NY: Audit of Frontier Central School District finds inadequate security and policies for mobile devices

An audit of Frontier Central School District by the Office of the New York State Comptroller was released yesterday. The audit covered the period July 1, 2010 — August 22, 2013 and included audit of mobile device use and security.

As background: there are six schools in operation within the District, with approximately 5,100 students and 1,000 employees.  The District has approximately 1,450 mobile computing devices, including approximately 250 portable media devices, 500 tablets and 700 laptops. These devices are assigned to administrators, teachers, technology staff and students, and some are located on carts for student classroom use.

From the Executive Summary:

We also found that District officials did not establish adequate safeguards over mobile devices, and that District employees did not use mobile devices in accordance with the District’s acceptable-use policy. For example, on 23 of the District’s 40 mobile devices that we tested, we found indications of personal use such as personal photos, music files, non-District related applications, games, and browsing history related to travel, shopping, personal email, job search and other websites. We also found personal applications on 16 of the 33 portable media players and tablets that we tested. In addition, 26 of the 33 portable media players and tablets did not require a password or passcode prior to use.

We also found that 25 of the devices that we tested had minimal to no discernible use for District purposes and were used predominantly for personal use, or not at all. We interviewed 19 District employees who had been assigned these mobile devices. Of those employees, 10 had three or more mobile devices assigned to them and eight of the 10 stated that they received no training from the District on how to use them. Also, 15 employees stated that they did not request one or more of the mobile devices that the District assigned to them. As a result of these deficiencies there is an increased risk of unauthorized users gaining access to the District’s system and/or system disruptions which could result in the corruption, loss or compromise of the District’s critical data and confidential records.

Elsewhere in the report, they note:

The District does not require password protection on portable media devices or on tablets, allowing anyone to gain access to the information on the device if it is lost, stolen or inappropriately accessed by someone other than the authorized user. The District does not limit administrative access rights, on any device, to IT staff, allowing staff to download and install any program or application to their mobile devices. In fact, the District allows employees to use a personal user ID to download applications to portable media devices and tablets, leaving no way for the District to control what applications are downloaded. Finally, the District does not have any restrictions on these devices, such as disabling certain applications including the application store and music store, and other pre-installed applications.

You can access the full report here (pdf).

About the author: Dissent