UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL AUDIT SERVICES New York/Dallas Audit Region September 27, 2016 Control Number ED-OIG/A02P0007 Dr. Salam Noor Deputy Superintendent of Public Instruction Oregon Department of Education 255 Capitol St. NE Salem, OR 97310 Dear Dr. Noor: This final audit report, “Protection of Personally Identifiable Information in Oregon’s Statewide Longitudinal Data System,” presents the results of our audit. The purpose of the audit was to determine whether the Oregon Department of Education (ODE) has internal controls in place to prevent, detect, report, and respond to unauthorized access and disclosure of personally identifiable information in its Statewide Longitudinal Data System (SLDS). Our review covered ODE’s internal controls from June 2015 through January 2016. BACKGROUND The Institute of Education Sciences administers the SLDS grant program and monitors grantee progress toward meeting the final goals of their approved grant applications. The grant program supports the design, development, and implementation of statewide longitudinal data systems. These systems are intended to enhance the ability of States to efficiently and accurately manage, analyze, and use education data and facilitate analysis and research to improve student academic achievement. The Institute of Education Sciences awarded three SLDS grants to ODE. In fiscal year 2007, ODE was awarded $4,705,977 for a project referred to as the Direct Access to Achievement project. The purpose of this project was to improve data quality by training teachers and other users how to use data maintained in ODE’s SLDS to improve student performance. In fiscal year 2009, ODE was awarded $3,696,615 for a project referred to as the Oregon Formative Assessment Resources project. This project funded curriculum developed at the University of Oregon to train new teachers on how to use data more effectively. ODE also used the project funding to relocate server equipment to the University of Oregon and to implement the Easy The Department of Education's mission is to promote student achievement and preparation for global competitiveness by fostering educational excellence and ensuring equal access. Final Report ED-OIG/A02P0007 Page 2 of 18 Curriculum Based Measurements1 formative assessments system. Also in fiscal year 2009, ODE was awarded $10,475,997 in American Recovery and Reinvestment Act funds for a project referred to as the Advancing Longitudinal Data for Educational Reform project. ODE used this project funding to (1) train users to improve data quality, (2) create a link between data on students and teachers, (3) create an early learning/prekindergarten data system, and (4) create an identity resolution system that could link student achievement data with achievement data from higher education and workforce data. ODE’s Director of Enterprise Systems stated that ODE did not have an SLDS during the time of our audit. However, we determined that ODE did have an SLDS system in place during our audit period that ODE applied SLDS grant funds to enhance. The National Forum of Education Statistics2 defines an SLDS as a data system that collects and maintains detailed, high-quality, student and staff level data that are linked across entities and over time, providing a complete academic and performance history for each student and that makes these data accessible through reporting and analysis tools.3 According to this definition, and for the purpose of this audit, we determined that ODE’s Consolidated Collection System (CCS), its existing kindergarten through twelfth grade State database system, was Oregon’s SLDS. In June 2011, at the request of Oregon’s Governor, the Oregon Education Investment Board was created to provide an integrated, statewide, student-based data system that monitors expenditures and outcomes to determine the return on statewide education investments. ODE’s Support Service Director stated that in July 2015, ODE transferred control over continued development of an early childhood through postsecondary education SLDS to the Oregon Education Investment Board.4 The CCS will remain with ODE and house kindergarten through twelfth grade student data and transmit data to the SLDS. ODE’s Support Service Director stated that ODE was unaware of when the Oregon Education Investment Board would complete Oregon’s early childhood through postsecondary education SLDS. ODE developed its CCS in the 2003–2004 school year, before receiving its first SLDS grant in 2007. SLDS grant funds were used to provide professional development to enhance CCS stakeholders’ use of data and create a link between data on students and teachers within CCS. The CCS contains 81 data stores that contain personally identifiable information and comprise different categories of student data such as math performance, reading performance, graduation rates, and discipline incidents. District staff use the central login on ODE’s Web site to access the CCS and enter or view data. The district staff receives login access to the ODE District Web site and permissions to district data from the district security administrator, whom the district superintendent appoints. The district security administrator can provide district staff with the ability to view all data records for the entire district or specific school or can disable an account, 1 Easy Curriculum Based Measurements is a data warehouse system that allows districts to control exchange of student demographic information and State assessment scores. 