years, auditors said.
Of the 557 non-student accounts, auditors said 182 accounts didn’t match users on the district’s payroll. More than 50 accounts were for people no longer employed; the accounts were disabled after the audit inquiry, the audit said.
In a May 22 letter to auditors, West Hempstead Superintendent Daniel Rehman said the district disagreed that it didn’t establish adequate controls, adding that the district was “ahead of the curve” in implementing security measures and has “multiple layers of robust security measures.”
Rehman said 25 of the 53 accounts scrutinized by auditors had been reactivated to retrieve information, but said they hadn’t been closed in a timely manner.
“The audit revealed valuable insights, enabling us to identify areas for improvement and fortify our security framework,” Rehman said Monday.
Brinley Hineman covers the Town of Hempstead and the City of Long Beach for Newsday. She previously was a reporter in Nashville, Tennessee, and is a West Virginia native.
Finding a financial adviser ... Best Chinese restaurants ... Get the latest news and more great videos at NewsdayTV
Finding a financial adviser ... Best Chinese restaurants ... Get the latest news and more great videos at NewsdayTV
