As I’ve done before, this post highlights the findings of a NYS Comptroller’s Office audit on information technology and data security. Previous audits posted on this blog have looked at public school districts and universities. This one involves a charter school – Eugenio Maria de Hostos Charter School in Rochester. The school was established in 2000 under SUNY authorization and provides kindergarten through eighth grade education. As of September 2012, the school had approximately 400 enrolled students and 90 employees. The audit covered the period July 1, 2011 – December 31, 2012 and looked at procurement and information technology. With respect to the latter, the audit found:
The Board did not adopt IT policies and procedures that address issues including breach notification, acceptable Internet and personal computer use, access rights, password security, back-up procedures, patch management, mobile device encryption and the physical security of IT components. In addition, the School did not have a comprehensive disaster recovery plan for resuming critical operations in the event of a system failure. As a result, the School’s IT data and components are at risk of loss or misuse.
[…]
We scanned the School’s servers and a select number of computers and identified one virus on a server and software programs on computers that may not have been used for School business. Additionally, without mobile device encryption or an information breach notification policy, in the event that private information is compromised, School officials and employees may not be prepared to notify affected individuals.
[…]
School officials have not adopted policies to ensure that user access rights are granted and modified appropriately or that passwords are periodically changed and complex. We found that the School has no procedures for activating, modifying or deactivating user access rights. The School’s domain server has six accounts with full administrative rights, including multiple accounts for the IT consultant. Furthermore, four of the six accounts are generically named, making it difficult to track who is making modifications as an administrator. The accountant also has full access to the School’s network. We also identified access rights still open for several employees that no longer work at the School. The combination of these problems could result in unauthorized access, manipulation, loss of data and the possibility of inappropriate use of School computers.
The audit report, available here (pdf), contained a number of recommendations for the charter school.
Obviously, this charter school is not the only school or educational entity in NYS with these types of problems. As Data Privacy Day 2014 approaches, parents and taxpayers would be well advised to see if their children’s school (district) has been recently audited for IT and data security as well as the training of personnel in privacy and security policies.