Security Over Critical Information Systems

Issued Date
July 19, 2017
Agency/Authority
State Education Department

Purpose

To determine whether the security controls over critical State Education Department (Department) information systems were sufficient to minimize the various risks associated with unauthorized access to these systems and their associated data. Our audit scope covers the period September 29, 2016 through March 30, 2017.

Background

The Department administers school aid, regulates school operations, maintains a performance accountability system, oversees the licensing of numerous professions, certifies teachers, and administers a host of other educational programs. Its responsibilities include oversight of more than 700 school districts with 3.2 million students, 7,000 libraries, 900 museums, and 52 professions encompassing more than 850,000 licensees. The Department operates 120 computer systems to help support its activities, including four deemed critical to Department operations, on which we focused our testing. Each of the four systems supports crucial Department services to the general public and contains sensitive personal data, such as personally identifiable information and student records. The Department is responsible for safeguarding its data and for ensuring the confidentiality, integrity, and availability of its systems.

Key Findings

  • While the Department has taken a number of steps to secure its critical information systems and associated data, there is a risk that unauthorized persons could access these systems. This is largely because the Department has not taken fundamental steps to secure its critical systems, such as completing a full data classification process and adopting adequate information security policies and procedures.
  • The Department could also improve certain technical controls over its critical systems.

Key Recommendations

  • Develop strategies to enhance security controls over critical systems.
  • Implement the recommendations detailed during the audit to strengthen technical controls over critical systems.

Other Related Audits/Reports of Interest

Central New York Regional Transportation Authority: Compliance With Payment Card Industry Standards (2016-S-31)
Office of Information Technology Services: Security and Effectiveness of Department of Motor Vehicles’ Licensing and Registration Systems (2013-S-58)

State Government Accountability Contact Information:
Audit Director: Brian Reilly
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236