Audits: Oregon Department of Education Lacks Proper Security in Protecting Student Data

(TNS) -- Two separate audits found the Oregon Department of Education didn't do enough to ensure that its huge cache of data on more than 600,000 students remains private.

Hundreds of people in school districts and in state government have access to some or all of that data. That means keeping it safe is a daunting technological challenge.

A report by the U.S. Department of Education's Office of Inspector General found Oregon at risk of being unable to "prevent or detect unauthorized access and disclosure of personally identifiable information."

A state audit, made public Thursday, also found insufficient security measures to keep confidential student data confidential.

"The department does not provide an appropriate layered defense," auditors wrote.

Neither the state nor federal department issued a notice about the federal audit. The Oregon Department of Education provided it to The Oregonian/OregonLive in response to a public records request.

Oregon Department of Education officials say they have taken careful and technically advanced steps to protect data, and are constantly updating and upgrading those efforts.

Oregon student data in their possession has never been breached, said Susie Strangfield, the department's chief information officer.

But state and federal auditors both identified weaknesses in the steps and procedures the agency has used to ensure cyber security.

Federal auditors named several highly technical details; state auditors disclosed only general information, saying they listed precise problems in a confidential letter to the state education department, to avoid flagging them for hackers.

The data doesn't include students' home addresses, health records or discipline write-ups.

But hackers could potentially capture full names, birth dates, test scores, special education designations, expulsions, whether students qualify for free- or reduced-price meals, whether students are pregnant or parenting, whether students have opted out of testing, and other educational and demographic information.

The state tracks the identities of everyone who logs into the system, and it polices access to it. Officials also limit users to the portion of the data that's appropriate for them, such as information about their particular school or students in the grade they teach.

The federal audit was conducted beginning in June 2015 and looked at the department's internal controls of the data from June 2015 through January 2016.

The Oregon Department of Education received preliminary findings in January and final results in September.

Oregon officials largely disputed the federal findings, saying their procedures and controls meet international and industry standards.

"Our implementation of these controls ensure our student data is kept secure," Strangfield, the state education department's chief information officer, said Thursday. "Agency technical controls and technologies implemented were not raised by either audit as cause for concern."

She said the department "practices a defense-in-depth approach and continues to add layers of security to address emerging threats."

According to written comments included in the federal audit report, state officials acknowledged some problems. But they said they were on track to have them fixed by July.

The department, which had just one data security employee, hired three more, added software to detect unauthorized access, wrote down malware response procedures and trained staff on them, the federal audit said.

The state audit was conducted in fall 2016.

It found the department has done several things right, including ensuring the integrity of student data and accurately giving out and tracking state and federal funding.

But beyond raising questions about security measures, state auditors also said the department failed to follow procedures to ensure bad code did not get programmed into its system. And, although it has adequate measures to back up files in case of a disaster, the department lacks a workable plan for restoring those files and quickly becoming operational again.

State auditors said they were purposefully vague about inadequacies in the education department's data security system.

Weaknesses "relate to the department's processes for planning, configuring, managing and monitoring information technology security components," they wrote.

"Because of the sensitive nature of IT security, we communicated the details" in a confidential memo, they said.

©2016 The Oregonian (Portland, Ore.) Distributed by Tribune Content Agency, LLC.