DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

NYS Comptroller releases two more school district IT audits

Posted on December 20, 2019 by Dissent

By now, regular readers may wonder why I continue to post IT audits of New York school districts when the results have generally been so poor.  Where’s the good news, you wonder?

There really has been none or extremely little.  Which is exactly why I will continue to post these — until people wake up and start yelling at their school boards to do a better job of protecting student data and student privacy — and that necessarily includes IT.

Let’s start with the summary of the DeRuyter Central School District:, which was conducted to determine whether District officials ensured students’ personal, private and sensitive information (PPSI) was adequately protected from unauthorized access, use and loss.

Key Findings

District officials did not:

  • Limit or monitor employees’ personal Internet browsing and their use of social media on District computers.
  • Provide IT security awareness training to employees.
  • Restrict user permissions to the network and the student information system software application (SIS) based on job duties.
  • Disable unneeded network and local user accounts.

Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.

Key Recommendations

  • Review and update the acceptable computer use policy and monitor employees’ personal Internet browsing and use of social media.
  • Provide formal IT security awareness training to employees.
  • Evaluate network and SIS user permissions to ensure users only have the permissions needed for their job duties and disable any unneeded user accounts.

District officials generally agreed with our recommendations and indicated they planned to initiate corrective action.

You can access the full report here.

Now let’s look at the audit of Roosevelt Union Free School District, which was conducted to determine whether District officials established adequate controls to help prevent and properly respond to a malicious attack of the District’s Information Technology (IT) system. From their summary:

Key Findings

  • The Board did not appoint a Chief Information Officer responsible for all IT matters.
  • The Board did not adopt a disaster recovery plan.
  • The District’s IT Department did not provide employees and officials with IT security awareness training.

Key Recommendations

  • Consider appointing a Chief Information Officer to be responsible for ensuring computerized data is secure, identifying and recommending technology solutions to the Board, ensuring IT users are appropriately trained and supervising IT Department staff.
  • Adopt a disaster recovery plan.
  • Ensure that computer users receive IT security awareness training and follow up training when District IT policies are updated.
  • District officials disagreed with certain findings in our report. Our comments on issues raised in the District’s response are included in Appendix B.

You can access the full report here. Not all of the state’s recommendations are listed in the bulleted list above, so you may want to really read the whole report.

Related posts:

  • Kept in the Dark — Meet the Hired Guns Who Make Sure School Cyberattacks Stay Hidden
  • Audits of New York schools and the State Education Department reveal ongoing significant concerns
  • Recent NYS audits of K-12 school districts’ infosecurity
Category: Commentaries and AnalysesEducation Sector

Post navigation

← Over 267 million Facebook users had their names, phone numbers, and profiles exposed thanks to a public database, researcher says
Fashion rental company HURR Collective exposed user information through misconfigured plugin →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hunters International to provide free decryptors for all victims as they shut down (1)
  • SEC and SolarWinds Seek Settlement in Securities Fraud Case
  • Cyberattacks Disrupt Iran’s Bread Distribution, Payments Remain Frozen
  • Hacker with ‘political agenda’ stole data from Columbia, university says
  • Keymous+ Hacker Group Claims Responsibility for Over 700 Global DDoS Attacks
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • DOJ investigates ex-ransomware negotiator over extortion kickbacks
  • Hackers Using PDFs to Impersonate Microsoft, DocuSign, and More in Callback Phishing Campaigns
  • One in Five Law Firms Hit by Cyberattacks Over Past 12 Months
  • U.S. Sanctions Russian Bulletproof Hosting Provider for Supporting Cybercriminals Behind Ransomware

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Record-Breaking $1.55M CCPA Settlement Against Health Information Website Publisher
  • Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
  • US healthcare offshoring: Navigating patient data privacy laws and regulations
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • Google Trackers: What You Can Actually Escape And What You Can’t
  • Oregon Amends Its Comprehensive Privacy Statute
  • Wisconsin Supreme Court’s Liberal Majority Strikes Down 176-Year-Old Abortion Ban

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.