2 The National Forum of Education Statistics is a component of the National Cooperative Education Statistics System that was established by the National Center for Education Statistics. The National Center for Education Statistics is a component of the Institute of Education Sciences. 3 The Education Sciences Reform Act of 2002, Title 2, Section 208 of the “Grant Program for Statewide Longitudinal Data Systems” authorizes the U.S. Department of Education to award grants that enable State agencies to design, develop, and implement Statewide longitudinal data systems to efficiently and accurately manage, analyze, disaggregate, and use individual student data. 4 The Oregon Education Investment Board was renamed the “Chief Education Office” in July 2015. Final Report ED-OIG/A02P0007 Page 3 of 18 preventing a user from accessing district data. In addition, the district security administrator can give users access to read, insert, update, and delete data. According to ODE’s District Security Administrator User Guide, district security administrators are to give the least permission assignments needed for each person to do his or her job. Activities within the system are tied to individual users. District security administrators are required to ensure that staff who have been granted access to the central login have a signed permission form and confidentiality agreement on file. The ODE research office uses information from the 81 data stores to perform research projects. ODE also allows external researchers, such as university staff, to perform research projects with the data from the CCS. Each external requester must fill out a standard external research form, which has two parts: (1) a description of the project and the type of data being requested and (2) data handling and security requirements. ODE’s Data Governance Committee approves or denies research requests. External requesters must also sign a confidentiality agreement stating that the researcher cannot disclose personally identifiable information for any purpose other than those stated in the request. The ODE research office assembles the data and sends it to the external requester using a secure file transfer. The assistant superintendent for research and data analysis stated the system uses secure student identification numbers to link students across data sets and time. While the research agreement states an external requester may receive personally identifiable information, the assistant superintendent for research and data analysis stated ODE does not give out specific information such as Social Security numbers, names, and addresses when responding to research requests. AUDIT RESULTS Our audit objective was to determine whether ODE has internal controls in place to prevent, detect, report, and respond to unauthorized access and disclosure of personally identifiable information in its SLDS. To answer our objective, we reviewed ODE’s CCS, a kindergarten through twelfth grade SLDS containing students’ personally identifiable information that ODE enhanced with SLDS grant funds. We identified a lack of documented internal controls in the CCS that increases the risk that ODE will be unable to prevent or detect unauthorized access and disclosure of personally identifiable information. Specifically, we found that ODE did not ensure that the CCS met the minimum requirements in Oregon’s Department of Administrative Services (DAS) State Standards, which require the system controls and documentation of those controls. Since ODE did not meet the minimum State requirements, ODE was not in compliance with the Institute of Education Sciences SLDS grant requirements. In addition, ODE has policies and procedures that address reporting and responding to unauthorized access and disclosure of personally identifiable information in its data system. However, we could not determine whether the procedures were effective because ODE has not reported any system breaches in the CCS. Final Report ED-OIG/A02P0007 Page 4 of 18 In its comments to the draft report, ODE stated that since the audit was conducted, the Office of Information Technology had a change of leadership and that it had identified additional information that was not previously provided at the time of the audit. ODE did not concur with the finding that the CCS did not meet minimum State system security requirements. ODE stated that an Information Security Plan was implemented in December 2010 