From the Office of the New York State Comptroller, this follow-up report on the New York State Education Department shows ongoing concerns that have not been addressed at all or only addressed partially:
Issued: November 13, 2018
Link to full audit report 2018-F-17
To determine the extent of implementation of the two recommendations included in our initial audit report, Security Over Critical Information Systems (Report 2016-S-69).
Our initial audit report, which was issued on July 19, 2017, determined whether the security controls over critical State Education Department (Department) information systems were sufficient to minimize the various risks associated with unauthorized access to these systems and their associated data. The audit covered the period September 29, 2016 through March 30, 2017. We determined that, although the Department had taken a number of steps to secure its critical information systems and associated data, there was still a risk that unauthorized persons could access these systems. We found the Department had not taken fundamental steps to secure its critical systems, such as completing a full data classification process, adopting adequate information security policies and procedures, and improving certain technical controls over its critical systems.
- Department officials have not made significant progress in correcting the problems we identified in the initial report. Of the two recommendations, one has been partially implemented and one has not been implemented.
- Officials are given 30 days after the issuance of the follow-up review to provide information on any actions that are planned to address the unresolved issues discussed in this review.
Other Related Audit/Report of Interest
State Education Department: Security Over Critical Information Systems (2016-S-69)