DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

NYS Comptroller IT audit reports on public school districts reveals concerning lack of security

Posted on October 16, 2019 by Dissent

The NYS Comptroller’s Office released a number of IT audit reports for k-12 public school districts this month. Their findings will come as no surprise to regular readers of this site.

Belleville-Henderson Central School District: You can read the complete report here (pdf), although the state omitted sensitive details from the public report that it communicated confidentially to the district. The summary was as follows:

Audit Objective

Determine whether District officials ensured employees’ personal, private, and sensitive information (PPSI) was adequately protected from unauthorized access, use and loss.

Key Findings

  • District officials did not provide IT security awareness training to all employees.
  • District officials did not develop procedures for managing, limiting and monitoring user accounts and permissions and securing personal, private and sensitive information.
  • The District did not have a disaster recovery plan.

Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.

Key Recommendations

  • Provide periodic IT security awareness training to all employees who use IT resources.
  • Develop written procedures for managing access to the network and financial application.
  • Develop and adopt a disaster recovery plan.

District officials agreed with our recommendations and indicated they had already taken or planned to take corrective action.

Evans-Brant Central School District: You can read the whole report here (pdf), but once again, information was excluded from the public report that was provided to the district. Here’s the summary:

Audit Objective

Determine whether information technology (IT) assets are properly safeguarded, secured and accessed for appropriate District purposes.

Key Findings

  • District officials did not provide IT security awareness training for individuals who used District IT assets.
  • Personal Internet use was found on computers assigned to four employees who routinely accessed personal, private and sensitive information (PPSI).

In addition, sensitive IT control weaknesses were communicated confidentially to District officials.

Key Recommendations

  • Provide periodic IT security awareness training.
  • Provide adequate oversight of employee Internet use to ensure it complies with Board policies and regulations.

District officials agreed with our findings and recommendations and indicated they planned to initiate corrective action.

Charlotte Valley Central School District: You can read the full report here (pdf), but here’s the summary:

Audit Objective

Determine whether the Board and District officials ensured District information technology (IT) assets and computerized data were safeguarded.

Key Findings

  • The Board and District officials did not monitor computer use policies or adopt adequate IT security policies.
  • District officials did not develop procedures for managing, limiting and monitoring user accounts and permissions and securing personal, private and sensitive information (PPSI).
  • District officials did not provide IT security awareness training for District employees.

In addition, sensitive IT control weaknesses were communicated confidentially to District officials.

Key Recommendations

  • Adopt and monitor comprehensive IT security policies.
  • Develop comprehensive procedures for managing, limiting and monitoring user accounts and permissions and securing PPSI.
  • Provide periodic IT security awareness training to personnel who use IT resources.

District officials generally agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.

Poughkeepsie City School District: This one had more than one purpose. You can read the full report here (pdf), but here’s the summary:

Audit Objective
Determine whether the Board provided adequate oversight of extra-classroom activity (ECA) finances and properly safeguarded and secured the District’s information technology (IT) assets.

Key Findings

  • Student treasurers and faculty advisors did not maintain adequate supporting documentation for 25 deposits totaling $37,256.
  • The central treasurer did not prepare timely reports for the Board or the auditor.
  • IT assets valued at $11,397 were not included on the inventory list and could not be located.

Key Recommendations

  • Maintain documentation for all ECA receipts.
  • Ensure that the central treasurer reports to the Board and the auditor in a timely manner.
  • Develop written policy and procedures for controls over equipment donated and purchased.

District officials agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.

Category: Commentaries and AnalysesEducation Sector

Post navigation

← California Amends Breach Notification Law
No Kremlin Link Found to Russian Hacker Awaiting Extradition in Israel; One of Top 100 Hackers in the World? →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.