Missouri State Auditor Launches Cybersecurity Campaign to Protect Student Data

Nicole Galloway has led her team of auditors on a mission to sniff out problems in school districts and the Missouri Department of Elementary and Secondary Education

March 17, 2016
In this April 27, 2015 photo, Democrat Nicole Galloway speaks after being sworn in as new Missouri auditor in Jefferson City, Mo. Galloway, who previously served as the Boone County treasurer, was appointed by fellow Democrat Gov. Jay Nixon to replace former Republican Auditor Tom Schweich. Schweich fatally shot himself Feb. 26. Tim Bommel/AP

Missouri's state auditor is waging a war against bad cybersecurity practices. 

As high-profile breaches continue to make headlines across the country, Nicole Galloway has made cybersecurity a priority since she became the state auditor on April 27. The government lags behind the private sector in its cybersecurity practices, and Galloway has led her team of auditors on a mission to sniff out problems in school districts, local municipalities and large government agencies, including the Missouri Department of Elementary and Secondary Education (DESE).

"It's my job to hold government accountable at all levels," Galloway said. "I believe that in government, we need to proactively make sure we protect people's personal information."   

Galloway is holding government accountable by incorporating cybersecurity checks into every audit as her team looks for common data protection issues. In addition, auditors finished an investigation into data security in DESE's student information system last fall, announced the start of Cyber Aware School Audits and published common issues from a year's worth of audits across the board.

4 recommendations for DESE

Overall, the auditor's office gave DESE a "good" rating in the areas it audited, which means that the department runs well, has a few things to fix and has agreed to work on those areas by following most of the auditor's recommendations. In the student information system audit, investigators made four recommendations that DESE started acting on:

  1. Review user access occasionally, report the findings in writing and eliminate accounts with shared passwords.
  2. Stop collecting and delete Social Security numbers that DESE doesn't need.
  3. Create a data breach response policy.
  4. Update and test a business continuity plan for natural disasters and other unexpected incidents.

The Cyber Aware School Audits

After auditors found these issues with DESE, Galloway wondered what happens with the data that the department receives from local school districts. Her son started school this year, and she filled out a stack of paperwork for the school district that included personal information about her and her son. She said she wanted to see whether school districts had safeguards in place to keep data out of the wrong hands, so she started the Cyber Aware School Audits last fall.

Auditors have completed their field work in Boonville and Waynesville school districts, plan to start their field work soon in Cape Girardeau and Park Hill school districts, and don't have a date yet for Orchard Farm School District, Galloway said.

Though Orchard Farm is last on the list, Technology Director Bill Niemeyer and his staff have been working on cybersecurity best practices and taking advantage of cybersecurity webinars from the Missouri Research and Education Network (MOREnet). MOREnet connects public-sector organizations in Missouri to the Internet and provides technical training, among other things. In the webinars, IT leaders talked about issues including backup plans for disaster recovery, security controls and password policies.

"The data that we have on our networks is very confidential, and we certainly want to protect all of the private information from students and teachers," Niemeyer said.

District security challenges

One question that has come up is how a district would know whether it had an intrusion. Orchard Farm School District has a three-member IT team, and the small district of fewer than 2,000 students doesn't have the resources to buy expensive intrusion detection systems, Niemeyer said. Because most Missouri schools use the same Internet service provider, he said it would be nice if MOREnet could work out a deal with vendors to provide these systems at a discounted rate.

In fact, another organization is already working on that: The Center for Education Safety, which is part of the Missouri School Boards' Association, has an agreement in place with DESE to support school emergency planning. Within the next few weeks, the center plans to sign an agreement with a business partner that can scan school systems to detect intrusions, said Paul H. Fennewald, the center's director. Schools would be able to take advantage of this detection tool.

In its role of educating district leaders on school safety, the center created a cybersecurity checklist with help from the FBI and the Department of Homeland Security. After Galloway announced the Cyber Aware School Audits in September, Fennewald shared the checklist with the auditor's office and asked for input so his center could help schools better prepare for the audits. Auditors told the center that the guidelines looked good, but didn't give any feedback beyond that, Fennewald said.

On a scale of 1-10, Fennewald estimates that districts' cybersecurity preparedness is at a 3 or 4. In safety assessments in schools, he sees major problems with school data backups, device policies, data access, firewall strength and out-of-date antivirus software. He said he's afraid that bad actors may attack school networks and delete education records, which would be catastrophic if the district's backups were corrupted.

"It's extremely important that we get ahead of this issue," Fennewald said. "We're not moving fast enough in my estimation, but I think we're moving in the right direction anyway." 

5 common cybersecurity issues

In an October report, the auditor's office shared some of the common cybersecurity mistakes it saw across 33 municipalities, school districts and state agencies between July 2014 and June 2015. By sharing these mistakes, the office is giving IT leaders an opportunity to beef up their cybersecurity.

  1. Government employees don't have to use passwords at all to access some computers, and on the ones that do require passwords, employees never have to change them.
  2. Employees have more computer system access than they need to do their work.
  3. Computer systems don't automatically lock when employees step away from their desks or when someone repeatedly tries to guess a password.
  4. Offsite data backups don't happen regularly, and when they do, agencies don't test the backups to make sure they can restore the data.
  5. Computer systems don't have safeguards to prevent employees from changing data they shouldn't, and they don't keep records that would show how the changes happened.

What's next

For school districts involved in the Cyber Aware School Audits, auditors will write a draft report that includes recommendations and meet with district administrators to talk about the results. This meeting gives district leaders an opportunity to correct any inaccurate information and understand the issues that the audit identified, Galloway said. It also allows them to address major security vulnerabilities together before the report is published to prevent anyone from taking advantage of the vulnerabilities. The districts will have 30 days to respond to the draft report, and their responses will be included in the final published report. 

In typical audits, auditees may fix some of the issues during that 30-day window and respond that they're fixed or will be fixed, Galloway said. They also may recognize they have a problem in a specific area, but decide to address it in a different way than the auditors recommended. In rare cases, the auditee may disagree with the findings and refuse to implement them.  

In April or May, Galloway said she plans to release the Boonville report, and the other reports will follow as the investigations are completed. When all five investigations end, the auditor's office will share common problems it found in school districts with the Missouri School Boards' Association so that the association can continue to educate its members on better cybersecurity practices. Then the auditor's office will start another round of audits to hold school districts accountable for their cybersecurity practices.

"For me, this is not a gotcha thing," Galloway said. "I believe in good government, and I believe that if we work together, we can create a solution and we can move the needle on this."   

Tanya Roscorla, Former Managing Editor

Tanya Roscorla covered ed tech from 2009-2017.