State Auditor’s Cyber Aware School Audit Shows Districts Have Security Issues
The State Auditor’s office released a report on district cyber security this month. The report is part of that office’s Cyber Aware School Audits Initiative. It details the measures for protecting the student PII collected at the district level that schools have implemented incompletely or not at all. Five districts were audited. Similar problems were found in each. The performance audit contains recommendations that all districts should be implementing to protect the student data they collect.
- Boonville R-1 School District
- Waynesville R-VI School District
- Cape Girardeau Public School District
- Park Hill School District
- Orchard Farm R-V School District
Key Findings from the report:
Data Governance – The audits found that in many cases a comprehensive data governance program was not established or completed. Data governance is an organizational approach to data and information management that is formalized as a set of policies and procedures encompassing the full life cycle of data, from acquisition to use to disposal. It includes establishing policies, procedures, and standards regarding data security and privacy protection, data access, and data sharing. Without a comprehensive data governance program, there is less assurance the data management and protection procedures in place are effective in reducing data privacy and security risks due to unauthorized access or misuse of data.
Recommendation: Establish and implement a formal data governance program encompassing the full life cycle of data, from acquisition to use to disposal.
User Accounts – The audits found controls for creating and maintaining user accounts for accessing system resources were not fully established. For example, policies and procedures for disabling or removing user accounts in a timely manner after a user ended employment were not documented or required additional steps, and policies and procedures for requesting, establishing, and maintaining user access to data and other system resources were not formally documented. Proactive monitoring for user accounts not accessed or used for a specified period of time was not performed. Periodic reviews of user access to data to ensure access remained appropriate and aligned with job duties were not performed. Certain staff shared user accounts and passwords, which meant actions taken could not be traced back to a specific user. Without appropriate account access policies and procedures, users may have inappropriate or unauthorized access, which can provide opportunities for misuse or inappropriate disclosure of sensitive data.
- Fully establish, document, and follow policies and procedures to ensure user accounts and related access privileges are removed in a timely manner upon user termination.
- Establish and document formal policies and procedures, including requiring standard forms, for requesting, approving, and maintaining access to systems.
- Periodically monitor user account access to identify and evaluate inactive accounts.
- Periodically review user access to data and other information resources to ensure access rights remain appropriate and are commensurate with job duties and responsibilities.
- Eliminate the use of shared accounts, or establish compensating monitoring controls to mitigate the risk of lack of individual accountability for system activity.
Security Controls – In many cases the audits found not all necessary security controls were implemented, leaving district technology assets, including personally identifiable information, at risk of inappropriate access, use, and disclosure. For example, specific personnel were not formally appointed to serve as security administrator or formally assigned responsibility for creating, implementing, and maintaining security policies and procedures. Network passwords were not required to be periodically changed and controls to enforce the use of strong passwords were not required. Policies and procedures regarding user access to systems and data, including the use of logon banners and controls to manage concurrent access to systems, were not fully established. Policies and procedures to identify the types of security events to be logged and monitored were not formally documented or the documented policies needed to be enhanced. Physical security controls were not fully established to ensure protection of technology resources. Policies and procedures for certain security controls were not documented. Without a formal designation of staff responsible for security administration, and without documented and approved policies and procedures, management may not have assurance that control activities are appropriate and properly applied.
- Formally appoint a security administrator who is responsible for developing and maintaining district security policies and procedures.
- Ensure passwords are periodically changed and enhance password controls to prevent unauthorized access to computers and data.
- Fully establish access control policies and procedures by implementing logon banners for district systems to indicate appropriate use and by establishing security controls to manage and monitor the number of concurrent sessions for a single user.
- Establish and document criteria for identifying which security events should be written to audit logs and monitored and investigated as security incidents.
- Formally document responsibility for physical protection of technology resources and develop policies and procedures to effectively restrict physical access.
- Fully document and periodically review security policies and procedures.
Incident Response and Continuity Planning – The audits found additional measures were necessary to protect data in the event of a breach or other disruptive incident. Policies and procedures for responding to security incidents were not formally documented, a comprehensive data breach response policy was not established, or a complete continuity plan was not documented and formally tested. Without prompt and appropriate responses to security incidents, violations could continue to occur and cause damage to an organization’s resources. Without a comprehensive data breach response policy, management may not be sufficiently equipped to respond quickly and effectively in the event of a breach, increasing the risk of potential harm to affected individuals.
- Establish and document an incident response plan that includes centrally tracking all security incidents.
- Formally document and adopt a comprehensive data breach response policy to promote an appropriate response in the event of a breach of protected student data.
- Develop a comprehensive continuity plan and formally assign responsibilities for development, implementation, and maintenance of the plan to appropriate personnel. Once established, ensure the plan is tested on a periodic basis.
Security Awareness Program – The audits found a lack of a formal security and privacy awareness training program. As education organizations implement more powerful information systems and become more reliant on electronic data, proactive security awareness programs become a priority. Uninformed users are a major threat to data security in education organizations. Without adequate training, users may not understand system security risks and their role in implementing related policies and controls to mitigate those risks.
- Establish a formal security and privacy awareness training program.
Vendor Controls – The audits found controls for monitoring vendors and contracts were not fully established. Processes did not exist to ensure software acquired or outsourced from information technology vendors complied with data security principles. In some cases, a written contract was not established with the vendor of a critical district system or the contract did not fully define expectations over securing and accessing district data. Without an effective process for monitoring and managing risk of software acquisition or outsourcing, and without a written contract that fully defines data security expectations, districts have less assurance that services meet current and future data privacy and security needs.
- Develop procedures to formally monitor information technology vendors to ensure the district’s data is properly protected and the vendor acts in accordance with contract terms and conditions.
- Establish a written contract and/or improve the existing contract with the vendor defining services provided and expectations over securing and accessing district data.
You may recall that State Auditor Nicole Galloway found similar problems with the state’s student information system (MOSIS), putting 1.5 million students’ social security and other PII at risk. That report was released in October of last year. As these reports are based on performance audits, as opposed to financial audits, no follow-ups have been done to see if any of the recommended measures have been put in place. The push, stemming from NCLB, to collect massive amounts of data makes this an ongoing concern.
Big data is the current driver of education reform. Pasi Sahlberg and Jonathan Hasak wrote in the Washington Post’s Answer Sheet, in “‘Big data’ was supposed to fix education. It didn’t. It’s time for ‘small data.’”:
Yet for all of these good intentions, there is now more data available than can reasonably be consumed and yet there has been no significant improvement in outcomes.
And it’s not just schools and states that are collecting data. Sahlberg and Hasak note:
“With the outpouring of data, international organizations continue to build regional and global data banks. Whether it’s the United Nations, the World Bank, the European Commission, or the Organization for Economic Cooperation and Development, today’s international reformers are collecting and handling more data about human development than before. (emphasis added) Beyond government agencies, there are global education and consulting enterprises like Pearson and McKinsey that see business opportunities in big data markets.”
Sadly, though we are collecting it, we are not using it well. Sahlberg and Hasak correctly identified the problem: “Big data, at best, only reveals correlations between variables in education, not causality.”
What we have is a lot of sensitive data collection being done by people who are not sufficiently sensitized to the risk in their actions, operating in a system with incomplete or missing procedures to ensure protection of that data, where the chances of the data ultimately being misused by the policymakers it was supposed to support are high. What could go wrong?