Taconic Hills says many issues have already been addressed
CRARYVILLE — The office of state Comptroller Thomas DiNapoli issued an audit last week that found weaknesses or flaws in the Taconic Hills School District’s technology systems, in particular the security of its digital information. But Information Technology Director and Network Systems Engineer Rick Juliano said this week that had the auditors dug deeper, they would have discovered that many safeguards the report recommends are already in place, though they are not yet official school board policy.
The issues raised will be addressed in the next 60 to 90 days, Superintendent Mark Sposato said in a letter to the comptroller dated January 13. The letter outlines steps the district plans to take to eliminate risk. The measures include establishing a network breach response team, completing a Disaster Recovery Plan, and constructing a secure space for computer equipment and wiring.
The report, dated January 2011, was the end of a 13-month study by the Office of the State Comptroller that began in July 2009 to assess “the adequacy of the internal controls put in place by officials to safeguard district assets.”
Auditors looked at financial oversight procedures, cash receipts, disbursements, purchasing, payroll, personal services, and information technology. The investigation involved interviewing school district officials, tests of transactions, review of district policies and manuals, board minutes, financial records, reports and computerized data.
State auditors also reviewed internal controls over financial data entry. They then selected the area they called “most at risk,” the area of technology, for further testing. The report said that “because of the sensitivity of the information certain specific vulnerabilities are not discussed in this report, but were communicated confidentially to the district officials so they could correct problems.”
Areas of concern the report does cite include the fact that the district’s director of finance was the administrator of the financial software program, and inadequate attention by the district to data recovery, data backup and protection against computer viruses, problems faced by most organizations and individuals who use computers connected to the Internet. It said that the district has not “established adequate internal controls to effectively safeguard the district’s computer system and data.”
But Mr. Juliano, who assumed the post of network system engineer a year ago, took issue with that assessment, saying, “We do have tracking systems. We audit events internally in the network, track network remote access, and get notifications of use. We do have recovery procedures in place, even if the policy is not yet written. We perform data back-ups, we have virus protection and firewalls.
“The disaster recovery plan was 50% complete at the time of the audit,” he said.
“We have limited remote access to help buildings and grounds monitor the building. Even the superintendent doesn’t have access from home. All he has is email.”
“With budget cuts, our staff is diminished. We and some other districts are trying to figure out how to separate those duties that one person should not be doing,” Mr. Juliano said.
The Comptroller’s report and the letter of response from Superintendent Mark Sposato are posted online at www.osc.state.ny.us/localgov/audits/schools/2011/taconichills.pdf.