DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Two recent NYS audits of k-12 districts’ information technology security

Posted on July 5, 2024 by Dissent

The NYS Comptroller’s Office recently released more audits of school districts. Here are two of them:

Whitney Point Central School District – Information Technology (IT) (Broome County)

Audit Period

July 1, 2021 – February 24, 2023.
We extended our audit period to August 31, 2023 to review backup restoration results and November 16, 2023 to review updates to certain user accounts.

Audit Objective

Determine whether Whitney Point Central School District (District) officials adequately managed nonstudent network user accounts and developed and adopted a comprehensive information technology (IT) contingency plan.

Key Findings

District officials did not adequately manage nonstudent network user accounts, which are network user accounts not specifically assigned to a student (e.g., authorized staff, third-party vendors and shared accounts). Officials also did not adopt an IT contingency plan and were unaware of all the network users that had access to the District’s network. When nonstudent network user accounts are not adequately managed and an IT contingency plan is not adopted, the District has an increased risk that it could suffer a serious interruption to operations due to the risk to the network and potential inability to communicate during a disruption.

In addition to sensitive IT control weaknesses that we confidentially communicated to officials, District officials did not disable 19 nonstudent network user accounts (4 percent) that were not needed and/or used in more than five years. All of these user accounts were subsequently deleted during our audit fieldwork.

Key Recommendations

  • Develop written procedures for managing nonstudent network user accounts that include periodically reviewing user access and disabling unneeded and/or unused accounts.
  • Adopt a comprehensive IT contingency plan, update the plan as needed and distribute it to all responsible parties.

District officials generally agreed with our recommendations and have indicated they planned to initiate corrective action. Appendix B includes our comment on an issue that was raised in the District’s response letter.

Read the complete report (pdf).


Charter School of Educational Excellence – Information Technology

Audit Period

July 1, 2021 – May 24, 2023

Audit Objective

Determine whether the Charter School of Educational Excellence (School) Board of Trustees (Board) and officials secured student data to help protect it from unauthorized access and developed and adopted a comprehensive information technology (IT) contingency plan.

Key Findings

The Board and officials did not adequately secure student data to help protect it from unauthorized access or develop an IT contingency plan. As a result, there was an increased risk of unauthorized access to student personal, private and sensitive information (PPSI) and personally identifiable information (PII), and that the School could suffer a serious interruption to operations since its ability to communicate during a disruption or disaster could affect the timely processing of its business functions. In addition to sensitive IT control weaknesses which we communicated confidentially to School officials, we found:

  • School employees did not have guidance on how to properly identify and secure sensitive student data.
  • Three out of six tested users of the cloud-based application used for School operations stored sensitive student data without adequate protection, and 12 of the 125 users of the cloud-based Student Information System (SIS) had excessive or unnecessary access to view and modify sensitive student data.

Key Recommendations

  • Review, revise (if necessary), adopt and communicate the data classification policy to employees.
  • Ensure all access to sensitive student data is based on needs and job responsibilities.
  • Develop a written IT contingency plan.

School officials agreed with our recommendations and have initiated, or indicated they planned to initiate, corrective action.

Read the complete report (pdf)

Category: Commentaries and AnalysesEducation SectorU.S.

Post navigation

← Louisiana Special School District ransomware attack possibly compromised workers’ personal information
Ransomware group who hit Indonesian government apologizes, hands over encryption key →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.