YELLOW SHEET

Office of the State Auditor of Missouri
Claire McCaskill

Report No. 2006-30

May 2006

Confidential Student Data is Vulnerable to Unauthorized Disclosure and Use.

This audit reviewed the security controls, policies and procedures used by the Department of Higher Education (DHE) and the Information Technology Services Division (ITSD) to ensure the confidentiality, integrity and availability of student records maintained in the Financial Assistance for Missouri Undergraduate Students (FAMOUS) system.

No assessment of operating risks

DHE and ITSD officials had not conducted an assessment of the risks of operating the FAMOUS system. Accepted standards state a risk assessment helps identify potential threats and vulnerabilities, the resulting impact, and the appropriate controls needed to reduce the impact and achieve and maintain an acceptable level of risk.  (See page 4)
Missing security features leave student data and system at risk

DHE and ITSD officials implemented the FAMOUS system without many commonly accepted security features. The basic security features in FAMOUS consist of access rights granted to user IDs and the use of passwords to authenticate IDs. However, common security features (such as a requirement to change passwords on a scheduled basis, the capability for users to change passwords themselves, and a system-required minimum password length) required by accepted standards are not yet available to help safeguard FAMOUS. An ITSD official said DHE and ITSD staff are working on implementing additional software to manage system security which should be in place by the start of the 2006/2007 school year.  (See page 5)
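The three controls the report names (scheduled password changes, self-service password change, and a system-enforced minimum length) are simple to implement in the authentication path itself. The following is an added illustration written for this page, not code from FAMOUS, DHE or ITSD; the minimum length of 8 and the 90-day rotation interval are assumed values, since the report does not specify them, and the student account is constructed sample data.

```python
"""Password-policy enforcement in an authentication layer (illustrative, not FAMOUS code).

Demonstrates the three controls the audit found missing:
  1. system-enforced minimum password length,
  2. scheduled rotation (a login with an over-age password is flagged as expired),
  3. self-service password change that requires the current password.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date, timedelta

MIN_PASSWORD_LENGTH = 8      # assumed value; the report states no specific length
MAX_PASSWORD_AGE_DAYS = 90   # assumed rotation interval; the report states none
PBKDF2_ITERATIONS = 100_000


class PolicyError(ValueError):
    """Raised when a requested password violates the policy."""


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    last_changed: date


def _derive(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked store cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class UserStore:
    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    @staticmethod
    def _check_length(password: str) -> None:
        if len(password) < MIN_PASSWORD_LENGTH:
            raise PolicyError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")

    @staticmethod
    def _verify(acct: Account, password: str) -> bool:
        # Constant-time comparison of digests.
        return hmac.compare_digest(_derive(password, acct.salt), acct.digest)

    def create(self, user_id: str, password: str, today: date) -> None:
        self._check_length(password)
        salt = os.urandom(16)
        self._accounts[user_id] = Account(user_id, salt, _derive(password, salt), today)

    def authenticate(self, user_id: str, password: str, today: date) -> str:
        """Return 'denied', 'expired' (valid but rotation overdue) or 'ok'."""
        acct = self._accounts.get(user_id)
        if acct is None or not self._verify(acct, password):
            return "denied"
        if today - acct.last_changed > timedelta(days=MAX_PASSWORD_AGE_DAYS):
            return "expired"  # caller should force a password change before granting access
        return "ok"

    def change_password(self, user_id: str, old_password: str, new_password: str, today: date) -> None:
        """Self-service change: proves possession of the current password, enforces length, resets the age clock."""
        acct = self._accounts.get(user_id)
        if acct is None or not self._verify(acct, old_password):
            raise PolicyError("current password incorrect")
        self._check_length(new_password)
        if self._verify(acct, new_password):
            raise PolicyError("new password must differ from the current one")
        acct.salt = os.urandom(16)
        acct.digest = _derive(new_password, acct.salt)
        acct.last_changed = today


def run_scenario() -> dict[str, object]:
    """Exercise each control against a constructed sample account."""
    store = UserStore()
    day0 = date(2006, 8, 1)           # constructed date, start of the school year
    stale = day0 + timedelta(days=MAX_PASSWORD_AGE_DAYS + 1)
    results: dict[str, object] = {}
    try:
        store.create("student01", "short1", day0)      # 6 characters: below the minimum
        results["short_rejected"] = False
    except PolicyError:
        results["short_rejected"] = True
    store.create("student01", "Initial-Pass-2006", day0)
    results["login_ok"] = store.authenticate("student01", "Initial-Pass-2006", day0)
    results["login_bad"] = store.authenticate("student01", "guess", day0)
    results["login_stale"] = store.authenticate("student01", "Initial-Pass-2006", stale)
    store.change_password("student01", "Initial-Pass-2006", "Renewed-Pass-2007", stale)
    results["login_after_change"] = store.authenticate("student01", "Renewed-Pass-2007", stale)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The date is passed in explicitly so the rotation check can be tested without waiting; in production it would be `date.today()`. Returning "expired" rather than "denied" lets the application distinguish a stale credential that must be changed from a failed login.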

Documented policies needed to ensure security of operations

DHE has developed procedures for operating the FAMOUS system but has not yet formally documented essential procedures and associated policies for these operational security controls. Formalizing operational practices and procedures with sufficient detail helps to eliminate security lapses and oversights, gives new personnel sufficiently detailed instructions, and provides a quality assurance function to help ensure operations will be performed correctly and efficiently, according to accepted standards.  (See page 6)

Missouri State Auditor's Office
moaudit@auditor.mo.gov