and incorporated into its 2010 Information Security Policy. In addition, ODE stated its Internal Auditor conducted annual risk assessments every year except 2015. Lastly, ODE stated that it handles data stored in the CCS as level 3 in accordance with its Information Asset Classification policy. We reviewed the additional information and determined that ODE did not provide sufficient evidence to support that it implemented an Information Security Plan, conducted annual risk assessments, and classified security levels of the CCS as level 3. See Attachment 3 for OIG’s response to each of the documents ODE provided. Although ODE did not concur with the finding, it agreed with our recommendations and identified actions it has taken or plans to take to address them. We summarize ODE’s comments and our response at the end of the finding and provide the full text of ODE’s comments in Attachment 2. We did not make any changes to the finding based on ODE’s comments. FINDING NO. 1 – The Consolidated Collection System Did Not Meet Minimum State System Security Requirements We found that ODE did not ensure that the CCS met the minimum system security requirements in DAS State Standards. ODE did not develop and implement an Information Security Plan, conduct annual risk assessments, and classify the security levels of the CCS as required by DAS standards. The Information Security Plan is the foundation of information security and identifies the appropriate security controls over agency data systems. Also, as part of an Information Security Plan, ODE was required to conduct an annual risk assessment and classify the security levels of system assets. Annual risk assessments are a critical control designed to identify, quantify, and prioritize risks against criteria established by ODE for risk acceptance and objectives. The results determine appropriate actions and priorities for managing information security risks and for designing and implementing controls that protect information assets. Information asset classification is critical to ensure that information assets have a level of protection corresponding to the sensitivity and value of the information asset. Because ODE did not design and implement these key controls, it had significant weaknesses in its system controls designed to prevent and detect unauthorized access and disclosure of personally identifiable information in the CCS. ODE’s Chief Information Security Officer stated that he is the only staff member at ODE who works on the security of the system and that ODE needs a full-time security person to ensure ODE meets all security requirements and policies. We determined that this staffing shortage is a contributing factor to ODE’s control measures we noted. Before our audit, ODE had not developed and implemented an Information Security Plan as required by DAS. ODE’s Chief Information Security Officer stated that he was aware of the deficient security measures but did not have the necessary staff to create an Information Security Plan. As a result of our audit, ODE created an Information Security Plan, signed January 20, 2016, that ODE’s interim chief information officer provided to us. However, the Information Security Plan noted several controls were currently not in place and that ODE was developing plans to implement new controls throughout 2016. For example, controls currently not in place include implementing software to detect unauthorized access, documenting malware response procedures and training Final Report ED-OIG/A02P0007 Page 5 of 18 staff on them, and assigning security level classifications of information assets. Because these controls are not yet in place, ODE did not have software to monitor accounts for unusual activity and alert systems administrators or automatically mitigate potentially malicious behavior. ODE purchased this software in January 2016 and plans to implement it in 2016. Because ODE has not performed an annual risk assessment, we could not be certain that the controls listed in ODE’s January 20, 2016, Information Security Plan were appropriate. ODE did not conduct the required annual risk assessments nor did it classify the security levels of system assets as required by DAS. When asked about the required annual risk assessments, the Chief Information Security Officer stated that ODE had not conducted any risk assessments of the CCS. ODE’s Support Service Director stated that ODE started a project plan to classify security levels of data in July 2012; however, ODE did not fund the plan because the projected cost was greater than anticipated. According to the 2007 and 2009 SLDS requests for grant applications, grantees were required to ensure the confidentiality of students in accordance with relevant State legislation. In its fiscal year 2007 and 2009 SLDS grant applications, ODE stated it will ensure the confidentiality of student records by following Oregon Revised Statutes and Oregon Administrative Rules. Oregon Revised Statute 182.122 requires