Audit Objective
Determine whether the Charter School of Educational Excellence (School) Board of Trustees (Board) and officials secured student data to help protect it from unauthorized access and developed and adopted a comprehensive information technology (IT) contingency plan.
Key Findings
The Board and officials did not adequately secure student data to help protect it from unauthorized access or develop an IT contingency plan. As a result, there was an increased risk of unauthorized access to student personal, private and sensitive information (PPSI) and personally identifiable information (PII), and an increased risk that the School could suffer a serious interruption to operations, since its ability to communicate during a disruption or disaster could affect the timely processing of its business functions. In addition to sensitive IT control weaknesses that we communicated confidentially to School officials, we found:
- School employees did not have guidance on how to properly identify and secure sensitive student data.
- Three out of six tested users of the cloud-based application used for School operations stored sensitive student data without adequate protection, and 12 of the 125 users of the cloud-based Student Information System (SIS) had excessive or unnecessary access to view and modify sensitive student data.
Key Recommendations
- Review, revise (if necessary), adopt and communicate the data classification policy to employees.
- Ensure all access to sensitive student data is based on needs and job responsibilities.
- Develop a written IT contingency plan.
School officials agreed with our recommendations and have initiated, or indicated they planned to initiate, corrective action.