Tuesday, October 27, 2015

1.5 million current and former student SSNs at risk says MO Auditor » Missouri Education Watchdog

1.5 million current and former student SSNs at risk says MO Auditor



A recently released cyber audit of DESE’s student data system (MOSIS) revealed several weaknesses that MO State Auditor Galloway said placed 1.5 million current and former students’ personal information, such as social security numbers, at cyber risk.
The report noted that the state has “no business reason” for collecting social security numbers.  Galloway takes a strong position on data security. In a statement to KCUR she said, “We need to be proactive to be sure to limit the collection of that data if it’s not necessary and then be proactive in protecting it to make sure it doesn’t fall into the wrong hands.” This is exactly what SB530 (Onder – Dist 2), filed but never passed out of the Senate Education Committee last year, attempted to do.
Other Auditor findings include:
  • DESE management has not fully established and documented user account management policies and procedures. User account management includes requesting, establishing, issuing, suspending, modifying, closing, and periodically reviewing user accounts and related user privileges. Multiple DESE users are allowed access to the MOSIS system via shared accounts; however, DESE management does not regularly monitor these accounts to ensure actions taken by account holders are appropriate.
  • DESE management has not established a comprehensive data breach response policy, as recommended by the U.S. Department of Education. Without a comprehensive data breach response policy, management may not be sufficiently equipped to respond quickly and effectively in the event of a breach, increasing the risk of potential harm to affected individuals.
Galloway cited these deficiencies despite the fact that the State Board did pass the rule 5 CSR 20-700.100 Statewide Longitudinal Data System on March 2nd this year, requiring:
2) Data Access and Management Policies.
(A) The department adheres to the confidentiality requirements of both federal and state laws including, but not limited to, the Family Educational Rights and Privacy Act (FERPA), the Individuals with Disabilities Education Act (IDEA), the Protection of Pupil Rights Amendment (PPRA), and the National School Lunch Act. These policies include:
1. Defining privacy, confidentiality, personally identifiable information, disclosure, access, and confidential data; and