Missouri Audit Finds Cybersecurity Issues at Boonville R-I School District

A Missouri audit uncovered a number of data privacy and security weaknesses that Boonville R-I School District plans to shore up.

Missouri State Auditor Nicole Galloway published the first of at least five Cyber Aware School Audits on Tuesday, March 29 as she continues her quest to hold government accountable for cybersecurity efforts. In the 1,500-student district, Galloway's team found six major issues:

1. No comprehensive data governance program
2. No security administrator or critical security controls
3. Not enough user access control
4. No data breach response policy or continuity plan
5. No formal security and privacy awareness training program
6. No process to make sure software meets data security principles

The auditor's office and the district worked together throughout the audit process, and the final report included the district's responses to 15 recommendations. Boonville R-I School District agreed with all of the recommendations and has already acted on some of them, with plans to finish implementing them by July 31. 

This audit underscored the importance of creating incident response policies, data breach response policies and continuity plans, said Kevin Carpenter, the district's IT director. 

"Especially because we're a small district and short staffed, sometimes policy's a pretty easy thing to put off down the road," Carpenter said. "There's always been the desire to have those policies in place, we just hadn't had time to create them."  

Now that these policies have become a district priority, the two-person IT team will make time to create them by putting aside some of the typical maintenance projects on their list this summer. While they will collaborate with other district leaders, most of the responsibility for creating policies will fall to the IT staff members.

As a result of the audit, the school district community has supported IT efforts to follow the recommendations, including the implementation of specific password requirements, and mandatory security and privacy awareness training. Each summer, the district plans to provide training and then follow up with that training throughout the year on specific topics.

"It's a lot easier for us as the technical staff in the district to get people on board with this stuff because now we have that outside approval of these steps," Carpenter said.  

With one audit finished, Galloway's team will continue to look for cybersecurity problems in the other four districts it selected: Waynesville, Cape Girardeau, Park Hill and Orchard Farm.