Auditor Galloway issues report on top school data security risks

Top 5 cybersecurity concerns identified in Cyber Aware School audits
October 13, 2016

Missouri State Auditor Nicole Galloway has released a list of the top five data security risks identified in Missouri schools. The concerns were identified through the Cyber Aware School audit initiative, which was designed to increase safeguards against unauthorized access to student records and information. This was accomplished by analyzing school data protection practices, identifying areas of concern and making recommendations to improve the security of information in public schools across the state.

"Missouri schools have access to a lot of information on students and their families, which means they have a responsibility to keep that information protected," Auditor Galloway said. "When I first announced the Cyber Aware School audit initiative, I hoped it would bring attention to critical data protection practices, and assist schools across the state as they worked toward securing weaknesses and increasing safeguards in their systems. Now that we've compiled the most common concerns, I believe this report can serve as a guiding tool for district leaders who want to take action to better protect student data, but until now, weren't sure where to start."

The report examines how well school districts complied with data security standards and best practices, and highlights the following five common data security areas of concern:

Data management program - Some districts had not fully established a comprehensive program or set of processes designed to help ensure sensitive data is formally managed, so that student data is available to those who need it while individual student privacy is maintained.

Account management - Policies and procedures for authorizing, reviewing and removing user access to systems and data were not fully established or documented, and employees and staff in some districts were allowed to share user accounts and passwords, or were not required to change their passwords on a regular basis.

Security precautions - Some districts did not have an individual appointed to serve as a security administrator or did not have a formal program for offering training or guidance to staff on important data security issues and risks.

Incident response planning - Some districts did not have a formal plan or guidelines in place to respond to a data breach or security incident, or to promptly resume business functions or computer processing after a disruptive incident.

Vendor contracts - In some cases, districts had entered into contracts with third-party vendors to provide technology services, but the contracts were not written in a way that provided information about, or assurances of, the cyber protections that would be applied to information accessible to the vendor. In some cases, districts did not have monitoring processes in place to ensure third-party vendors complied with district security requirements.

The list was compiled based on information in a summary report released today by the State Auditor's Office. The summary report is a compilation of audits completed as part of the Cyber Aware School audit initiative, and is available online here.

Since taking office, Auditor Galloway has made cybersecurity a priority across all components of government, including Missouri schools. The Cyber Aware School audits are part of an ongoing emphasis on data protection practices and keeping Missourians' information secure. Last fall, an audit of the Department of Elementary and Secondary Education found the department was unnecessarily transmitting and storing student social security numbers in its Missouri Student Information System (MOSIS), a practice the department has ended. The State Auditor's Office has also incorporated data security reviews into the standard audit process.

October is National Cybersecurity Awareness Month. National Cybersecurity Awareness Month was designed to engage and educate public and private sector partners with the goal of raising awareness about cybersecurity and increasing protections against cyber incidents.