agencies to follow information security standards, policies, and procedures established by DAS. Based on the evidence above, we found that ODE not only failed to document and perform the minimum State system security controls to detect and prevent unauthorized access and disclosure of personally identifiable information in its SLDS, but also did not comply with State regulations as it assured it would do in its fiscal year 2007 and 2009 SLDS grant applications.5 According to DAS Policy 107-004-052, each agency must develop and implement an Information Security Plan, policies and procedures that protect its information assets from the time of creation through useful life and through proper disposal. Additionally, DAS Policy 107-004-050 states that each agency must identify and classify its information assets. Agencies must implement proper levels of protection to protect these assets relative to the classifications. Each information asset classification should have a set or range of controls, designed to provide the appropriate level of protection of the information proportionate with the value of the information in that classification. In addition, the DAS Information Security Plan for the State of Oregon, September 2009, requires each agency to conduct an annual risk assessment in accordance with the International Organization for Standardization 27001. After identifying risks, agencies must apply the appropriate controls to their information and information systems security. By not previously developing and implementing an Information Security Plan, ODE did not ensure that it met the assurances provided in its SLDS grant applications that it would comply with DAS information security policies, standards, and processes. Until ODE fully implements its Information Security Plan, conducts an annual risk assessment, and classifies security levels of information assets, ODE will not be fully aware of the system vulnerabilities in its CCS and 5 The Uniform Administrative Requirements in Title 2, Code of Federal Regulations, replaced Title 34, Code of Federal Regulations, for new and continuation awards that the Department issued on or after December 26, 2014, and also consolidated requirements contained in a number of Office of Management and Budget circulars. The Uniform Administrative Requirements are not applicable to our audit because our audit covered SLDS grants that were awarded before the effective date. Final Report ED-OIG/A02P0007 Page 6 of 18 will continue to lack information that can guide it in determining controls it needs to protect information assets. As such, ODE is at an increased risk of a breach and may not be aware if breaches have occurred to its CCS, which could compromise the personally identifiable information of students in the State of Oregon. Recommendations We recommend that the Director of the Institute of Education Sciences work with ODE to— 1.1 Ensure the system controls identified in ODE’s Information Security Plan are implemented to detect and prevent unauthorized access and disclosure of personally identifiable information in its CCS. 1.2 Conduct annual risk assessments and classify security levels of data in the CCS, and ensure the CCS meets minimum State security standards. 1.3 Take appropriate action to determine whether a breach occurred in the CCS, and if breaches are identified, report and respond to the breaches in accordance with ODE’s policy and procedures. ODE Comments ODE did not concur with our finding and stated that it had identified additional information that was not previously provided during our audit. However, ODE agreed with the recommendations and stated that they were entirely reasonable and representative of good security practices. ODE stated that its first Information Security Plan was implemented in December 2010 in accordance with DAS requirements. It stated that ODE incorporated the required elements of a DAS Information Security Plan into its 2010 Information Security Policy. ODE stated that the controls identified as currently not in place in its Information Security Plan, dated January 20, 2016, are designed to close gaps in existing controls. ODE asserted that activities identified in the plan for the first half of 2016 have been completed and that the remaining activities are scheduled to be completed by the end of 2016. In addition, ODE stated DAS did not, in their information security plan guidance, require that agencies conduct a risk assessment prior to writing a security plan. ODE stated that DAS required that agencies include in their Information Security Plan a way to conduct an annual risk assessment and it is included in its 2010 Information Security Policy. ODE stated that its Internal Auditor has conducted annual independent risk assessments every year except 2015. ODE provided its Internal Audit Charter policy to demonstrate that the Internal Auditor may conduct risk assessments. Also, ODE stated that it hired Microsoft in 2011–2012 to conduct a risk