
As student data privacy continues its moment in the
spotlight, a darker reality often exists behind the scenes: one where school
districts treat information security, privacy and compliance as a reactive afterthought;
where data governance programs are not properly established or implemented; where
security controls are lacking; and where third-party vendors are not appropriately vetted for privacy assurances.
Despite this sounding like the makings of a bad after-school
special, this is happening in schools and districts all across the nation. Too
little is being done to protect student information, exposing our students and schools
to unnecessary risk.
Case in point…
The Missouri State Auditor recently conducted a
comprehensive analysis of a local school district to better understand their
position when it comes to protecting student information. What they discovered was
failure across the board.
The Boonville R-1 School District Student Data Governance
Audit was completed as part of the Cyber Aware School Audits Initiative and
designed to assess the effectiveness of privacy and security controls, with a
focus on identifying practices that improve the security of information school districts
have on students and their families.
The thorough audit was conducted in response to increasing
concern for protecting the security and privacy of information schools maintain
on students, coupled with the continued emergence of cyber threats.
Based on six core criteria, the audit was intended to evaluate:
1) the effectiveness of privacy plans and controls for safeguarding personally
identifiable information (PII); 2) the effectiveness of information security
controls for protecting the confidentiality, integrity, and availability of systems;
and 3) the effectiveness of compliance.
Listed below are the findings from the audit, the associated
risk for non-compliance, and recommendations for improvement provided by the
Missouri State Auditor’s office:
1. DATA GOVERNANCE
ASSESSMENT: The district has not
established a comprehensive data governance program and is therefore unable to
ensure PII is adequately protected and safe from unauthorized access, misuse,
or inadvertent disclosure.
RISK: Without a formal program, the district cannot ensure that PII is adequately
protected and safe from unauthorized access, misuse, or inadvertent disclosure.
RECOMMENDATION: The district should
establish and implement a formal data governance program encompassing the full
life cycle of data, from acquisition to use to disposal.
2. SECURITY CONTROLS
ASSESSMENT: The district has not
implemented necessary security controls, leaving technology assets, including
PII, at risk of inappropriate access, use and disclosure.
RISK: Without documented and approved policies and procedures, management lacks
assurance that security controls are appropriate and properly applied.
RECOMMENDATION: The district should
formally appoint a security administrator, ensure passwords are periodically
changed, establish access control policies and procedures, formally document
responsibility for physical protection of technology resources, and fully
document and periodically review security policies and procedures.
3. USER ACCOUNTS
ASSESSMENT: The district has not fully
established controls for creating and maintaining user accounts for accessing
system resources.
RISK: Without appropriate account access policies and procedures, users may be
granted inappropriate or unauthorized access, which can provide opportunities
for misuse or inappropriate disclosure of sensitive data.
RECOMMENDATION: The district should establish
and document formal policies and procedures, and periodically monitor user accounts
and user access to data to ensure rights remain appropriate.
4. INCIDENT RESPONSE & CONTINUITY PLANNING
ASSESSMENT: The district has not taken all
the necessary measures to protect data in the event of a breach or other disruptive
incident. It does not have a complete incident response plan, has not adopted a
formal data breach response policy, and has not fully documented and tested a
continuity plan.
RISK: Without comprehensive incident response and breach-related policies, management
may not be able to respond quickly and effectively. And without a tested and
functional continuity plan, management has limited assurance the organization’s
business functions and computer processing can be sustained.
RECOMMENDATION: The district should
establish and document an incident response plan, formally document and adopt a
comprehensive data breach response policy to promote an appropriate response
in the event of a breach, develop a continuity plan, formally assign
responsibilities, and run periodic tests of the plan.
5. SECURITY AWARENESS PROGRAM
ASSESSMENT: The district has not
established a formal security and privacy awareness training program.
RISK: Without adequate training, users may not understand system security risks and
their role in implementing related policies and controls to mitigate those
risks.
RECOMMENDATION: The district should
establish a formal security and privacy awareness training program, because those
with proper security and privacy awareness training and clear communication of
data and device use policies can become the first line of defense against
cybersecurity incidents.
6. VENDOR MONITORING
ASSESSMENT: The district has not
established a process for ensuring software acquired or outsourced from
information technology vendors complies with data security principles. Additionally,
the district is unable to locate a written contract with the vendor of one of
its key systems.
RISK: Without an effective process for monitoring and managing risk and software
acquisition or outsourcing, the district has less assurance in a vendor’s
ability to deliver services effectively, securely and reliably, and to ensure
that services meet current and future data privacy and security needs.
RECOMMENDATION: The district should develop
procedures to formally monitor what information technology vendors have access to, to ensure the district’s
data is properly protected and the vendor acts in accordance with contract
terms and conditions.
CONCLUSION
While this audit casts a negative light on a single
district, it illuminates the reality of what is really going on in schools and
districts across the nation, and it shows the unfortunate truth of how student
information is regularly exposed.
By establishing and implementing the proper plans and procedures,
schools and districts that proactively protect student privacy are better poised for success. In contrast, assuming it will take care of itself is a recipe for disaster.
As technology usage advances in schools, the increased risk of PII
being compromised and exposed is a real and ever-present danger. The need to protect information against cyber
threats and misuse is increasingly important, and school districts need to do more to
ensure student information is safe, private, secure and protected.
Note: After failing on all six counts, the Boonville R-1
School District has addressed its areas of weakness and has issued an action
response to remedy its shortcomings.