NYS audit finds Holland Patent Central School District not adequately protecting PPSI
Another audit from the NYS Comptroller is worthy of note here. This one audited the Holland Patent Central School District for access to their student information system (SIS). The District operates four schools with approximately 1,500 students and 300 employees. This audit covered the period of July 1, 2015 – July 31, 2016.
According to the state, the SIS is the district’s electronic system that is used to track students’ grades (entered by District personnel), generate student report cards and maintain student permanent records (i.e., transcripts). The SIS also contains other personal, private and sensitive information (PPSI)1 about students, including their student identification numbers and medical, order of protection and custody information. The SIS audit log also contains PPSI including medical information, dates of birth and home addresses. Because District officials are responsible for preserving the confidentiality and integrity of this information, “access to the SIS audit log should be restricted to those who need it to perform their job duties.”
From their findings:
District officials granted unnecessary permissions for changing student grades, assuming accounts and identities, and viewing personal, private and sensitive information. As a result, 17 users had permissions to change grades even though they were not responsible for doing so. Because officials do not properly manage permissions or review the SIS audit logs to monitor for inappropriate activity, users could use their access for questionable activity.[…]
Two MORIC technicians who support the SIS servers but not the system itself can view the SIS audit log even though they do not need it to perform their job duties. Because the SIS does not generally create records in the audit log when users view information, we could not determine whether PPSI has been accessed inappropriately. Because officials would also be unable to use this log to detect unauthorized or inappropriate access to PPSI in the SIS, it is especially important to limit access to those who need to view this information to perform their job duties.
You can access the full report with its recommendations here (pdf).