DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Two recent NYS audits of k-12 districts’ information technology security

Posted on July 5, 2024 by Dissent

The NYS Comptroller’s Office recently released more audits of school districts. Here are two of them:

Whitney Point Central School District – Information Technology (IT) (Broome County)

Audit Period

July 1, 2021 – February 24, 2023.
We extended our audit period to August 31, 2023 to review backup restoration results and November 16, 2023 to review updates to certain user accounts.

Audit Objective

Determine whether Whitney Point Central School District (District) officials adequately managed nonstudent network user accounts and developed and adopted a comprehensive information technology (IT) contingency plan.

Key Findings

District officials did not adequately manage nonstudent network user accounts, which are network user accounts not specifically assigned to a student (e.g., authorized staff, third-party vendors and shared accounts). Officials also did not adopt an IT contingency plan and were unaware of all the network users that had access to the District’s network. When nonstudent network user accounts are not adequately managed and an IT contingency plan is not adopted, the District has an increased risk that it could suffer a serious interruption to operations due to the risk to the network and potential inability to communicate during a disruption.

In addition to sensitive IT control weaknesses that we confidentially communicated to officials, District officials did not disable 19 nonstudent network user accounts (4 percent) that were not needed and/or used in more than five years. All of these user accounts were subsequently deleted during our audit fieldwork.

Key Recommendations

  • Develop written procedures for managing nonstudent network user accounts that include periodically reviewing user access and disabling unneeded and/or unused accounts.
  • Adopt a comprehensive IT contingency plan, update the plan as needed and distribute it to all responsible parties.

District officials generally agreed with our recommendations and have indicated they planned to initiate corrective action. Appendix B includes our comment on an issue that was raised in the District’s response letter.

Read the complete report (pdf).


Charter School of Educational Excellence – Information Technology

Audit Period

July 1, 2021 – May 24, 2023

Audit Objective

Determine whether the Charter School of Educational Excellence (School) Board of Trustees (Board) and officials secured student data to help protect it from unauthorized access and developed and adopted a comprehensive information technology (IT) contingency plan.

Key Findings

The Board and officials did not adequately secure student data to help protect it from unauthorized access or develop an IT contingency plan. As a result, there was an increased risk of unauthorized access to student personal, private and sensitive information (PPSI) and personally identifiable information (PII), and that the School could suffer a serious interruption to operations since its ability to communicate during a disruption or disaster could affect the timely processing of its business functions. In addition to sensitive IT control weaknesses which we communicated confidentially to School officials, we found:

  • School employees did not have guidance on how to properly identify and secure sensitive student data.
  • Three out of six tested users of the cloud-based application used for School operations stored sensitive student data without adequate protection, and 12 of the 125 users of the cloud-based Student Information System (SIS) had excessive or unnecessary access to view and modify sensitive student data.

Key Recommendations

  • Review, revise (if necessary), adopt and communicate the data classification policy to employees.
  • Ensure all access to sensitive student data is based on needs and job responsibilities.
  • Develop a written IT contingency plan.

School officials agreed with our recommendations and have initiated, or indicated they planned to initiate, corrective action.

Read the complete report (pdf)

Related posts:

  • Audits of New York schools and the State Education Department reveal ongoing significant concerns
  • Recent NYS audits of K-12 school districts’ infosecurity
  • Kept in the Dark — Meet the Hired Guns Who Make Sure School Cyberattacks Stay Hidden
  • New York State School District Audits Released in June
Category: Commentaries and AnalysesEducation SectorU.S.

Post navigation

← Louisiana Special School District ransomware attack possibly compromised workers’ personal information
Ransomware group who hit Indonesian government apologizes, hands over encryption key →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.