assessment of the SQL environment in which the CCS is built and maintained. ODE provided an executive summary, dated May 2011, of the risk assessment performed. In addition, ODE provided a list of audits and risk assessments to be completed in 2016. ODE also stated that it handled data in the CCS in accordance with ODE Policy 581-309, Information Asset Classification. ODE stated that the policy specifies the classification level of Final Report ED-OIG/A02P0007 Page 7 of 18 data for student information, including data stored in the CCS, as level 3. ODE stated that all ODE databases containing student information are handled in accordance with level 3 requirements. ODE claimed that it classified data based on the type of data, and it identified and implemented handling standards based on the classification level. To support the classification of data in the CCS, ODE provided its Information Asset Classification policy and a project plan summary. Lastly, ODE stated that information security staffing has increased since November 2015 from one full-time employee to 3.75 full-time employees. The full text of ODE’s comments on the draft report is included as Attachment 2 of the report. OIG Response We reviewed the additional information that ODE provided and determined that the documentation was insufficient to support ODE’s contention that it had implemented an Information Security Plan, conducted required risk assessments, and identified and properly classified information assets. Despite multiple requests for documentation throughout our audit as well as at an exit briefing where we confirmed our findings with ODE officials, no ODE official had claimed that an Information Security Plan was created and implemented, annual risk assessments were performed, or information asset classification had been properly conducted. In ODE’s response to our draft report it is now claiming to have complied with DAS standards, but only provided policies with no evidence that these activities had been carried out. Therefore, we did not make any changes to the finding based on ODE’s comments. Specifically, we disagree that ODE’s 2010 Information Security Policy qualifies as an Information Security Plan in accordance with DAS standards. While ODE stated in its response that its first Information Security Plan was implemented in 2010, the Chief Information Security Officer informed us during our audit that ODE did not have an Information Security Plan. We had previously been provided ODE’s policy, and it lacks many components of an Information Security Plan. For example, DAS standards stated that an Information Security Plan should include, among other things, safeguards to detect, prevent, and respond to attacks or system failures, to identify reasonably foreseeable internal and external risks, and to assess the risks in network and software design. ODE’s 2010 Information Security Policy did not contain these fundamental safeguards, among others. While ODE had policies for conducting risk assessments, it did not provide any documentation that any of the required annual risk assessments for 2014 and prior years were conducted. While ODE stated in its response that it conducted annual risk assessments with the exception of the 2015 year, the Chief Information Security Officer informed us during our audit that annual risk assessments had not been performed. ODE provided policy documents on how risk assessments were to be conducted along with its response to our draft report, but produced no evidence that annual risk assessments were conducted. Furthermore, ODE did not provide documentation to support its assertion that it had classified security levels of data in CCS. According to DAS Policy 107-004-050, Information Asset Classification, each agency will identify and classify its information assets. ODE provided the 2010 Information Asset Classification policy and a summary of an information asset classification project to support that information stored in the CCS is handled as level 3. Final Report ED-OIG/A02P0007 Page 8 of 18 However, the policy and project summary was for information assets in general at ODE and was not specific to the CCS. ODE did not provide documentation that data in CCS was classified as level 3. Attachment 3 provides a more detailed assessment of the additional documentation ODE provided in response to the draft report to support it had an Information Security Plan in place since 2010, conducted annual risk assessments, and classified security levels of the CCS as level 3. OBJECTIVE, SCOPE, AND METHODOLOGY Our audit objective was to determine whether ODE has internal controls in place to prevent, detect, report, and respond to unauthorized access and disclosure of personally identifiable information in its SLDS. Our review covered ODE’s internal controls from June 2015 through January 2016. To accomplish our objective, we interviewed officials from ODE and reviewed ODE’s organizational charts, ODE SLDS approved grant applications, the