Missouri school districts need to tighten controls over student data and other information to help ensure they do not fall into the wrong hands for the wrong purpose, a state audit said Thursday.
Using information she gleaned earlier this year from audits on five districts, including Orchard Farm in St. Charles County, state Auditor Nicole Galloway said schools need to pay more attention to cybersecurity in several areas including who has access to the information and what needs to be done when a breach is discovered.
"Missouri schools have access to a lot of information on students and their families, which means they have a responsibility to keep that information protected," Galloway said. "When I first announced the Cyber Aware School audit initiative, I hoped it would bring attention to critical data protection practices, and assist schools across the state as they worked toward securing weaknesses and increasing safeguards in their systems.
“Now that we've compiled the most common concerns, I believe this report can serve as a guiding tool for district leaders who want to take action to better protect student data, but until now, weren't sure where to start.”
Galloway said the importance of keeping school information safe becomes more critical as more data are gathered and stored electronically.
“As connectivity of business activity increases and organizations become increasingly dependent on technology, including computerized systems and electronic data, no school district is exempt from cyber threats, vulnerabilities and privacy exposures,” the audit said.
“As a result, it is important to view information security and privacy as a business issue rather than strictly an information technology issue. Security threats, vulnerabilities and privacy exposures challenge every organization, creating data protection and privacy risks that must be understood, addressed and managed.”
The audit paid particular attention to what is known as personally identifiable information, or PII – data that could be traced back to individual students or others in a school district.
“Technology advances, combined with the increasing sophistication of individuals or groups with malicious intent, have increased the risk of PII being compromised and exposed,” the audit said. “Correspondingly, the number of reported security incidents involving PII in both the private and public sectors has increased dramatically in recent years.
“At the same time, school districts are increasingly reliant on technology and information sharing to interact with students and parents and to deliver essential educational services. As a result, the need to protect information, including PII, against cyber threats is increasingly important.”
Areas of concern
The audit urged more attention to several areas:
—Data controls. Without keeping a tighter rein on who has access to information, the report said, “there is less assurance the data management and protection procedures in place are effective in reducing data privacy and security risks due to unauthorized access or misuse of data.”
—User accounts. Districts need to make sure that information is available only to those who need to have it and that accounts are up to date.
“A district should have policies and procedures for authorizing, reviewing and removing user access to systems and data and document such authorizations and actions,” the audit said.
“User account access controls should limit access to only the individuals who need such access to perform their job, remove accounts no longer necessary, and include a review of user access rights periodically.”
—Security controls. The audit said that not only do passwords and access need to be closely monitored, but equipment such as computers and other technology also needs to be protected physically.
—Incident response and continuity planning. If a breach in security is discovered, districts need to know what to do next.
“Establishing and implementing an incident response plan, data breach response policy, and continuity plan outlining district policies and procedures for addressing potential incidents is an essential step in protecting the privacy of student data,” the audit said.
“Without a tested and functional continuity plan, management has limited assurance the organization's business functions and computer processing can be sustained during or promptly resumed after a disruptive incident.”
—Security awareness program. Everyone in a school district needs to be trained in the importance and the techniques of cybersecurity.
“Uninformed users are a major threat to data security in education organizations,” the audit said. “Technology solutions are not always the answer for preventing a security incident or a data breach.
“Establishing a district-wide security awareness training program is an effective way to make sure employees are aware of cyber threats so they will not make costly errors that could result in a security incident or data breach.”
—Vendor controls. Besides training employees, school districts need to ensure security with companies that supply equipment and information technology.
“Vendors should meet the same security requirements that the organization itself is required to meet when processing, storing, or transmitting information or operating information systems on behalf of an organization,” the report concluded.
“The responsibility for managing risks from the use of a vendor's information system services remains with district officials.”
Besides Orchard Farm, Galloway based her conclusions on audits of schools in Boonville, Waynesville, Cape Girardeau and Park Hill.
Follow Dale on Twitter: @dalesinger