In May, the NYS Comptroller’s Office released an audit conducted to determine if the New York State Education Department (SED) consistently follows all laws and regulations regarding the safety and privacy of students’ data, and whether SED is properly monitoring school districts to ensure they are complying with the legislation and regulations that govern data privacy and security.
The audit of the SED covered the period from March 2020 through November 2022, and the key findings from that audit were:
- The Department did not provide adequate oversight of school districts’ compliance with the notification requirements for data incidents.
- The Department did not provide sufficient oversight of school districts’ compliance with other key requirements of Part 121.
- The Department has not completed a data classification for all the types of information it manages, processes, or stores, some of which contain student PII.
- We identified weaknesses in technical controls that need to be corrected to ensure the selected Department and school district information systems and their associated data are not at risk.
So to put it less diplomatically, districts weren’t in compliance and the state wasn’t really providing the needed oversight of certain requirements.
That was an audit of the SED. There was also an audit of the Office of Information Technology Services released in May 2023 that attempted to determine whether the Office of Information Technology Services has security controls in place to ensure appropriate management and monitoring of its Active Directory environment. The audit covered the period from January 2021 through March 2023. From the summary of key findings:
Generally, we determined ITS did not have certain security controls in place according to several ITS policies and standards to ensure appropriate management and monitoring of its Active Directory environment. Due to the confidential nature of our audit findings, we communicated the details of these findings with six recommendations in a separate, confidential report to ITS officials for their review and comment.
Now let’s take a few minutes to get caught up with audits of the school districts themselves. The following are snippets from audits released by Comptroller DiNapoli’s office in 2023 that looked at data security, ITsec, and/or privacy of student data:
Montauk Union Free School District – January 2023. “Since 2013-14, external auditors have annually recommended that the District develop an IT contingency plan. However, the District never developed the plan and could not provide a reasonable explanation for failing to do so.”
Young Women’s College Prep Charter School of Rochester – January 2023. “School officials did not ensure that network and financial software access controls were adequate. As a result, data and personal, private and sensitive information (PPSI) are at greater risk for unauthorized access, misuse or loss.”
Orange Ulster Board of Cooperative Educational Services – January 2023. “BOCES officials did not establish adequate internal controls over network user accounts to help prevent unauthorized use, access and loss.”
Discovery Charter School – February 2023. “School officials did not ensure that network and financial software access controls were adequate. As a result, data and personal, private and sensitive information (PPSI) are at greater risk for unauthorized access, misuse, or loss.”
Eastchester Union Free School District – March 2023. “District officials did not establish adequate controls over user accounts to help prevent unauthorized use, access and loss nor did they establish an adequate IT contingency plan.” As one finding for the audit period between June 2020 and August 2021, the auditors found “unneeded network user accounts, including 181 for students no longer in the District. These students left the District between June 2020 and August 2021.”
Oceanside Union Free School District – March 2023. “Six of 40 employees used District computers to access websites, such as shopping, entertainment, personal email, online gaming and social networking, in violation of the District’s AUP. Internet browsing increases the likelihood that users will be exposed to malicious software that may compromise data confidentiality, integrity or availability.”
Bayport-Blue Point Union Free School District – April 2023. “District officials did not establish adequate network controls for nonstudent user accounts to help prevent unauthorized access. As a result, the District has an increased risk of unauthorized access to and use of the District network and potential loss of important data.”
North Salem Central School District – June 2023.”District officials did not ensure network user accounts were adequately managed…. District officials should have ensured IT staff disabled 181 unneeded network user accounts. Seven of these users left the District between 2011 and 2019.”
Hilton Central School District – June 2023. “In addition to sensitive network access control weaknesses that we confidentially communicated to officials, we found that… The District had 230 unneeded enabled network user accounts, including those for former students, former employees and others who were no longer providing services to the District.”
Amherst Central School District – June 2023. “District officials did not adequately secure user account access to the network or properly manage user accounts and permissions in financial and student information applications….. As many as 1,570 accounts were unneeded but were not disabled… Four accounts had unnecessary network administrative access.”
East Williston Union Free School District – June 2023. For the audit period ending January 11, 2022, the auditors found “District officials did not adequately manage and monitor nonstudent network user accounts to help prevent unauthorized use, access and loss…. 222 of the enabled nonstudent network user accounts (32 percent) were not needed or disabled. Most of these accounts should have been disabled in February 2021.”
Chenango Valley Central School District – June 2023. “In addition to finding sensitive IT control weaknesses, which we communicated confidentially to officials, we found that sixty-eight, or 12 percent, of the District’s nonstudent network user accounts were no longer needed.”
West Hempstead Union Free School District – July 2023. “District officials did not establish adequate controls over nonstudent network user accounts to help prevent unauthorized use, access and loss. Officials did not disable 60 of the District’s enabled nonstudent network accounts (11 percent) that were not needed. Twenty-two of these accounts (37 percent) have not been used in more than five years, with the oldest being last used more than 10 years ago.”
Ulster Board of Cooperative Educational Services – August 2023. “BOCES officials did not adequately manage and monitor network user accounts to help prevent unauthorized use, access, or loss…. Officials did not disable 17 unneeded network user accounts, including seven former employee accounts and 10 accounts not used by active employees, that had last log on dates ranging from November 2016 to December 2021. Officials did not review and disable 76 potentially unneeded user accounts, including 34 shared accounts, 31 service accounts, eight vendor accounts and three service accounts.”
Hicksville Union Free School District – September 2023. “District officials did not properly manage network user account controls to help maintain continuity of business office operations and prevent unauthorized computer use, access and loss. Officials also did not establish written procedures for granting, verifying, changing and disabling network user account access, including business office network user account access.”
Kiryas Joel Village Union Free School District – September 2023. “District officials did not adequately secure user account access to the network and shared network folders to help safeguard PPSI…. Officials did not disable 35 unnecessary former employee, shared and service network user accounts which account for 11 percent of the District’s enabled accounts. The majority of these accounts belonged to former employees and were last used to log into the network between June 2015 and August 2022. They also did not adequately secure shared network folder access, resulting in users having unnecessary access to multiple forms of PPSI in eight shared folders.”
DataBreaches first started covering audits of the NY State Education Department and school districts in 2010. The results were dismal then, and they continue to be dismal. There is no need to wonder why school districts are the victims of so many cyberattacks when they are sitting ducks without adequate resources and expertise to properly secure personal and sensitive data of employees and students, and the state isn’t all over them to get them into compliance.
It is September of 2023 and there has been no NYS comptroller’s audit of the NYC Education Department IT security since… 2004? And if you look at the NYC Comptroller’s Office to see their audits in the education, guess what you won’t find there, either?
There has been increasing awareness of the need to monitor vendors and other security issues affecting the privacy and security of student (and employee data), but where are the serious audits of the city’s infosecurity programs and controls? When will those audits be conducted and released? And when will SED really ensure that districts comply with privacy and security laws and regulations?