Oneida City School District – Controlling Access to the Student Information System (2016M-53)

Issued Date
June 24, 2016

Purpose of Audit

The purpose of our audit was to examine the District’s information technology (IT) access controls over personal, private and sensitive information (PPSI) in its Student Information System (SIS) for the period July 1, 2014 through October 30, 2015.

Background

The Oneida City School District is located in the City of Oneida and the Towns of Lenox and Lincoln in Madison County and the Towns of Vernon, Verona and Vienna in Oneida County. The District, which operates six schools with approximately 2,600 students, is governed by an elected seven-member Board of Education. Budgeted appropriations for the 2015-16 fiscal year total approximately $41 million.

Key Findings

  • District personnel could not provide documentation to show justification and authorization for the 48 grade changes made by guidance counselors and guidance office secretaries.
  • District officials do not review SIS audit logs on a regular basis, do not properly manage SIS accounts and permissions, and have not established effective policies and procedures for protecting the PPSI in the SIS.
  • There were unnecessary user accounts in the SIS, including those for former District employees, former third-party personnel, MORIC personnel who do not directly support the SIS, and substitute secretaries and nurses who need only occasional access.

Key Recommendations

  • Require documentation to be retained to show who authorized grade changes and the reasons for the changes.
  • Periodically review SIS audit logs for unauthorized or inappropriate activity and establish written policies and procedures for managing and monitoring access to the SIS. This should include requirements for safeguarding PPSI and procedures for monitoring user activity.
  • Evaluate all existing SIS user accounts and remove any accounts deemed unnecessary.