Institute of Education Sciences’ Final Performance Report Reviews for the Oregon 2007 and 2009 SLDS grants and the Annual Performance Report Review for the American Recovery and Reinvestment Act SLDS grant, and ODE’s policies and procedures over information technology system security and breach response. Oregon is one of three States we selected for a series of audits to assess how States’ SLDS protect personally identifiable information. We judgmentally selected three States based on the following characteristics: (1) total amount of SLDS funding, (2) status and extent of grant program participation, and (3) the State’s number of reported education system data breaches. The data breaches included any education system breaches that the Identity Theft Resource Center reported. The Identity Theft Resource Center is a nonprofit organization that serves as a national resource on consumer issues related to cyber security, data breaches, social media, fraud, scams, and other issues. Breaches the Identity Theft Resource Center reported did not specifically identify the CCS. We selected Oregon because it received more than $5 million in SLDS funding, two of its three grants were closed, and it had three breaches related to educational systems. We conducted a site visit at ODE’s office in Salem, Oregon, during the week of June 9, 2015. We held an exit conference with ODE on January 6, 2016, to discuss the results of the audit. We assessed the internal controls designed for the protection of personally identifiable information in the SLDS. We assessed ODE’s system control activities through inquiries of Oregon personnel and review of written policies and procedures and documentation. We did not Final Report ED-OIG/A02P0007 Page 9 of 18 assess the reliability of data in the SLDS systems because the data did not relate to our audit objective. We identified a lack of documented internal controls, which we fully discuss in the audit findings. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. ADMINISTRATIVE MATTERS Statements that managerial practices need improvements, as well as other conclusions and recommendations in this report, represent the opinions of the Office of Inspector General. Determinations of corrective action to be taken will be made by the appropriate Department of Education officials. If you have any additional comments or information that you believe may have a bearing on the resolution of this audit, you should send them directly to the following U.S. Department of Education official, who will consider them before taking final Departmental action on this audit: Ruth Neild Deputy Director of Policy and Research Delegated Duties of the Director Institute of Education Sciences U.S. Department of Education 400 Maryland Avenue SW Room 4109 Washington D.C. 20202 It is the policy of the U.S. Department of Education to expedite the resolution of audits by initiating timely action on the finding and recommendations contained therein. Therefore, receipt of your comments within 30 calendar days would be appreciated. In accordance with the Freedom of Information Act (5 U.S.C. § 552), reports issued by the Office of Inspector General are available to members of the press and general public to the extent information contained therein is not subject to exemptions in the Act. Sincerely, /s/ Daniel Schultz Regional Inspector General for Audit Attachments Final Report ED-OIG/A02P0007 Page 10 of 18 Attachment 1: Acronyms, Abbreviations and Short Forms Used in This Report CCS Consolidated Collection System DAS Department of Administrative Services ODE Oregon Department of Education SLDS Statewide Longitudinal Data System Final Report ED-OJG/A02P0007 Page II of 18 Attachment 2: ODE's Comments on the Draft Report • Q_Kn_t~B_;:~lo !. ' fl.0_0~-vem? -_e_p___nt artme__ _Of_ _E________ dUCation _ _ _ __ Office of the Deputy Superintendent 255 Capitol St NE. Salem. OR 97310 Voice: 503-947-5600 Fax: 503-378-5156 July 8, 2016 Daniel P. Schu ltz Regiona l Inspector General for Audit U.S. Department of Education Office of Inspector General 32 Old Slip, 26th Floor Financial Square New York, NY I 0005 Reference: Audit Control Number ED-OIG/A02P0007 Dear Mr. Schultz, We 've reviewed the draft audit report and have prepared commentS on each of the findings and responses to each recommendation. In the time since the audit was conducted, the Office of Information Technology (OfT) at the Oregon Departmem of Education (ODE) has had a change in leadership. Susie Strangfield is now the Chief Information Officer and Amy McLaughlin is now the Director of IT Operations. After receiving the draft report, and with the institutiona l knowledge Amy McLaughlin brought to her new role, we've identifi ed additional information that was not previously provided at the time of the initial audit. O IG A udit Response Finding No I - The Consolidate Collection System Did Not Meet Minimum State System Security RequirementS ODE does not concur with the finding that