NYS Comptroller releases two more school district IT audits
By now, regular readers may wonder why I continue to post IT audits of New York school districts when the results have generally been so poor. Where’s the good news, you wonder?
There really has been none or extremely little. Which is exactly why I will continue to post these — until people wake up and start yelling at their school boards to do a better job of protecting student data and student privacy — and that necessarily includes IT.
Let’s start with the summary of the DeRuyter Central School District:, which was conducted to determine whether District officials ensured students’ personal, private and sensitive information (PPSI) was adequately protected from unauthorized access, use and loss.
District officials did not:
- Limit or monitor employees’ personal Internet browsing and their use of social media on District computers.
- Provide IT security awareness training to employees.
- Restrict user permissions to the network and the student information system software application (SIS) based on job duties.
- Disable unneeded network and local user accounts.
Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.
- Review and update the acceptable computer use policy and monitor employees’ personal Internet browsing and use of social media.
- Provide formal IT security awareness training to employees.
- Evaluate network and SIS user permissions to ensure users only have the permissions needed for their job duties and disable any unneeded user accounts.
District officials generally agreed with our recommendations and indicated they planned to initiate corrective action.
You can access the full report here.
Now let’s look at the audit of Roosevelt Union Free School District, which was conducted to determine whether District officials established adequate controls to help prevent and properly respond to a malicious attack of the District’s Information Technology (IT) system. From their summary:
- The Board did not appoint a Chief Information Officer responsible for all IT matters.
- The Board did not adopt a disaster recovery plan.
- The District’s IT Department did not provide employees and officials with IT security awareness training.
- Consider appointing a Chief Information Officer to be responsible for ensuring computerized data is secure, identifying and recommending technology solutions to the Board, ensuring IT users are appropriately trained and supervising IT Department staff.
- Adopt a disaster recovery plan.
- Ensure that computer users receive IT security awareness training and follow up training when District IT policies are updated.
- District officials disagreed with certain findings in our report. Our comments on issues raised in the District’s response are included in Appendix B.
You can access the full report here. Not all of the state’s recommendations are listed in the bulleted list above, so you may want to really read the whole report.