Audit: Education department has improved cyber security, but some gaps persist
The Oregon Department of Education’s IT office largely passed the state’s audit of its cybersecurity protocols in a report released Wednesday, but several gaps have persisted since they were reviewed in 2019.
The Education Department’s Office of Finance and Information Technology is tasked with supporting agency technology and creating web applications that help with programs like child nutrition and grants management. The office has about 125 employees and an operating budget of $77 million.
The Audits Division of the Secretary of State’s Office made 14 recommendations for improvement, especially when it comes to accessibility for users with disabilities, but roundly praised the agency’s cybersecurity efforts.
“It’s great to see agencies practicing good data stewardship, especially when the data is related to Oregon students,” Secretary of State Shemia Fagan said in a statement.
She called on the department to do more to increase accessibility to site content for users with disabilities and to monitor and update website accessibility.
One example cited is including alt text with images that describes what is happening in a photo on the department’s site or platforms, so it can be read aloud to visually impaired or blind users.
The Education Department has only had funding for temporary web accessibility technicians and was turned down earlier this year when it asked the Oregon Legislature for money to hire permanent staff.
The audit also found that while the Education Department had largely improved security for its web applications, gaps remain that could lead to data breaches.
One gap was leaving inactive accounts accessible beyond 60 days, allowing people who have left their job or changed roles to continue accessing the agency’s network and platforms. At least one person who no longer worked for the department still had access to the network.
Auditors also found that two agency servers did not have antivirus software. The Education Department explained in a response that it took the software down while troubleshooting a server issue and mistakenly overlooked reinstalling it.
State auditors also found that the agency was not requiring multi-factor authentication for users with privileged access to the department’s network.
Portions of the audit were submitted directly to the agency in a confidential appendix because of the sensitivity of the gaps found. That included deficiencies in data storage, network access and logging, which is a record of who is logging into systems and when. The Education Department said some of the confidential issues were being addressed in projects already underway.
The Education Department came out far better than its agency peers at the Department of Consumer and Business, which was found to have largely ignored cyber security warnings for the past five years, leaving it vulnerable to cyber attacks.