BreachExchange mailing list archives

Inadequate security of personal, private, and sensitive Information in school districts’ mobile computing devices – audit


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Thu, 27 Dec 2012 12:04:14 -0600

http://www.databreaches.net/?p=26532

I’ve often pointed out my concerns that public schools – at least
those in New York that I’ve been in – do not seem to have adequate
security in place for the vast troves of sensitive and confidential
information they collect and retain. So I was unsurprised to read
that a recent Office of the State Comptroller audit of 12 public
school districts found the majority lacked adequate security for
personal, private, and sensitive information (PPSI) on Mobile
Computing Devices (MCDs). The audit results were released on December
14, and cover the period from January 1, 2010, to May 4, 2012.

From the executive summary/press release:

Key Findings

- The majority of the 12 districts did not have adequate security
  policies and procedures in place, increasing the risk that PPSI could
  be accessed and misused by unauthorized persons.
- Our tests of a sample of 383 district-owned MCDs found PPSI on 71
  (18.5 percent) of these devices. Without proper safeguards in place,
  any confidential data on these MCDs could be at risk of exposure.
- None of the districts had developed a classification scheme or
  performed an inventory of the PPSI the districts possess.

The problems are evident in this statement in the report:

The sample of MCDs we initially selected included three MCDs (from
three different districts) that we were unable to examine because one
had been stolen and two had been lost. The district had filed a police
report in the case of the stolen MCD. The districts had not realized
that the other two devices were lost; it only became apparent that
these two MCDs were lost when district officials were unable to locate
the devices for our audit. Because we were unable to examine these
devices, there is no way of knowing whether or not any of these MCDs
contained PPSI, and whether adequate controls had been implemented on
the devices to protect such information.

From the summary, the Key Recommendations:

- Adopt formal written policies and procedures to ensure a sound IT
  environment and to protect PPSI in mobile computing devices.
- Develop written policies and procedures that outline the proper
  access, use, and protection of PPSI on MCDs.
- Complete a classification and inventory of information the district
  maintains to assign the appropriate security level to each type of
  data, and then conduct an inventory of PPSI stored on all electronic
  equipment to account for the confidential data maintained.

You can read the full audit report (2012-MR-2) here.

The state also issued letter reports to the following school
districts: Bath [pdf], Cato-Meridian [pdf], East Rochester [pdf],
Geneseo [pdf], Horseheads [pdf], Marcus Whitman [pdf], Odessa-Montour
[pdf], Penfield [pdf], South Seneca [pdf], Victor [pdf], Weedsport
[pdf] and Wheatland-Chili [pdf]. Most of the letters had passages
like this one:

We found the District’s IT policies were nonexistent or inadequate in
a few areas related to the security of PPSI. The District did not have
policies governing remote access, the installation of hardware on
District MCDs, or notification of affected parties in the event of a
data breach. Further, the District does not have a written
District-wide data classification scheme, and has not inventoried the
PPSI in its possession. In addition, there was no email policy to
address the use of PPSI or confidential information in email
communications. Without adequate policies for protecting the security
of PPSI, there is a significant risk that data, hardware, and software
systems may be lost or damaged by inappropriate access and use.

Our audit identified certain vulnerabilities concerning PPSI. Because
of the sensitive nature of these findings, they are not included in
this report but have been communicated confidentially to District
officials so they could take corrective action.

Even in the rare case where a district did have an encryption policy,
it was not consistently implemented:

Although the District had an adequate policy for the encryption of
mobile devices, the policy was not consistently monitored for
compliance. Of the 45 MCDs we reviewed, 10 devices were not encrypted
as the policy required, including one that contained PPSI. Further,
there was no data breach notification policy, and the District’s email
policy did not adequately address the use of PPSI or confidential
information in email communications. District officials also had no
Districtwide scheme for classifying PPSI according to risk, and had
not conducted an inventory of all PPSI at the District.

I’m still waiting for them or the NYC Comptroller’s Office to conduct
an updated audit of the NYC Education Department – for both
Information Technology and security of PPSI in MCDs.

I wonder what would happen if parents started filing under FOI to
obtain copies of their child’s district’s policies for security of
PPSI on MCDs. It could make for some interesting school board
meetings.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list