Institutional Federal Compliance Report 2021

ANDREWM. CUOMO Governor ROBERT F. MUJICA JR. Director of the Budget

SANDRA L. BEATTIE Deputy Director

2017-18 Prior-Year Finding Summary

Prior-Year Audit Period:

State Fiscal Year Ended March 31, 2017

S tate Education Department

State Agency:

Single Audit Contact:

Karla Ravida

Title:

Principal Internal Auditor

Telephone:

518-486-5212

E-mail Address:

Karla.Ravida@nysed.gov

Prior-Year Audit Report Page Reference:

56

Prior-Year Finding Number:

2017-021

Corrective Action Planned:

As of August 2017, a Mantis ticket is created monthly listing all the tickets that were closed out in the previous month. This ticket is assigned to a manger to review and verify they were correctly implemented. NYSED ISO policies will be modified to specify that a review of Active Directory user accounts be conducted at least on an annual basis. A corresponding procedure will be developed to specify the process to be used for that review. At minimum, this review will consist of exporting all users from Active Directory by program area. These user lists and associated group memberships will be provided to the Director of Operations for each program area, who will note any users that need to be deactivated or permissions that require adjusting due to internal changes of responsibility.

Status Report on Prior-Year Finding: Corrective actions taken and implemented:

A monthly Mantis ticket is created listing all the tickets that were closed out the previous month. This ticket is assigned to a manger to review and verify they were correctly implemented. This process has been completed each month since August 2017. In response to finding 2017-021 in the U.S. Department of Education audit (audit control number ACN 02-17-88763) the New York State Education Department (NYSED) conducted a “review of access at the organization-wide network layer.” This review involved an agency-wide

State Capitol, Albany, NY 12224 │ www.budget.ny.gov