The audit was performed on Feb. 9-10 and the state comptroller's staff examined a sample of 20 mobile computing devices owned by the district. Fourteen of the devices had at least one form of personal, private and sensitive information. The data could include student information, health records, bank account information or personal identifying information.
The audit found that while the Union Springs school board adopted cybersecurity policies, district administrators and information technology staff did not implement procedures to protect sensitive data on mobile devices.
"It is the responsibility of district officials to determine whether (a mobile computing device) is the best medium on which to store such information," the auditors wrote. "If such a determination is made, then district officials are responsible for ensuring that adequate safeguards are established, communicated and enforced to help prevent unauthorized access to this information."
The audit also revealed that the district did not properly restrict email access from non-district mobile devices, such as smartphones, to read-only. Employees could use a personal device to access their school email online, but there were no security settings in place to prevent staff from downloading sensitive information to their devices.
The state comptroller's office recommended that Union Springs develop written procedures for protecting personal, private and sensitive information on mobile devices. It also recommended that the district create a data classification matrix to establish security levels for the data, and that an inventory of personal, private and sensitive information stored on mobile devices be conducted.
According to the audit, Union Springs did not develop a data classification matrix because "they were unaware of what one was or why it was important." There wasn't an inventory of personal, private and sensitive information to determine what was on the mobile devices.
In a response to the audit, Union Springs Superintendent Jarett Powers shared the district's corrective action plan to adopt the comptroller's recommendations. Powers wrote that the district will "develop procedures that more explicitly outline the proper access, transmission, storage and use of (personal, private and sensitive information) within the school district." The district also plans to implement a data classification matrix, he added.
Both actions will be completed by the end of this school year.
"Certainly the district agrees that the ever-evolving environment regarding data security necessitates that we thoughtfully review our policies and practices and work to ensure that they are as current and relevant as possible," Powers wrote.
©2022 The Citizen, Auburn, N.Y. Distributed by Tribune Content Agency, LLC.