PHILADELPHIA — Indian River Central School and Lowville Academy and Central School have updated district procedures to tighten security and access to sensitive student data.
An audit released Aug. 19 by state Comptroller Thomas P. DiNapoli named Indian River and Lowville as two of six state school districts, chosen for a random audit, that had inappropriate computer access to sensitive student data.
Lowville Superintendent Cheryl R. Steckly said the district already has made changes to meet Mr. DiNapoli’s recommendations and has sent a report to the comptroller’s office. Indian River Superintendent James Kettrick said the district is compliant with the recommendations but has to finalize a districtwide policy to be approved by the Board of Education and submit its report to the comptroller.
“One of the high points in our findings is, we do have a procedure,” Indian River Assistant Superintendent Mary Anne Dobmeier said. “But our procedures aren’t documented and approved by the Board of Education.”
Mrs. Dobmeier said the district will address the issue of who has access to student information, set up a system to regulate who is monitoring the information and more effectively establish, deactivate and monitor accounts accessing the information.
Mrs. Steckly said because only a small number of schools was audited, other schools can learn from their corrective actions.
“We learned a great deal through the audit,” she said. “Our hope is to take what we learned and share with other school districts as they move forward with their own plan of action.”
Mr. DiNapoli wrote in the audit that employees were able to change student grades and attendance records without proper authorization. The audit said several school computer system users in each district had access to functions that were outside the scope of their responsibility.
According to the audit, 19 of 40 grade changes from Indian River were made by a Mohawk Regional Information Center employee who was not assigned the responsibility to change grades, and there was no documentation to support these grade changes. Auditors also found that Indian River had features within its computer system that allowed users to assume the identities or the accounts of other users as well as inherit increased rights or permissions.
The districts were given six months from the time they were made aware of the audit to follow through with the comptroller’s recommendations to improve their controls over personal, private and sensitive information.
Recommendations included establishing written policies for student information system administration; creating a formal authorization process to add, deactivate or change user accounts and rights for monitoring user access; ensuring people are assigned only those access rights needed to perform their job duties; evaluating rights and permissions assigned to each system user; restricting the ability to make grade changes and ensuring that documentation is retained to show who authorized the grade change; removing all unknown/generic or shared student information system accounts and deactivating the accounts of any users who are no longer employed; and periodically reviewing audit logs for unusual activity.
“We were given straightforward recommendations and we’ve already put in our response and we’ve completed our action items,” Mrs. Steckly said.
Mrs. Dobmeier and Mrs. Steckly said when they reviewed the users in the systems there were authorized users who either were no longer employees or had been given more access than necessary to complete their jobs.
“Many times those people weren’t using their accounts at all, and some of those users were with MORIC,” Mrs. Steckly said. “The people from MORIC were our tech support, but they worked with us on their end to streamline who needs to have access.”
Mrs. Dobmeier said one of the final steps in establishing the district policy is to evaluate which district employees have user permissions. She said short-term employees, those who are working with the district fewer than 30 consecutive days, will not have access to the online School Tools account. Substitutes who are working for another employee have to do attendance the “old-fashioned way” of writing it down and submitting it to the school office.
Mrs. Dobmeier said by the Board of Education meeting Sept. 11, the board should have a procedure in place to restrict ability to make grade changes and document who is changing grades.
If someone goes in under another user’s account, there needs to be a way to monitor who is doing that.
Board member Donald L. Brumfield asked if it would be possible for substitutes to have accounts that are limited to the classroom they’re working in.
Indian River Business Manager James R. Koch said one problem with temporary access could be that if a substitute works for a teacher one day, and a different teacher shortly after, that substitute might continue to have access to the former teacher’s classroom information.
Mrs. Dobmeier said the final changes will be typed and presented to the board at its Sept. 11 meeting, establishing an official district policy.
The full report can be viewed at http://wdt.me/HM6LC8.