DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

NYS Comptroller IT audit reports on public school districts reveals concerning lack of security

Posted on October 16, 2019 by Dissent

The NYS Comptroller’s Office released a number of IT audit reports for k-12 public school districts this month. Their findings will come as no surprise to regular readers of this site.

Belleville-Henderson Central School District: You can read the complete report here (pdf), although the state omitted sensitive details from the public report that it communicated confidentially to the district. The summary was as follows:

Audit Objective

Determine whether District officials ensured employees’ personal, private, and sensitive information (PPSI) was adequately protected from unauthorized access, use and loss.

Key Findings

  • District officials did not provide IT security awareness training to all employees.
  • District officials did not develop procedures for managing, limiting and monitoring user accounts and permissions and securing personal, private and sensitive information.
  • The District did not have a disaster recovery plan.

Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.

Key Recommendations

  • Provide periodic IT security awareness training to all employees who use IT resources.
  • Develop written procedures for managing access to the network and financial application.
  • Develop and adopt a disaster recovery plan.

District officials agreed with our recommendations and indicated they had already taken or planned to take corrective action.

Evans-Brant Central School District: You can read the whole report here (pdf), but once again, information was excluded from the public report that was provided to the district. Here’s the summary:

Audit Objective

Determine whether information technology (IT) assets are properly safeguarded, secured and accessed for appropriate District purposes.

Key Findings

  • District officials did not provide IT security awareness training for individuals who used District IT assets.
  • Personal Internet use was found on computers assigned to four employees who routinely accessed personal, private and sensitive information (PPSI).

In addition, sensitive IT control weaknesses were communicated confidentially to District officials.

Key Recommendations

  • Provide periodic IT security awareness training.
  • Provide adequate oversight of employee Internet use to ensure it complies with Board policies and regulations.

District officials agreed with our findings and recommendations and indicated they planned to initiate corrective action.

Charlotte Valley Central School District: You can read the full report here (pdf), but here’s the summary:

Audit Objective

Determine whether the Board and District officials ensured District information technology (IT) assets and computerized data were safeguarded.

Key Findings

  • The Board and District officials did not monitor computer use policies or adopt adequate IT security policies.
  • District officials did not develop procedures for managing, limiting and monitoring user accounts and permissions and securing personal, private and sensitive information (PPSI).
  • District officials did not provide IT security awareness training for District employees.

In addition, sensitive IT control weaknesses were communicated confidentially to District officials.

Key Recommendations

  • Adopt and monitor comprehensive IT security policies.
  • Develop comprehensive procedures for managing, limiting and monitoring user accounts and permissions and securing PPSI.
  • Provide periodic IT security awareness training to personnel who use IT resources.

District officials generally agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.

Poughkeepsie City School District: This one had more than one purpose. You can read the full report here (pdf), but here’s the summary:

Audit Objective
Determine whether the Board provided adequate oversight of extra-classroom activity (ECA) finances and properly safeguarded and secured the District’s information technology (IT) assets.

Key Findings

  • Student treasurers and faculty advisors did not maintain adequate supporting documentation for 25 deposits totaling $37,256.
  • The central treasurer did not prepare timely reports for the Board or the auditor.
  • IT assets valued at $11,397 were not included on the inventory list and could not be located.

Key Recommendations

  • Maintain documentation for all ECA receipts.
  • Ensure that the central treasurer reports to the Board and the auditor in a timely manner.
  • Develop written policy and procedures for controls over equipment donated and purchased.

District officials agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.


Related:

  • Qantas obtains injunction to prevent hacked data’s release
  • Ransomware attack disrupts Korea's largest guarantee insurer
  • Theft from Glasgow’s Queen Elizabeth University Hospital sparks probe
  • Global operation targets NoName057(16) pro-Russian cybercrime network in Operation Eastwood
  • More than 100 British government personnel exposed by Ministry of Defence data leak
  • New TeleMessage SGNL Flaw Is Actively Being Exploited by Attackers
Category: Commentaries and AnalysesEducation Sector

Post navigation

← California Amends Breach Notification Law
No Kremlin Link Found to Russian Hacker Awaiting Extradition in Israel; One of Top 100 Hackers in the World? →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Bitcoin holds steady as hackers drain over $40 million from CoinCDX, India’s top exchange
  • Government will ‘robustly defend’ compensation claims from Afghans put at risk by data breach
  • Authorities released free decryptor for Phobos and 8base ransomware
  • Singapore Facing ‘Serious’ Cyberattack by Espionage Group With Alleged China Ties
  • Missouri Adopts New Data Breach Notice Law
  • Qantas obtains injunction to prevent hacked data’s release
  • Ransomware attack disrupts Korea’s largest guarantee insurer
  • Theft from Glasgow’s Queen Elizabeth University Hospital sparks probe
  • Global operation targets NoName057(16) pro-Russian cybercrime network in Operation Eastwood
  • More than 100 British government personnel exposed by Ministry of Defence data leak

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Idaho agrees not to prosecute doctors for out-of-state abortion referrals
  • As companies race to add AI, terms of service changes are going to freak a lot of people out. Think twice before granting consent!
  • 𝐔𝐠𝐚𝐧𝐝𝐚 𝐨𝐫𝐝𝐞𝐫𝐬 𝐆𝐨𝐨𝐠𝐥𝐞 𝐭𝐨 𝐫𝐞𝐠𝐢𝐬𝐭𝐞𝐫 𝐚𝐬 𝐚 𝐝𝐚𝐭𝐚‑𝐜𝐨𝐧𝐭𝐫𝐨𝐥𝐥𝐞𝐫 𝐰𝐢𝐭𝐡𝐢𝐧 𝟑𝟎 𝐝𝐚𝐲𝐬 𝐚𝐟𝐭𝐞𝐫 𝐥𝐚𝐧𝐝𝐦𝐚𝐫𝐤 𝐩𝐫𝐢𝐯𝐚𝐜𝐲 𝐫𝐮𝐥𝐢𝐧𝐠.
  • Meta investors, Zuckerberg reach settlement to end $8 billion trial over Facebook privacy violations
  • ICE is gaining access to trove of Medicaid records, adding new peril for immigrants
  • Microsoft can’t protect French data from US government access
  • Texas Enacts Electronic Health Record Data Localization Law

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.