the Consolidated Collection System (CCS) did not meet minimum State system security requirementS. Us ing the explanation OIG has provided to explain this finding, ODE has responded below to each point OIG provided to support this finding. I. ODE did not develop and imp lemem an Information Secu rity Plan. ODE clearly demonstrated existing and revised plans that met the Department of Administrative Services requirement for creating an Information Security Plan. The ODE's first Information Security Plan was implemented in December 2010 in accordance with the DAS requiremem at the time and developed using the DAS security plan temp late for guidance. The lnfonnation Security Plan was adopted and identified for action at ODE by incorporating it into ODE's policy structure and assigning it the name Po licy 581 -310 (Information Security Policy). Some of the confusion about this is due to the fact that ODE incorporated the required elementS of a DAS "security plan'' into the policv document 581-3 10. Final Report ED-OIG/A02P0007 Page 12 of 18 Daniel P. Schultz Reference: Audit Control Number ED-OIG/A02P0007 July 8. 2016 Page 2 of 5 The updated Information Security Plan adopted on January 20, 2016 was based on an assessment of ODE's current security controls against the SANS Top 20 and ISO 27002 (industry standards for assessing security in organizations) and included an actionable plan for remediating any areas ofconcern in protecting all ODE systems from unauthorized access or disclosure of personally identifiable information in the CCS or any other ODE systems. OIG indicated that the updated Information Security Plan from January 20, 2016 included controls that were currently not in place. TI1e controls identified in the 2016 plan are those controls that needed to be added to existing controls identified as in place by the '·current state'' designation to close any gaps identified above. Activities identified in the plan that are due in the first half of 2016 have been completed and the rest are on schedule to be completed by the end of 20 16. For example, the controls to implement unauthorized access detection software, documentation of mal ware response procedures. and training of staff have all been completed on or ahead ofschedule. ODE will reassess the current security posture and update the plan for 20 17. The OIG report also indicated that "since an an nual risk assessment has not been performed, we could not be certain that the controls listed in ODE's January 20, 2016 lnfonnation Security Plan were appropriate." The Department of Administrative Services did not, in their information security plan guidance, require that agencies conduct a risk assessment prior to writing a security plan. The Department of Administrative Services recommends that agencies utilize the ISO 27002: 2005 standards as guidance for developing the Information Security Plan. ODE utilized the guidance from ISO 27002:2005 and the SANS Top 20 Recommendations to assess and review ODE's existing security architecture and document in the plan the existing controls under ·•current status'' and the add itional controls to be implemented in 2016 based on the identified schedule. 2. ODE did not conduct an annual risk assessment The Department of Administrative Services requirement is that agencies include in their Information Security Plan a way to conduct nn annual risk assessment. DAS Security Plan Criteria is located at: http;l/www.oregon.gov/das/OSCIO/Documents/criteria.pdf Both the original 20 I0 ODE Information Security Plan and the 2016 ODE Information Security Plan identify how ODE conducts ongoing, annua l and periodic risk assessments. From the 2010 ODE Information Security Policy - "there is an ODE Audit Committee that conducts risk assessments on the larger ODE projects and meets on an as needed basis to review new audits and corrective action plans (CAP) and periodic check-ins on CAP progress. ODE also contracts third party IT security audi tors to assess its information security, and is subject to security audits from DAS and Secretary of State as well.'' Sec copy of the attached Audit Committee Charter. ODE can document annual risk assessments have been conducted ongoing, with the exception of 2015, and additional risk assessments and audits ofspecific areas have occurred over time. Past r isk assessme nts: In compliance with Oregon Law, Chapter 373, in which Internal Auditing became effective June 29. 