The state comptroller audited and released the audit report for the Oneida City School District. In its summary, the comptroller writes, “Auditors found questionable activity and unnecessary permissions granted for changing student grades, modifying student information system (SIS) permissions, assuming accounts or identities and viewing private, personal and sensitive information. There were also unnecessary user accounts in the SIS, including those for former district employees, former third-party personnel, and substitute secretaries and nurses that only need occasional access. These issues were the result of, at least in part, district officials’ failure to review SIS audit logs on a regular basis, properly manage accounts and permissions and establish effective policies and procedures.”

In addition, the report identified the following:

  • “SIS accounts were logged into 81 times from systems that reside outside the United States, which could potentially indicate that those accounts have been compromised. After sharing our findings with District officials, they determined that some of the access was authorized and other access was not. Subsequent to our audit, District officials indicated that they further confirmed 80 of the 81 login events as authorized.
  • “Guidance counselors and guidance office secretaries changed 48 final course grades from a failing grade to a passing grade without supporting documentation. While none of the grade changes were made by users that do not have the responsibility to change grades, we did find 55 users without such responsibilities that have also been granted permission to change grades in the SIS.
  • “A keyboard specialist, whose responsibilities include looking up group permissions but not changing those permissions, made seven changes to SIS permissions. Seven other users without the responsibility to manage SIS permissions also have the ability to modify group permissions in the SIS.
  • The SIS has functionality that allows users to assume the account or identity of another user. We found that SIS identities were assumed over 2,000 times and SIS accounts were assumed over 200 times by 37 different users. An additional 54 users have also been granted permissions to assume accounts or identities.
  • We could not determine whether PPSI has been accessed inappropriately because viewing PPSI is generally not logged in the SIS; however, we did find that 22 users are unnecessarily able to view the Social Security number field in the SIS, 21 users are unnecessarily able to view students’ identification numbers, seven users are unnecessarily able to view students’ medical information, 50 users are unnecessarily able to view students’ order of protection information, 58 users are unnecessarily able to view students’ custody information and nine users are unnecessarily able to view PPSI in the SIS audit log.

“We also found unnecessary user accounts in the SIS, including six for former District employees, five for former third-party personnel, two for MORIC personnel that do not directly support the SIS and 22 for substitute secretaries and nurses that only need occasional access. These unnecessary accounts increase the risk that an account could be used to inappropriately access the SIS. It also increases the efforts needed to manage permissions in the SIS, which could allow inadvertently granting more access than needed.

“Finally, we found that District officials do not review SIS audit logs on a regular basis nor do they properly manage SIS accounts and permissions. In addition, they have not established effective policies and procedures for protecting the PPSI in the SIS. The questionable activity, unnecessary permissions and unnecessary user accounts we identified result, at least in part, from the lack of effective management and monitoring of access to the SIS.”

Auditors reviewed the information with school district officials. The full audit and school’s response to recommendations can be found here: Full Report.

By martha
