Tuesday, March 29, 2016
Cybersecurity audit of Boonville School District raises concerns
Missouri State Auditor Nicole Galloway today released the first in a series of cybersecurity audits of school districts in Missouri. The audit of the Boonville School District in Cooper County raised concerns with the district's data protection practices, and includes recommendations to improve the security of student information and records.
"Schools must protect sensitive information, because if that data is compromised, there can be long-lasting and devastating financial and personal effects," Auditor Galloway said. "As a mother, I certainly don't want my children's health information or school records to end up in the wrong hands, and I know parents across Missouri feel the same way. Our auditors have completed the review of Boonville School District, and I am encouraged by the district administration's positive response and commitment to making critical changes that will better protect this information."
The audit found the district did not have an appointed security administrator, and had not properly secured sensitive technology hardware to prevent data theft or access by unauthorized users. The audit also identified concerns with a number of basic data security controls, including password change requirements, staff access to a computerized system, and monitoring of security logs to identify and address cyber threats for investigation.
Auditors recommended the district establish a data breach response policy, which could be immediately activated in the event of a cybersecurity threat or breach event. The audit also recommends the district implement a security awareness training program for district staff.
The Boonville School District in Cooper County was the first of five school districts selected for an initial round of Cyber Aware School Audits. Additional audits are in progress or planned for the following districts:
Cape Girardeau School District, Cape Girardeau County
Orchard Farm School District, St. Charles County
Park Hill School District, Platte County
Waynesville School District, Pulaski County
"My office has engaged in a collaborative process with the school districts involved in the Cyber Aware School Audits, " Auditor Galloway said. "Cybersecurity is not a status that can be achieved; It's an ongoing process, and my office will continue to work toward efforts to improve cybersecurity awareness and protections across Missouri.
Since taking office, Auditor Galloway has made cybersecurity a priority across all components of government, including Missouri schools. The Cyber Aware School Audits are part of an ongoing emphasis on data protection practices and keeping Missourians' information secure. Last fall, an audit of the Department of Elementary and Secondary Education found the department was unnecessarily transmitting and storing student social security numbers in its Missouri Student Information System (MOSIS)- a practice the department has ended. The State Auditor's Office has also incorporated data security into the standard audit process.
The complete audit report is available online here.