
Protection of Personally Identifiable Information in the Commonwealth of Virginia's Longitudinal Data System

Published by the Department of Education, Office of Inspector General on 2016-07-12.


UNITED STATES DEPARTMENT OF EDUCATION
OFFICE OF INSPECTOR GENERAL
AUDIT SERVICES
Dallas/New York Audit Region

July 12, 2016

Control Number
ED-OIG/A02P0006
Dr. Steven R. Staples
Superintendent of Public Instruction
Virginia Department of Education
James Monroe Building
101 N. 14th Street
Richmond, VA 23219

Dear Dr. Staples:

This final audit report, “Protection of Personally Identifiable Information in the Commonwealth
of Virginia’s Longitudinal Data System,” presents the results of our audit. The purpose of the
audit was to determine if the Virginia Department of Education (VDOE) has internal controls in
place to prevent, detect, report, and respond to unauthorized access and disclosure of personally
identifiable information in the Commonwealth of Virginia’s (Virginia) Statewide Longitudinal
Data System (SLDS). Our review covered the VDOE’s SLDS documentation from May 2014
through September 2015.




                                                         BACKGROUND


The Institute of Education Sciences administers the SLDS grant program and monitors grantees’
progress toward meeting the final goals of their approved grant applications. The Institute of
Education Sciences awarded VDOE two SLDS grants. In fiscal year 2007, it awarded VDOE
$6,054,395 to improve its Educational Information Management System (EIMS), a system that
VDOE used to meet the data collection and reporting requirements of the No Child Left Behind
Act of 2001. In fiscal year 2009, it awarded VDOE $17,537,564 in American Recovery and
Reinvestment Act (Recovery Act) funds, which allowed VDOE to further develop Virginia’s
SLDS.

The National Forum of Education Statistics 1 defines an SLDS as a data system that (1) collects
and maintains detailed, high-quality, student- and staff-level data that are linked across entities
and, over time, provide a complete academic and performance history for each student and
(2) makes these data accessible through reporting and analysis tools. 2 According to this
definition, and for the purposes of this audit, we determined that Virginia’s SLDS consists of a
system to query data from other State systems—the Virginia Longitudinal Data System
(VLDS)—and other State systems that contain the data, which include the Single Sign-on Web
System (SSWS) that contains K-12 data, including personally identifiable information, and other
systems containing postsecondary, employment, and other types of data. For our audit of
Virginia’s SLDS, our review was limited to the VLDS and the SSWS.

1
 The National Forum of Education Statistics is a component of the National Cooperative Education Statistics
System that was established by the National Center for Education Statistics. The National Center for Education
Statistics is a component of the Institute of Education Sciences.

The Department of Education's mission is to promote student achievement and preparation for global competitiveness by fostering educational
excellence and ensuring equal access.
Final Report
ED-OIG/A02P0006                                                                                  Page 2 of 19

VDOE’s 2009 Institute of Education Sciences approved grant application stated that VDOE
would create a longitudinal data linking and reporting system with the ability to link data among
State agency data sources, including the K-12 system. To accomplish this objective, the
application explained that state agencies would continue to house source data in their respective
database but additional capabilities were going to be developed to store query results, scrub and
prepare the data for linking, and offer and receive data in the desired format. The VLDS query
system obtains data from the exposure databases from five State agencies: the VDOE, the State
Council of Higher Education for Virginia, the Virginia Community College System, the Virginia
Employment Commission, and the Virginia Department of Social Services. Each participating
State agency maintains its original data in its system, such as the VDOE’s SSWS for K-12 data.
Each State agency creates an exposure database that contains the data fields approved by that
agency, and that data is used when a VLDS query is run. The VLDS receives data from each
State agency’s exposure database via a one-way transmission. Before the transmission of data to
the VLDS, a one-way hashing algorithm is performed to remove personally identifiable
information and create a unique identifier for each individual. Then, when a researcher query is
run in the VLDS, a second hashing algorithm removes that unique identifier, and creates a VLDS
unique identifier. Consequently, no personally identifiable information resides in the VLDS.
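The two-stage hashing described above, written out as an added example that is not VDOE's code and does not reproduce the actual VLDS algorithms, keys or schema: each agency applies a keyed one-way hash (HMAC-SHA-256 is assumed here) over the matching fields with a linkage key shared by all participating agencies and drops the personally identifiable fields; at query time the VLDS re-hashes the agency identifier under a per-query key, so two agencies' records for the same person link within one query while the results of different queries cannot be linked to each other. The field names, keys and records are constructed.

```python
import hashlib
import hmac

# Constructed sample records, standing in for two agencies' exposure databases.
# The matching fields (dob, name, student_id) are the PII to be removed; the
# layout and values are assumptions, not VDOE's actual schema.
PII_FIELDS = ("dob", "name", "student_id")

K12_RECORDS = [
    {"student_id": "VA-000123", "dob": "2005-04-17", "name": "A. Example", "grade": 10},
    {"student_id": "VA-000124", "dob": "2006-11-02", "name": "B. Example", "grade": 9},
]
EMPLOYMENT_RECORDS = [
    {"student_id": "VA-000123", "dob": "2005-04-17", "name": "A. Example", "sector": "retail"},
]


def pseudonymize(record, linkage_key):
    """Stage 1 (agency side): replace the PII fields with a keyed one-way hash.

    Every agency must use the same linkage key and the same field order; otherwise
    the same person would receive different identifiers and could not be linked."""
    material = "|".join(record[f] for f in PII_FIELDS).encode()
    agency_uid = hmac.new(linkage_key, material, hashlib.sha256).hexdigest()
    out = {k: v for k, v in record.items() if k not in PII_FIELDS}
    out["agency_uid"] = agency_uid
    return out


def requery(exposed, query_key):
    """Stage 2 (VLDS side): re-hash the agency identifier under a per-query key,
    removing the agency identifier from the result."""
    vlds_uid = hmac.new(query_key, exposed["agency_uid"].encode(), hashlib.sha256).hexdigest()
    out = {k: v for k, v in exposed.items() if k != "agency_uid"}
    out["vlds_uid"] = vlds_uid
    return out


def link(record_sets, linkage_key, query_key):
    """Join the agencies' records on the VLDS identifier.

    Returns a dict mapping vlds_uid -> merged non-PII attributes."""
    merged = {}
    for records in record_sets:
        for record in records:
            q = requery(pseudonymize(record, linkage_key), query_key)
            merged.setdefault(q["vlds_uid"], {}).update(q)
    return merged


if __name__ == "__main__":
    # Constructed keys; in a real deployment the linkage key must never reach the VLDS.
    for uid, attrs in link([K12_RECORDS, EMPLOYMENT_RECORDS], b"shared-linkage-key", b"query-42").items():
        print(uid[:12], attrs)
```

The property that no personally identifiable information resides in the query system holds only if the linkage key is unavailable to the VLDS and to researchers: an unkeyed hash over a low-entropy field such as a student number or date of birth can be recomputed by anyone holding a list of candidate values, so in a keyed design the key, not the hash output, is the secret that the agency-side controls must protect.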

VDOE used grant funds to develop the VLDS to support critical reporting on the quality of
Virginia education. The VLDS was activated November 2013. The VLDS is not a centralized
database; it is a query system that allows researchers to obtain longitudinal data on students from
State agencies to help improve the quality of education in Virginia. VDOE runs the query for the
researchers based on the requested data in the application; the results of the query are available to
the researchers for 10 days then the results are deleted.

According to VDOE’s Director of VLDS, grant funds were used to develop the SSWS exposure
database, which was used to provide K-12 data for VLDS queries. Personally identifiable
information resides in the SSWS. We reviewed VDOE’s SSWS to determine whether it has
internal controls in place to prevent, detect, report, and respond to unauthorized access and
disclosure of personally identifiable information in the SSWS. The SSWS is a system through
which school division personnel access many of VDOE’s data collection processes and other
applications. The SSWS is intended to provide a simple, secure, and reliable environment for
access to different types of educational information that VDOE’s school division manages. The
SSWS allows school division personnel to access its data collection processes, as well as other
applications, with one single user ID and password through the internet. Security and access to
data are maintained at the user level, so school division personnel have access only to the
information and applications they need.

2
 The Education Science Reform Act of 2002, Title 2, Section 208 of the “Grant Program for Statewide Longitudinal
Data Systems” authorizes the U.S. Department of Education to award grants that enable State agencies to design,
develop, and implement Statewide longitudinal data systems to efficiently and accurately manage, analyze,
disaggregate, and use individual student data.

Although we did not develop a finding on the VLDS since it did not contain personally
identifiable information, we reviewed the Information Technology Security Audit of the VLDS.
The independent audit was performed by Impact Makers in May 2014, and identified several
control weaknesses in the VLDS. We also reviewed the System Security Plan for the VLDS and
determined that VDOE still had not implemented five of the required system controls discussed
in the information technology security audit. We identified weaknesses that pose a heightened
risk to the data that resides on the VLDS. We list the controls VDOE had not implemented for
VLDS in Attachment 2.




                                     AUDIT RESULTS


Our audit objective was to determine if VDOE has internal controls in place to prevent, detect,
report, and respond to unauthorized access and disclosure of personally identifiable information
in Virginia’s SLDS. During our audit, we learned that the VLDS does not contain personally
identifiable information. However, the SSWS contains personally identifiable information;
therefore, our audit focused on the SSWS portion of the SLDS.

We identified internal control weaknesses in the SSWS that increase the risk that VDOE will be
unable to prevent or detect unauthorized access and disclosure of personally identifiable
information. Specifically, we found that although VDOE classified the SSWS as a sensitive
system, it did not ensure that it met the minimum requirements for a system classified as
sensitive, as required in Virginia’s Information Technology Resource Management (ITRM)
Standards. Because VDOE did not meet the minimum State requirements for systems classified
as sensitive, VDOE also was not in compliance with the Institute of Education Sciences SLDS
grant requirements.

We determined VDOE has policies and procedures that address reporting and responding to
unauthorized access and disclosure of data, including personally identifiable information in its
data systems. However, we could not determine whether the procedures were effectively
implemented since VDOE has not reported any system breaches in the VLDS or SSWS.

In its comments to the draft report, VDOE stated that our finding was inconsistent with the stated
purpose of the audit with regard to a focus on the SSWS. Therefore, VDOE requested all
findings related to the SSWS be removed from the report. VDOE stated that it had reclassified
the VLDS system as non-sensitive and reasonably concluded the audit was rescinded. In
addition, VDOE also provided a list of factual inaccuracies it contends were in the draft report.
We include the full text of VDOE’s comments on the draft report as Attachment 3 to the report.
We were not requested by VDOE to rescind the audit and we disagree there is any rational basis
under Government Auditing Standards to rescind the audit or remove the finding on SSWS. We
also did not remove references to the VLDS as VDOE acknowledges we explained on an
October 1, 2015 conference call because it was classified as a sensitive system through the end
of our audit period. We did make changes to the report for clarity as a result of VDOE’s
response.

Because the objective of our audit was to review the protection of personally identifiable
information in Virginia’s SLDS, and because the SSWS portion of Virginia’s State Longitudinal
Data System contained the personally identifiable information, we included the SSWS in our
audit scope. Based on the statutory definition of an SLDS, the Virginia State Longitudinal Data
System consists of both the query system and the exposure databases provided by the state
agencies. Subsequent to our exit conference on September 24, 2015, OIG received an e-mail on
October 8, 2015, from the newly appointed Chief Data Security Officer stating that the VLDS
was reclassified as a non-sensitive system. While this was after our audit period and not relevant
to the audit results, VDOE did not provide documentation to support the reclassification of the
VLDS. We also refuted VDOE’s claims on inaccuracies in our draft report contained in
Attachment 4 to the report.

FINDING NO. 1 – The Single Sign-On Web System Does Not Meet Required State Minimum Security Requirements

We found that VDOE did not ensure that the SSWS met required State standards for systems
classified as sensitive. Virginia’s ITRM Standards establish the required system controls for
Virginia systems that are classified as sensitive. Based on the 2007 SLDS Request for Grant
Applications, the grantee must ensure confidentiality of students in accordance with relevant
legislation. In addition, VDOE’s 2009 approved Recovery Act application stated that VDOE
would implement security controls in accordance with Virginia’s Information Security
Standards. According to the ITRM Standards, VDOE must ensure that applicable systems meet
all of the requirements found in the standards. We determined the SSWS did not meet State
minimum security requirements. Therefore, VDOE had weaknesses in its system controls
designed to prevent and detect unauthorized access and disclosure of personally identifiable
information in the SSWS.

We found that VDOE did not ensure the SSWS met the minimum requirements found in
Virginia’s ITRM Standards, which consist of 17 system controls. We reviewed the information
technology security audit of the SSWS performed by Impact Makers, dated May 2014. The
objective of that audit was to determine compliance with Virginia’s ITRM Standards. In
addition, we reviewed Virginia’s Auditor of Public Accounts’ June 2014 Department of
Education Audit that found “matters involving internal control and its operation necessary to
bring to management’s attention,” and other related documents. The Impact Makers audit report
cited issues with all 17 system control areas identified in Virginia’s ITRM Standards. For
example, VDOE had not updated its risk assessment, did not address vulnerabilities the auditors
identified through a vulnerability scan, and did not ensure that the SSWS password policy met
the minimum State requirements. VDOE created one corrective action plan that addressed both
the May 2014 SSWS security audit and the June 2014 Virginia Auditor of Public Accounts audit.
We evaluated VDOE’s corrective action plan for the SSWS security audit and the System
Security Plan for the SSWS. The corrective action plan identified the issues to be remedied,
planned corrective action, and the status of each finding. The Auditor of Public Accounts
corrective action plan also documented whether VDOE concurred with the findings and the due
date to remedy the findings. VDOE did not implement the corrective actions to remedy
17 missing system controls. See Table 1 below for the 17 missing system controls.

Table 1. SSWS Security Audit
Control Area | ITRM 501-08 Sections | Control
Access Control | AC-2 | Required system access controls to be documented and describes account management principles.
Configuration Management | CM-2 and CM-8 | Required baseline configuration and component inventory be documented.
Awareness and Training | AT-1 | Required role-based security training.
Audit and Accountability | AU-1 | Required that Audit and Accountability policies be documented.
Security Assessment and Authorization | CA-3 and CA-7 | Required that a continuous monitoring program be established.
Contingency Planning | CP-1-COV-1 and CP-1-COV-2 | Required that, based on the Business Impact Analysis and the Risk Assessment, the Information Technology Disaster components develop a Disaster Recovery planning activity.
Identification and Authentication | IA-4 and IA-5 | Required that user identifiers be disabled (locked) after 90 days of inactivity and that Information Technology systems enforce a minimum lifetime password restriction of 24 hours.
Incident Response | IR-2 | Required Incident Response Training, which includes incident response controls.
Controlled Maintenance | MA-2 | Required the performance and documentation of maintenance and repair of Information System Components.
Media Protection | MP-1 | Required the protection of media systems.
Physical and Environmental Protection | PE-1 | Required that the list of the physical and environmental controls be reviewed.
Planning | PL-2 and PL-2-COV | Required that the System Security Plan be documented.
Personnel Security | PS-7 | Required that the Personnel Security Policy be documented.
Risk Assessment | RA-3 | Required that risk assessments be conducted.
System and Services Acquisition | SA-1, SA-3, and SA-3-COV-2 | Required that the system design documentation be documented to include the coding practices.
System and Communications Protections | SC-1 | Required policies for system and communication protection.
System and Information Integrity | SI-1 | Required the documentation of security requirements and integrity-based controls.

While the System Security Plan identified seven security findings, it did not provide any
remedies. The System Security Plan was also undated, unsigned, and not approved by a VDOE
official, so we were unable to determine when VDOE developed the plan or its effective date.
Therefore, VDOE did not take corrective action to address security control weaknesses to ensure
the protection of personally identifiable information in the SSWS. During the exit conference
with VDOE officials in September 2015, the director of Virginia’s VLDS stated that VDOE
hired a Chief Data Security Officer on August 10, 2015, who was working on updating the
System Security Plan for the SSWS.

Subsequently, the Auditor of Public Accounts audited the VDOE and identified additional
missing system controls from the ITRM Standards. Virginia’s Auditor of Public Accounts
reported five system control areas in the SSWS that did not meet the minimum standards
identified in the Virginia ITRM Standards. The five missing system controls are listed in
Table 2.

Table 2. Auditor of Public Accounts 2014 Audit
Control Area | ITRM 501-08 Sections | Control
Contingency Planning | CP-9 and CP-9-COV | Required that an agency document backup and restoration plans to meet agency requirements.
Configuration Management | CM-3 and CM-6 | Required that an agency (1) retains and reviews a record of each configuration controlled change to a system and (2) documents mandatory configuration requirements consistent with system hardening standards.
Risk Assessment | RA-5 | Required that an agency scan each sensitive system for vulnerabilities at least once every 90 days.
Information Security Roles and Responsibilities | Section 2.4.1 | Required that the Information Security Officer report directly to the agency head.
Information Technology System and Data Sensitivity Classification | Section 4.2.3 | Required that an agency (1) identifies the sensitivity level of a system or data on the basis of low, medium, or high; and (2) determines potential damages as a result of a compromise of sensitive data.
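Two of the controls cited in Tables 1 and 2 state measurable thresholds: IA-4/IA-5 (disable user identifiers after 90 days of inactivity; enforce a minimum password lifetime of 24 hours) and RA-5 (scan each sensitive system for vulnerabilities at least once every 90 days). The following is an added example, not from the report or from VDOE, of how an agency could test an account inventory and a system inventory against those thresholds as part of the continuous monitoring the ITRM Standards call for; the record layout, the evaluation date and the sample data are constructed.

```python
from datetime import datetime, timedelta

# Thresholds taken from the ITRM controls cited in Tables 1 and 2.
INACTIVITY_LIMIT = timedelta(days=90)    # IA-4: disable (lock) after 90 days of inactivity
MIN_PASSWORD_AGE = timedelta(hours=24)   # IA-5: minimum password lifetime of 24 hours
SCAN_INTERVAL = timedelta(days=90)       # RA-5: scan each sensitive system every 90 days

# Constructed evaluation date and sample inventories; the layout is an assumption, not VDOE's.
AS_OF = datetime(2015, 9, 1)

ACCOUNTS = [
    {"user": "alice", "enabled": True,  "last_login": datetime(2015, 8, 20), "password_set": datetime(2015, 8, 31, 23, 0)},
    {"user": "bob",   "enabled": True,  "last_login": datetime(2015, 5, 1),  "password_set": datetime(2015, 3, 1)},
    {"user": "carol", "enabled": True,  "last_login": datetime(2015, 6, 10), "password_set": datetime(2015, 6, 10)},
    {"user": "dave",  "enabled": False, "last_login": datetime(2014, 1, 15), "password_set": datetime(2014, 1, 15)},
]
SYSTEMS = [
    {"name": "SSWS",        "sensitive": True,  "last_scan": datetime(2015, 5, 1)},
    {"name": "VLDS",        "sensitive": True,  "last_scan": datetime(2015, 8, 1)},
    {"name": "public-site", "sensitive": False, "last_scan": None},
]


def accounts_to_disable(accounts, now):
    """IA-4: enabled accounts whose last login is more than 90 days before `now`."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and now - a["last_login"] > INACTIVITY_LIMIT)


def password_change_allowed(account, now):
    """IA-5: a new password may be set only once the current one is at least 24 hours old.
    This is the check a self-service password change would apply before accepting the request."""
    return now - account["password_set"] >= MIN_PASSWORD_AGE


def overdue_scans(systems, now):
    """RA-5: sensitive systems never scanned, or last scanned more than 90 days before `now`.
    Non-sensitive systems are outside the scope of the control and are skipped."""
    return sorted(s["name"] for s in systems
                  if s["sensitive"] and (s["last_scan"] is None or now - s["last_scan"] > SCAN_INTERVAL))


def compliance_report(accounts, systems, now):
    """Summarise every exception found against the three thresholds."""
    return {
        "disable": accounts_to_disable(accounts, now),
        "password_too_young": sorted(a["user"] for a in accounts if not password_change_allowed(a, now)),
        "scan_overdue": overdue_scans(systems, now),
    }


if __name__ == "__main__":
    print(compliance_report(ACCOUNTS, SYSTEMS, AS_OF))
```

Run as a script the report lists bob for disabling (last login 123 days earlier), alice as too recent a password change to permit another, and the SSWS as overdue for a vulnerability scan; a scheduled job that produces an empty report is the evidence an auditor would look for that the control is operating.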

The Auditor of Public Accounts reported that VDOE had not adequately documented some of
the system control processes and found no evidence that the system controls were adequate. For
example, for the Information Technology System and Data Sensitivity Classification system
control area, VDOE did not scan all sensitive systems for vulnerabilities. Based on our review of
the corrective action plan, the System Security Plan, and VDOE’s policies and procedures,
VDOE has not adequately addressed the findings to ensure that the system controls meet the
minimum State standards.

State and Federal Requirements for Protection of Personally Identifiable Information
According to the 2007 SLDS Request for Grant Applications, the grantee must ensure
confidentiality of students in accordance with relevant legislation. In addition, VDOE’s
2009 approved Recovery Act application stated that VDOE would implement security controls in
accordance with Virginia’s Information Security Standards. Virginia’s ITRM Standards require
VDOE to ensure it has appropriate system controls for its sensitive data systems. Since both the
VLDS and the SSWS were classified as sensitive systems for our audit period, VDOE must
ensure these systems meet ITRM Standards.

Based on our review of the security audits, related policies and procedures, and corrective action
plan for the SSWS, we concluded that VDOE had weak system controls to prevent and detect
unauthorized access and disclosure of information in the SSWS. In April 2015, we were
provided with the corrective action plan dated March 2015, for the May 2014 and
June 2014 audits of the SSWS. During the exit conference, which was held in September 2015,
VDOE stated it updates its corrective action plan quarterly and was working on updating the
System Security Plan for the SSWS. We requested the updates to the corrective action plan and
the System Security Plan; however, VDOE did not provide us with any updated documentation
to support these assertions.

Due to the system control weaknesses, the SSWS is at an increased risk of a breach. The SSWS
contains personally identifiable information, and there is a heightened risk that personally
identifiable information is not adequately protected. Therefore, VDOE must ensure it has met
the required State minimum security requirements. By not implementing the proper system
controls, VDOE was not in compliance with its SLDS grant requirements covering system
security.

Recommendations

We recommend that the Director of Institute of Education Sciences work with VDOE to—

   1.1 Implement the system controls identified in the ITRM Standards to ensure the prevention
       and detection of unauthorized access and disclosure of information in the SSWS.
   1.2 Take appropriate action to determine whether a breach has occurred in the SSWS and if
       breaches are identified, report and respond to the breaches in accordance with VDOE’s
       policy and procedures.

   1.3 Address all outstanding recommendations related to the security and Auditor of Public
       Accounts audits, and require SSWS to meet minimum State security standards.

VDOE Comments

In its response to the draft report, VDOE requested all findings related to the SSWS be removed
from the report. VDOE stated that the scope of the audit was extended beyond the stated
purpose to include VDOE’s SSWS application portal (exposure database), which is not part of
the SLDS and was not developed using SLDS funds.

VDOE identified the VLDS as its SLDS in its response to the draft report. VDOE provided the
Office of Inspector General (OIG) with an email stating that VDOE had reclassified the VLDS
from sensitive to non-sensitive on October 8, 2015. VDOE stated that it did not receive any
additional communication until the draft report was issued and, as a result, reasonably concluded
that the audit had been rescinded as the VLDS was not classified as a sensitive system.

VDOE also stated that the OIG incorrectly concluded that its SLDS consists of the VLDS and
other State systems that contain personally identifiable information, including the SSWS. It
stated that the VLDS and the SSWS are separate and distinct systems.

In addition, VDOE included a list of factual inaccuracies it believes were contained in the draft
report. For example, VDOE stated that there have been no reported breaches in the VLDS and
the breaches discussed in the “Objective, Scope, and Methodology” section were not related to
VDOE. Also, VDOE stated that it used state funds, not Federal grant funds, to develop the
SSWS.

VDOE also expressed concern with certain information contained in the draft report. The full
text of VDOE’s comments on the draft report is included as Attachment 3 of the report.

OIG Response

We agree that the VLDS and SSWS are distinct systems, but they comprise (along with other
State systems) the larger SLDS. The description in our report of how the systems are connected
was paraphrased from the Websites of the VLDS and the VDOE, and the VLDS Exposure
Database Guidelines. Therefore, we did not remove the finding, but did make changes to the
report for clarity as a result of VDOE’s response.
The 2009 Institute of Education Sciences approved grant application stated that VDOE would
create a longitudinal data linking and reporting system with the ability to link data among State
agency data sources. To accomplish this objective, the approved application explained that state
agencies would continue to house source data in their respective database but that additional
capabilities were going to be developed to store query results, scrub and prepare the data for
linking, and offer and receive data in the desired format. Therefore, VDOE had to create an
exposure database for the SSWS that contained K-12 data, including personally identifiable
information. The SSWS is used when a VLDS query is run. In addition, the Director of the
VLDS stated in an interview that the VLDS went into production in November 2013 and that the
2009 grant funds were used to establish the SSWS exposure database.

Because the SSWS provides data to the VLDS via the exposure database, we determined that the
scope of our audit encompassed whether VDOE protected the personally identifiable information
in the SSWS. We informed the Director of VLDS in March 2015, that our audit work would
include the SSWS and performed audit work on the SSWS because that is where the personally
identifiable information is located for K-12 data. Therefore, we reviewed the security audits of
the system controls for the SSWS to determine whether VDOE had internal controls in place to
prevent, detect, report, and respond to unauthorized access and disclosure of personally
identifiable information, the stated objective of the audit.

At the time of our site visit, VLDS was classified as a sensitive system; therefore, we included
the weaknesses identified in the VLDS’s system security plan as background and not as a finding
in our audit report because it did not contain personally identifiable information. Subsequent to
our exit conference, OIG received an e-mail on October 8, 2015, from VDOE stating that the
VLDS was reclassified from a sensitive to a non-sensitive system and removed from the VDOE
IT Security Plan. No supporting documentation was sent in that e-mail or in response to our
draft audit report.

VDOE stated that the report was inconsistent with the stated purpose of the audit, and incorrectly
included the SSWS as part of its SLDS. For the purpose of the audit, and in consideration of the
statutory definition of an SLDS 3, we determined that Virginia’s SLDS is a system to query data
from other State systems—the VLDS—and other State systems that contain the data, which
include the SSWS exposure database that contains K-12 data, including personally identifiable
information, and other systems containing postsecondary, employment, and other types of data.
Therefore, we included the SSWS in the scope of our audit since that system contains the
personally identifiable information of K-12 student data.

Lastly, OIG disagrees that the audit report contained factual inaccuracies. Attachment 4 of this
report provides our response to the remaining claims of factual inaccuracies pointed out by
VDOE that we have not already addressed.



3
 The Education Science Reform Act of 2002, Title 2, Section 208 of the “Grant Program for Statewide Longitudinal
Data Systems” authorizes the U.S. Department of Education to award grants that enable State agencies to design,
develop, and implement Statewide longitudinal data systems to efficiently and accurately manage, analyze,
disaggregate, and use individual student data.


                  OBJECTIVE, SCOPE, AND METHODOLOGY


Our audit objective was to determine if VDOE has internal controls in place to prevent, detect,
report, and respond to unauthorized access and disclosure of personally identifiable information
in Virginia’s SLDS. During our audit, we learned that the VLDS does not contain personally
identifiable information. However, the SSWS contains personally identifiable information;
therefore, our audit focused on the SSWS portion of the SLDS. Our review covered the VDOE’s
SLDS documentation from May 2014 through September 2015.

To accomplish our objective, we performed the following procedures. We reviewed:

   •   Virginia’s organizational chart and interviewed officials from the VDOE.
   •   VDOE’s security and system documents including:
           o Information Technology Security Policy;
           o Identification and Authentication Policy;
           o Personnel Security Policy;
           o Security Assessment and Authorization Policy;
           o Logical Access Control Policy;
           o Exposure Database Guidelines;
           o System and Communication Encryption Policy;
           o System and Information Integrity Policy;
           o System and Communication Protection Policy;
           o System and Services Acquisition Policy; and
           o the SSWS User Guide.
   •   Impact Makers reports, “Information Technology Security Audit of Virginia Longitudinal
       System,” dated May 2014 and “Information Technology Security Audit of Single Sign-on
       Web Systems,” dated May 2014 and the related corrective action plan.
   •   Virginia Auditor of Public Accounts’ 2014 Department of Education Audit and the
       related corrective action plan.
   •   The VLDS and SSWS System Security Plans for evidence of the resolution of audit
       findings.
   •   VDOE’s approved SLDS grant applications for 2007 and the Recovery Act.
   •   The Institute of Education Sciences’ annual and final performance reports for Virginia’s
       SLDS grants.

Virginia is one of three States we selected for a series of planned audits to assess how States’
Longitudinal Data Systems protect personally identifiable information. We judgmentally
selected the three States based on the following characteristics: total amount of SLDS funding,
status and extent of grant program participation, and the State’s number of reported education
system data breaches. The data breaches included any education system breaches that the
Identity Theft Resource Center reported. The breaches did not specifically identify the VLDS
and the SSWS. The Identity Theft Resource Center is a nonprofit organization that serves as a
national resource on consumer issues related to cyber security, data breaches, social media,
fraud, scams, and other issues. We selected Virginia because it received more than $5 million in
SLDS funding, had two SLDS grants that were closed, and the Identity Theft Resource Center
reported that Virginia had more than three breaches in educational systems.4 In addition, we
selected Virginia because the Institute of Education Sciences stated that Virginia was a model
State for protecting personally identifiable information in their SLDS.

We conducted a site visit at VDOE’s office in Richmond, Virginia, during the week of
March 23, 2015. We held an exit conference with VDOE on September 24, 2015, to discuss the
results of the audit. We also had a follow-up discussion with VDOE on October 1, 2015.

We assessed the internal controls concerning the protection of personally identifiable
information in the VLDS and the SSWS. We assessed VDOE’s system control activities
through inquiries of Virginia personnel; review of written policies, procedures, and
documentation; and an analysis of prior audit reports and follow-up on the
recommendations included in those reports. Because it did not relate to our audit
objective, we did not obtain any data from the VLDS or the SSWS, so we did not assess
the reliability of data in those systems. We identified weaknesses in the auditee’s SSWS
internal controls, which we fully discuss in the audit findings.

The internal controls pertinent to our audit objective were also reviewed by other
auditors. Our report, as it relates to VDOE’s controls to protect personally identifiable
information in the SSWS, was based, in part, on the reports of other auditors. Based on
our review of the auditors’ qualifications and the audit reports, we determined that the
auditors were independent of VDOE and the scope of the work performed was
sufficiently reliable as it related to our audit objective.

We conducted this performance audit in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions
based on our audit objectives. We believe that the evidence obtained provides a reasonable basis
for our findings and conclusions based on our audit objectives.




                                 ADMINISTRATIVE MATTERS


Statements that managerial practices need improvements, as well as other conclusions and
recommendations in this report, represent the opinions of the Office of Inspector General.
Determinations of corrective action to be taken will be made by the appropriate Department of
Education officials.


4 The Identity Theft Resource Center did not identify breaches related to the VLDS.
If you have any additional comments or information that you believe may have a bearing on the
resolution of this audit, you should send them directly to the following Department of Education
official, who will consider them before taking final Departmental action on this audit:

                              Ruth Neild
                              Deputy Director of Policy and Research
                              Institute of Education Sciences
                              U.S. Department of Education
                              555 New Jersey Ave, NW
                              Room 500e
                              Washington, DC 20208-5500


It is the policy of the U.S. Department of Education to expedite the resolution of audits by
initiating timely action on the findings and recommendations contained therein. Therefore,
receipt of your comments within 30 calendar days would be appreciated.

In accordance with the Freedom of Information Act (5 U.S.C. §552), reports issued by the Office
of Inspector General are available to members of the press and general public to the extent
information contained therein is not subject to exemptions in the Act.

                                             Sincerely,

                                             /s/

                                             Daniel Schultz
                                             Regional Inspector General for Audit
Attachments

           Attachment 1: Acronyms, Abbreviations, and Short Forms
                            Used in This Report
EIMS                         Educational Information Management System

ITRM Standards               Virginia’s Information Technology Resource Management
                             Standards SEC501-08

OIG                          Office of Inspector General

Recovery Act                 American Recovery and Reinvestment Act

SLDS                         Statewide Longitudinal Data System

SSWS                         Single Sign-on Web System

VDOE                         Virginia Department of Education

VITA                         Virginia Information Technologies Agency

Virginia                     Commonwealth of Virginia

VLDS                         Virginia Longitudinal Data System

  Attachment 2: Minimum Information Technology Resource Management
                Standards Not Met by VDOE for the VLDS
Table 3. Missing Required System Controls for VLDS

Control Area: Risk Assessment
ITRM 501-08 Sections: Section 6.2 and RA-5
Control: VDOE did not ensure a risk assessment was performed at least every 3 years and did not
ensure a vulnerability scan was performed at least every 90 days.

Control Area: System and Communication Protection
ITRM 501-08 Sections: SC-28
Control: The data stored in the VLDS was not encrypted while sitting idle.

Control Area: Access Control
ITRM 501-08 Sections: AC-7
Control: VDOE did not limit the number of invalid access attempts to an account in the VLDS.

Control Area: Identification and Authentication
ITRM 501-08 Sections: IA-4 and IA-5
Control: VDOE did not ensure passwords were refreshed every 90 days and did not disable accounts
after 90 days of inactivity. VDOE did not ensure that the VLDS passwords had a minimum and
maximum lifetime, and were not limited to a reuse of 24 generations.

Control Area: Security Assessment and Authorization
ITRM 501-08 Sections: CA-3
Control: VDOE did not document the VLDS’ connections to other information systems.
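The controls in Table 3 translate directly into checks an administrator can script against a system's configuration and account inventory. The following is an added example, not code from VDOE, OIG or the report: it evaluates a constructed policy snapshot and account list against the intervals and thresholds the table lists (3-year risk assessment, 90-day scans, password age and inactivity, 24-generation reuse history, lockout on invalid attempts, encryption at rest, documented connections). The SystemPolicy and Account field names are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Constructed example: field names are hypothetical; thresholds are those listed in Table 3.
THREE_YEARS = timedelta(days=3 * 365)   # risk assessment interval (Section 6.2 / RA-5)
NINETY_DAYS = timedelta(days=90)        # vulnerability scans, password age, inactivity
PASSWORD_HISTORY_MIN = 24               # generations before a password may be reused (IA-5)

@dataclass
class SystemPolicy:
    last_risk_assessment: Optional[date]  # None: never performed
    last_vuln_scan: Optional[date]        # None: never performed
    data_at_rest_encrypted: bool
    lockout_threshold: Optional[int]      # None or 0: invalid attempts are unlimited
    password_min_age_days: Optional[int]  # None: no minimum lifetime configured
    password_max_age_days: Optional[int]  # None: no maximum lifetime configured
    password_history: int
    connections_documented: bool

@dataclass
class Account:
    name: str
    password_set: date
    last_login: date
    enabled: bool = True

def audit_policy(p: SystemPolicy, today: date) -> list:
    """Return (control, issue) pairs for every Table 3 system-level control the policy misses."""
    stale = lambda d, limit: d is None or today - d > limit
    checks = [
        (stale(p.last_risk_assessment, THREE_YEARS), "RA-5", "risk assessment not performed within 3 years"),
        (stale(p.last_vuln_scan, NINETY_DAYS), "RA-5", "vulnerability scan not performed within 90 days"),
        (not p.data_at_rest_encrypted, "SC-28", "data at rest is not encrypted"),
        (not p.lockout_threshold, "AC-7", "invalid access attempts are not limited"),
        (p.password_min_age_days is None or p.password_max_age_days is None,
         "IA-5", "passwords lack a minimum and maximum lifetime"),
        (p.password_history < PASSWORD_HISTORY_MIN, "IA-5", "password reuse not limited to 24 generations"),
        (not p.connections_documented, "CA-3", "connections to other systems are not documented"),
    ]
    return [(control, issue) for failed, control, issue in checks if failed]

def audit_accounts(accounts, today: date) -> list:
    """Return (account, control, issue) for enabled accounts past the 90-day password or inactivity limit."""
    findings = []
    for a in (x for x in accounts if x.enabled):
        if today - a.password_set > NINETY_DAYS:
            findings.append((a.name, "IA-5", "password not refreshed within 90 days"))
        if today - a.last_login > NINETY_DAYS:
            findings.append((a.name, "IA-4", "inactive more than 90 days but still enabled"))
    return findings
```

Disabled accounts are skipped on purpose: IA-4 asks that inactive accounts be disabled, so an already disabled account is compliant rather than a finding.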

          Attachment 3: VDOE’s Comments on the Draft Report

    Attachment 4: OIG Response to VDOE’s claim of Factual Inaccuracies

Table 4. OIG Response

Inaccuracy according to VDOE: The EIMS was state-funded, not federal grant-funded.
OIG response: Based on information we were provided by VDOE we determined that SLDS funds were
used for the EIMS. As stated in the report the 2007 SLDS grant funds were used to improve the
EIMS. VDOE’s 2007 Institute of Education Sciences approved grant application states that “VDOE
proposes to add two products from Triand Incorporated, easyCONNECT and easySTUDENT to the
existing decision support tools provided by the EIMS program.”

Inaccuracy according to VDOE: The EIMS was not developed to meet the data collection and
reporting requirements of the No Child Left Behind Act of 2001. The data collection and reporting
requirements of the No Child Left Behind Act of 2001 were completed by 2003, well before VDOE
received the SLDS grant.
OIG response: We reviewed VDOE’s 2007 Institute of Education Sciences approved grant
application, which states: “[t]he VDOE is entering the fourth year of development of its Student
Information Program; the core of the program is the EIMS. The EIMS is Virginia’s solution to
meeting the data collection and reporting requirements of the No Child Left Behind Act of 2001,
leveraging the data requirements to provide rich decision support tools to Virginia school district
personnel.”

Inaccuracy according to VDOE: The EIMS was not a predecessor to the SSWS, it was a separate
system developed after the SSWS. The SSWS predates the EIMS by a number of years. The SSWS
is not populated with data from the EIMS.
OIG response: OIG was informed by the Director of the VLDS, in March 2015 that the EIMS was a
predecessor system to the SSWS, and the SSWS was populated with data from the EIMS. However,
for the final report we have deleted the footnote that contained the information.

Inaccuracy according to VDOE: The EIMS has been retired and is no longer in production.
OIG response: We agree that the EIMS is retired. As stated in the draft report, the EIMS ceased
operation on July 1, 2014, when the vendor’s contract expired.

Inaccuracy according to VDOE: The fiscal year 2009 grant was not used to make improvements to
the EIMS.
OIG response: We obtained a document dated May 2, 2013 from VDOE’s website, which states:
“[t]he development of VLDS was funded through a Longitudinal Data Systems Grant awarded to
Virginia under the American Recovery and Reinvestment Act of 2009. The federal grant allowed
the commonwealth to build on VDOE’s state-funded EIMS and put additional high quality data
into the hands of teachers, administrators, researchers, policymakers and the public — while
safeguarding the privacy of students and adults.”

Inaccuracy according to VDOE: The VDOE has not reported any system breaches in the VLDS
because there have not been any. The data breaches referenced in footnote #4 of the audit report
are not related to VDOE and should be removed from the audit report.
OIG response: We did not state that data breaches reported by the Identity Theft Resource Center
impacted the VLDS or SSWS. We further clarified in the final audit report the information
obtained from the Identity Theft Resource Center was only used to help the OIG select states to
be audited and was not of VLDS.