State K-12 Cybersecurity Audit Finds Missouri District Unprepared
By guest blogger Leo Doran.
Amid data breaches, cyberattacks that have affected statewide tests, and loud calls for legislation to protect student data, a Missouri state auditor has initiated a review of the cybersecurity measures in place at a sampling of five districts across the state.
The first of those reviews, known as Cyber Aware Schools Audits, which focused on the 1,500-student Boonville R-1 district, was released late last month. Nicole Galloway, the Missouri state auditor, said that while she gave the district credit for their full cooperation with her office, there were some significant "areas of concern."
Specifically, the auditor's report found that the district lacked a data governance plan, a dedicated IT security administrator, procedures for preventing simultaneous logins and password changes, a security awareness program for its staff, adequate monitoring of the practices of its vendors, and a written plan of action for how the district would handle a major data breach or crippling cyberattack.
"It is a very comprehensive report," said Doug Levin, the president of EdTech Strategies LLC, a consulting group. "Clearly the auditor has developed a framework for best practices."
While Levin applauded the interest taken by the state auditor, he argued that in a perfect world state departments of education would be doing much more to come up with rules for K-12 systems' data security, and enforcing them, up front.
Part of the challenge, said Levin, citing a recent report by the U.S. Department of Education, is that nearly half of districts nationally don't have a full-time IT specialist on staff, and those that do typically face budget constraints. Another audit of local districts in Wyoming found similar flaws in district data management to those in Missouri.
Some national groups have stepped in to try to develop resources to help schools develop effective student data-privacy policies, such as CoSN's Trusted Learning Environment Seal, and Common Sense Media's guidelines for schools to test vendors' security practices. But many privacy advocates are convinced that more comprehensive and sustained efforts at the state and local level are needed.
In Missouri, Galloway says that the decision to audit five of the state's districts was inspired in part by a review of the student data practices by the state's education department. That audit found that state officials were gathering student social security numbers despite not needing them, and that they were also underprepared to address a major data breach.
In an interview, Kevin Carpenter, the Boonville official in charge of the district's technology, said he sees value in the state audit and that a critical report like the one his district received can spur a district to take the steps it needs to make its systems more secure.
Among the many changes Galloway's office suggested: The district was urged to formally appoint a security administrator, to periodically review the distribution of privileges on digital accounts, to train its staff in cybersecurity, and to install a better system of vendor monitoring.
Carpenter suggested that some districts might need additional prodding to overcome resistance from fellow K-12 officials concerned about costs, or from staff annoyed at extra security measures.
"Sometimes making things more secure makes them less easy," Carpenter explained. He said he expects to address every issue raised in the report with new policies and procedures by the end of July.
Carpenter also emphasized that he had planned for the possibility of a cyberattack and put safeguards in place, but said many were not written or formalized, because his is a small office in a relatively small district.
The good news for the Boonville district, said Carpenter, is that the cost of addressing the concerns raised by the audit will not be significant. He plans to start by researching measures taken by other districts, then refining his district's data breach response and disaster continuity plan.
EdWeek recently published a special report on data privacy that included a story on how one district responded to a security breach, as well as articles on districts' purchases of cyber insurance, and their efforts to create professional development around data privacy.
In addition to districts making big changes in their privacy policies, K-12 officials can help secure data through more modest steps, Galloway said. Those steps include regularly changing passwords and training teachers on best practices for managing student data.