SALEM — The state agency that holds the education records of more than half a million Oregon students can tighten its control of that information, state auditors say.
The Oregon Department of Education regularly checks its computer systems for vulnerabilities and performs other “critical security tasks,” but the agency isn’t actively managing software or users to prevent breaches, according to a report released by Secretary of State Bev Clarno on Wednesday.
The agency has at least partially put into place more than half of a set of controls that experts consider basic security measures.
But “significant work remains to fully implement” those measures, auditors wrote.
For instance, the agency hasn’t updated the list of software programs that are authorized to run on its systems since 2014. That list includes software with “significant known vulnerabilities,” auditors wrote, and the department hasn’t taken steps to make sure that only authorized software is installed on its computers.
Auditors found that unauthorized software has been installed on “numerous” computers. That puts the agency at a higher risk for missing when its computers have malicious software or software with known weaknesses, leaving the agency prone to attacks that can access student data or “disrupt operations.”
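The control the auditors describe, an authorized-software list checked against what is actually installed, can be illustrated with a small reconciliation script. The following is an added example, not code from the audit report or from the Oregon Department of Education; the allowlist entries, hostnames, package names, versions and review dates are all constructed for illustration, and the "known_vulnerable" flag stands in for whatever vulnerability source an agency would actually consult. It flags software that is not on the list, approved software installed at a newer version than was reviewed, approved entries carrying known vulnerabilities, and approvals that have not been reviewed within a policy window (the report's "not updated since 2014" problem).

```python
"""Reconcile an installed-software inventory against an authorized-software list.

Added example; all data below is constructed and does not describe any real system.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Approval:
    name: str
    max_version: str       # highest version the agency has reviewed and approved
    reviewed: date         # date the approval was last reviewed
    known_vulnerable: bool  # would come from a vulnerability feed; hard-coded here


# Constructed allowlist. Two entries deliberately have stale review dates.
ALLOWLIST = {
    "office-suite": Approval("office-suite", "16.0", date(2014, 6, 1), False),
    "pdf-reader":   Approval("pdf-reader", "11.0", date(2014, 6, 1), True),
    "sis-client":   Approval("sis-client", "3.2", date(2023, 9, 1), False),
}

# Constructed inventory: hostname -> list of (package, installed version).
INVENTORY = {
    "lab-pc-01": [("office-suite", "16.0"), ("pdf-reader", "11.0"), ("torrent-tool", "2.1")],
    "admin-pc-07": [("sis-client", "3.2"), ("remote-desktop-x", "1.0")],
}


def version_tuple(version):
    """Turn '16.0.2' into (16, 0, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def reconcile(inventory, allowlist, today, max_age_days=365):
    """Return (host, package, finding) triples for every policy deviation found."""
    findings = []
    for host, packages in inventory.items():
        for name, version in packages:
            approval = allowlist.get(name)
            if approval is None:
                findings.append((host, name, "unauthorized"))
                continue
            if version_tuple(version) > version_tuple(approval.max_version):
                findings.append((host, name, "version-not-approved"))
            if approval.known_vulnerable:
                findings.append((host, name, "known-vulnerable"))
            if (today - approval.reviewed).days > max_age_days:
                findings.append((host, name, "stale-approval"))
    return findings


def summarize(findings):
    """Count findings by category so the report can be tracked over time."""
    counts = {}
    for _host, _name, category in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(INVENTORY, ALLOWLIST, date(2024, 1, 1))
    for host, name, category in results:
        print(f"{host}: {name}: {category}")
    print(summarize(results))
```

Running the reconciliation on a schedule and keeping the summary counts turns the allowlist from a document into a measurable control: a rising "unauthorized" count shows installation is not being constrained, and a non-zero "stale-approval" count shows the list itself is not being maintained.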
The education department is supposed to keep information about students secure and protect their privacy.
The agency, though, lacks an overall plan to manage security, which could leave it more vulnerable to cyberattacks.
Those problems could partially stem from some bureaucratic reshuffling, auditors found.
A recent state law consolidated the state’s cybersecurity workers into one office.
Previously, the education department had workers dedicated to cybersecurity issues.
But in 2016, Gov. Kate Brown issued an executive order that put all dedicated security workers in various state agencies under the state Department of Administrative Services.
That new office hasn’t assigned someone to help the education department with its information security functions.
As a result, “some critical activities are performed on an ad hoc basis” and the agency’s ability to handle security incidents is hindered, auditors wrote.
The agency agreed with auditors’ recommendations and said it plans to put them into action within about 2½ years.