Audit of Texas' El Paso ISD Identifies Data Management Holes

The deficiencies could lead to “inappropriate” or “unauthorized access” to the system, which includes employee and student records, and district financial data.

(TNS) -- An internal audit found “significant deficiencies” in the El Paso Independent School District technology department’s protocols for who can access information in the district’s data management system.

The deficiencies could lead to “inappropriate” or “unauthorized access” to the system, which includes employee and student records, and district financial data, according to the audit released this spring.

The main issue auditors found was a lack of controls on so-called “super users,” who have unlimited access to the system, called the Total Education Administrative Management Solution, or TEAMS.

Super users can add, edit and delete information in TEAMS. They have broad access, unlike regular users, who can only see or edit certain information, like a teacher tracking her students’ grades. Most super users are in the finance, human resources and information technology departments, EPISD Chief Technology Officer Stephen Stiles said.

Super users are necessary to run the system – for example, to change passwords, fix data or generate finance or academic reports – but there may be unnecessary and unsupervised super users, according to the audit.

“Mitigating controls are not in place to ensure super users are properly authorized, managed, and monitored,” the audit report states.

The Technology Services department is working to establish better protocol for super users, Stiles said.

“There’s no issue about us having access,” he said. “What the audit is saying is we in IT need more controls upon us.”

The department has inventoried accounts to see who has super user access – more than 100 people do, Stiles said. Next up is determining who should have that access and requiring fingerprinting and background checks for each of those users, he said.

Currently some have background checks and others don’t, he said.

“If we don’t know the criminal history of one of our employees, and there is a criminal history, then you may be reticent about giving that person access to district data,” Stiles said.

He said he expects that list of super users will shrink in the coming months, following a principle of data security that “people should only have access to the data they actually need access to.”

Too many unsupervised, unrestricted super users put the district at risk for compromised accounts or for untrustworthy employees to sell Social Security numbers, bank account information and more, Stiles said.

“It is sensitive information, and there’s a market for it,” he said.

The district will also keep a better log of super user activity to know who made what changes in the system. Currently, some employees share super user accounts, which makes it difficult to know who accessed or changed what data, Stiles said.

The auditors also expressed concern that technology "leadership" sometimes circumvented protocol to grant someone access to TEAMS. Creating a new account that can access financial data, for example, may first need approval from the finance department. That process was occasionally skipped, according to the audit.

“If we do have internal controls in place, it’s important that we follow the process,” EPISD Internal Auditor Myra Martinez said at a board meeting last week, in a brief, testy exchange with Stiles. “If it requires certain approval, there’s a need for that. … If there is an extenuating circumstance … then it should be well-documented. It needs to be an extenuating circumstance … not just that we want access today.”

EPISD District 3 trustee Susie Byrd said she agreed.

“This is access to very important information, and we need to make sure we provide the appropriate internal controls to protect that information,” Byrd said.

Stiles described to the board an instance of not following the process. Just that morning, a "cabinet-level" EPISD administrator asked him to grant access to TEAMS for a new hire, starting the next day, he said. Because the paperwork takes more than a day, he approved the request then began the paperwork, he said.

“This is a high-level request; it’s a genuine district need and the paperwork can follow,” he told the board.

Now, he said, that won’t happen unless he gets specific written permission from the superintendent on why immediate access is needed. He would then forward it to the Internal Audit department.

The audit report says the technology department needs a “‘tone at the top’ culture to communicate its positive commitment to internal controls.”

“If I do not circumvent the procedures for these high-level requests, then I am setting the tone that the auditors are looking for,” Stiles said in an interview.

The audit also outlined a need to periodically review who has access to TEAMS as job descriptions and employees change, and to classify data by importance to limit access to confidential information.

The technology department’s plan to correct the audit findings will satisfy all concerns, Stiles said.

“Then we can agree that we do have sufficient controls in place for what is very important information in the district,” he said. “Then we operate under those controls and feel we’re more protected, as we ought to be.”

©2016 the El Paso Times (El Paso, Texas) Distributed by Tribune Content Agency, LLC.