District works to strengthen technological security, controls

During its audit of the town of Wilton and Board of Education’s internal controls, consulting firm Blum Shapiro performed an information technology (IT) general controls review, which focused on IT organization, policies and procedures, security, and system backup.
In a post-audit management letter, Blum Shapiro noted several recommendations for the education board to consider when determining the appropriate level of technology controls. The board reviewed and discussed these recommendations during its Feb. 5 meeting.


The firm’s first recommendation was to strengthen the district’s network password security.
“It would force everybody to reset their passwords and their complexity on June 20,” Technology Director Mathew Hepfer told the board, “and every 90 days, they will be forced to create a new password.”
Although this is “a move that may be very, very unpopular,” said Mr. Hepfer, “the good news is that organizations have done this for years and people get used to it.”

Access lockouts

Mr. Hepfer said the district began formalizing and strengthening its procedures to ensure access lockouts for terminated and retired employees at the end of last year.
“Our human resources department and data system analyst [James Mizera] created a protocol of what to do when someone leaves and how long we keep different accounts active,” said Mr. Hepfer.
“Most things are shut off immediately, but we’ve formalized the procedure a bit more since Blum Shapiro gave their recommendation.”

Employee maintenance

Blum Shapiro recommended that the board review employee maintenance access to “ensure proper segregation of duties between all systems.”
Mr. Hepfer said he, Financial Director Ken Post and Human Resource Director Susan Paley met with “key staff members” to discuss formalizing employee controls.

Disaster recovery

Blum Shapiro also recommended that the board formalize and test a disaster recovery plan, for which the board has already developed a plan template.
In response to Blum Shapiro’s recommendation, the board said its disaster recovery plan needs to be updated “to reflect recent changes to infrastructure and also to develop a formal testing schedule,” which the schools expect to complete this school year.
“This is something we were working on, but we had actually held off on updating our formal disaster recovery plan because we were in the process of virtualizing our servers,” said Mr. Hepfer.
“We’re also in the process of changing some of our data systems for HR [human resources], so we’re kind of in a little bit of a holding pattern right now, but we have begun the process of formalizing the plan.”


Blum Shapiro’s last technology recommendation was for the board to work with legal counsel to confirm the appropriate, necessary steps and actions to prepare a compliant e-discovery plan.
The education board said it developed a formal plan for responding to Freedom of Information Act requests with its legal counsel.
“The plan includes a workflow and a formal notification procedure,” according to the board, which also noted that the schools’ email archiving server was upgraded in the fall to “more efficiently respond to requests for e-discovery.”