ALBANY — In an audit report released Tuesday by the state comptroller’s office, Indian River Central School and Lowville Academy and Central School were two of six state schools identified for inappropriate computer access to sensitive student data.
Employees were able to change student grades and attendance records without proper authorization, the audit said.
“Student academic and personal information must be protected by school districts,” state Comptroller Thomas P. DiNapoli said. “Each of the districts identified in this audit should take the simple and immediate steps necessary to improve their controls over personal, private and sensitive information. In the meantime, I have directed my audit division to expand the scope of this audit and begin examining school districts from every region of the state.”
School districts maintain and use students’ personal information for a variety of educational purposes. School districts use software applications, often referred to as Student Information Systems, to store and manage student data in a centralized database.
In the audit, Mr. DiNapoli wrote that “none of the districts had adopted written policies and procedures for adding users, establishing users’ access rights, deactivating or modifying user accounts and monitoring user access. Also, none of the districts had an effective process in place for adding and changing user rights.”
Indian River Central School District officials responded to the audit and wrote the “district is in agreement with the findings of the audit that pertain to Indian River. The district is in the process of developing and documenting interventions that address the recommendations detailed in the report. We have initiated collaboration to address specific recommendations contained in the report with the Regional Information Center (MORIC).”
Lowville Academy and Central School District officials said the district “takes all of the findings and recommendations seriously and will continue to strive to ensure that all of our procedures are in line with best practice protocol. While some discrepancies were identified, the Mohawk Regional Information Center has provided assistance and direction in resolving these discrepancies.”
For attendance records, Mr. DiNapoli said Indian River and Lowville both had improperly used the computer system to change information.
“We found that attendance records were changed 185 times at Indian River and 31 times at Lowville using a former employee’s user account,” Mr. DiNapoli wrote. “Officials told us that former employees’ usernames and passwords were shared with other employees so they could update the SIS after the employees left district employment. We also found that a generic user account was used to view a student’s Individualized Education Program (IEP) at Indian River. Officials do not know who accessed the IEP because the account was not assigned to a specific individual.”
Other school districts reviewed were Altmar-Parish-Williamstown Central, Madison Central, Poland Central and Westhill Central.
The audit said several school computer system users in each district had access to functions that were outside the scope of their responsibility. Auditors found that users in multiple school districts, including outside vendors, were able to make grade changes without proper documentation or authorization. According to the audit, 19 of 40 grade changes from Indian River were made by a Mohawk Regional Information Center employee who was not assigned the responsibility to change grades, and there was no documentation to support these grade changes.
Auditors also found that Indian River was one of four districts that had features within its computer system that allowed users to assume the identity or the account of other users as well as inherit increased rights or permissions.
Jefferson-Lewis Board of Cooperative Education Services Superintendent Stephen J. Todd said, “In the current electronic climate we’re in, all districts can learn from this. I suspect all districts in our region will look at tightening their security settings accordingly.”
Mr. DiNapoli recommended each school district take immediate steps to establish written policies for student information system administration, including creating a formal authorization process to add, deactivate or change user accounts and rights for monitoring user access; ensure individuals are assigned only those access rights needed to perform their job duties; evaluate user rights and permissions assigned to each system user; restrict the ability to make grade changes and ensure that documentation is retained to show who authorized the grade change; remove all unknown/generic or shared student information system accounts and deactivate the accounts of any users who are no longer employed; and periodically review available audit logs for unusual activity.
The full report can be viewed at http://wdt.me/HM6LC8.