Cape school district scores well in state cyber audit; some improvements recommended
While the Cape Girardeau School District has done well in ensuring confidential student data are protected, the state auditor’s office has identified ways it can improve.
“Our team found that, although the school district has put important controls in place, more can be done to ensure sensitive information doesn’t fall into the wrong hands,” state Auditor Nicole Galloway said in a news release Tuesday, in tandem with the release of a cybersecurity audit conducted in the spring.
The audit took place from March to May as part of the agency’s Cyber Aware School Audits Initiative. The audit is the third of five to be made public in Missouri so far.
Other school districts around the state that participated in the initiative include Boonville in Cooper County, Orchard Farm in St. Charles County, Park Hill in Platte County and Waynesville in Pulaski County.
The audits were designed to analyze how well each district can ensure confidentiality and protect sensitive student information such as Social Security numbers and test scores.
One area for improvement identified in Cape Girardeau’s report is a need for a formal data-governance program.
Superintendent Jim Welker said the district’s goal is to have that completed by December at the latest.
“This fall, (our technology department) will pull together all the different pieces and start putting those together in a formalized document,” he said.
Another item highlighted in the local report is user accounts.
In four instances, auditors found certain users still had access to the district’s system 30 days or more after leaving. The four were not traditional employees, so typical human-resources procedures were not applied in shutting down those user accounts, said Brian Hall, the district’s technology coordinator.
Since then, a failsafe has been introduced into the system for people who aren’t on the normal payroll but need access to the system.
“To put this in perspective, there are close to 7,000 accounts (in the district’s system), but (the auditors) found four,” said Neil Glass, assistant superintendent for administrative services.
The auditor’s findings also recommended someone in the district be appointed as a security administrator to stay on top of all things about information security.
Hall now is charged with that responsibility.
In the case of a data breach, which Welker said has not happened in the district, the report advised creating documented policies and procedures along with an incident-response plan.
“We have quite a bit of information, and we need to formalize that into a comprehensive plan,” Hall said, along with periodic reviews and continued emergency exercises.
The last part of the report deals with vendor controls or establishing a process for ensuring software technology complies with district security principles.
Welker said most sensitive information is stored on internal district servers, but for anything being handled by outside vendors, contracts specify they must be audited and have adequate security measures.
Overall, Welker said he has viewed the audit process as a learning experience.
“We’re going to work toward putting the recommendations from the state auditor’s office into place,” he said.
Similar audits have been released for the Booneville and Waynesville districts; audits remain in progress in the Park Hill and Orchard Farm districts.
To read Cape Girardeau’s cybersecurity findings, visit auditor.mo.gov.
301 N. Clark Ave., Cape Girardeau, Mo.