2005, and Oregon Administrative Rules 125-700-00 10 through 125-700-0065, which define how the law is to be carried out, ODE' s Internal Auditor has conducted an annual independent risk assessment every year exc.ept for 2015. No risk assessment was cond ucted in 20 IS because the Internal Auditor position was not filled at that time. Additionally, ODE hired Microsoft in 2011- 12 to conduct a Risk Assessment of the SOL environment in Final Report ED-OIG/A02P0007 Page 13 of 18 Daniel P. Schultz Reference: Audit Control Number EO.OIG/A02P0007 July 8, 2016 Page 3 ofS which the CCS built and maintained. C urrent risk asses..me11ts: In 2016 ODE is on track to complete the following audits and risk assessments: • Microsoft Risk Assessment as a Service • SQL Risk Assessment on the SQL servers that host the Consolidated Collection System Completed S/2016 • Microsoft Risk Assessment as a Service- Active Directory Risk Assessment Completed 612016 • ODE Internal Auditor's 2016 independent risk assessment· in process • ODE Secretary ofState IT Audit· in process • ODE Secretary of State statewide patch management audit • in process 3. ODE did not classify the security levels of the CCS as required by DAS standards. In 2007, ODE reviewed personally identifiable information (PII) stored in ODE systems and determined that agency would no longer store Social Security Numbers in ODE databases hosting student level data. All Social Security Numbers were purged from ODE databases. Subsequent to the purging of SSNs from ODE databases, ODE has handled all student data, including that in the Consolidated Collection System as level 3 data in accordance with ODE Policy 581-309. ODE adopted Policy 581-309 Information Asset Classification in March 2010, which classifies ODE data based on the functional type of data. The policy specifies the level of data for student information (including that stored in the Consolidated Collections Systems) as level 3. All ODE databases containing student infonnation are handled in accordance with Level 3 handling requirements. Please see excerpt from that policy and the attached ODE Handling Standards: Policy Excerpt: Level 3, "Restricted" - Sensitive information intended for limited business use that may be exempt from public disclosure because, among other reasons, such disclosure will jeopardize the privacy or security of agency employees, clients, partners or individuals who otherwise qualify for an exemption. Information in this category may be accessed and used by internal p8l1ies only when specifically authorized to do so in the performance of their duties. External parties requesting this information for authorized agency business must be under contractual obligation ofconfidentiality with the agency (for example, confidentiality/non-disclosure agreement) prior to receiving it. Security threats at this level include unauthorized disclosure, alteration or destruction of data as well as any violation of privacy practices, statutes or regulations. Information accessed by unauthorized individuals could result in financial loss or identity theft. Security efforts at this level are rigorously focused on confidentiality, integrity and availability. Examples: Student Information, Assessment Test Materials, Network d iagrams, Personally Identifiable Information, completed retirement applications, screen-prints Final Report ED-OIG/A02P0007 Page 14 of 18 Daniel P. Schultz Reference: Audit Control Number ED-OIG/A02P0007 July 8, 2016 Page 4 ofS containing SSN and name, employee and retiree address, telephone and other nonfinancial membership records and employee financial records maintained by ODE, disability information. security audit reports, and other information exempt from public records disclosure. ODE bas classified data based on the type of data and identified and implemented handling standards. Since the CCS contains student information and other related Pll it is handled and protected as a Level 3 asset. 4. The audit identified inadequate staffing as an issue for maintaining the information security program at ODE. At the time of the audit, the security unit was understaffed due to staffing and organizational changes. Staffing of infonnation security bas increased since November 20 IS from I FTE to 3.75 FTE. Recommendatiou: While ODE did not concur with the findings of the audit for the reasons noted above, the recommendations of the audit are entirely reasortable and representative of good security practices. ODE concurs w ith the recommendations and bas identified what actions ODE is taking that align with the recommendations provided. Recommendation 1.1 Ensure the system controls identified in ODE's Information Security Plan are implemented to de~t and prevent unauthorized access and disclosure of personally identifiable information of personally identifiable infonnation in its CCS. ODE Response: ODE agrees with this recommendation. ODE has already implemented, on schedule all the controls identified in the 2016 plan that are scheduled to be completed by July I, 2016 and is continuing to implement other identified controls on schedule. In addition to existing controls, the following controls from the 2016lnformation Security Plan have been fully implemented: • Varonis monitors and detects unauthorized access- implementation completed 412016 • Websense internet filtering upgrade to block known signatures for security risks implementation completed 512016 • Antivirus installation on specific servers implementation completed 112016 Recommendation 1.2 Conduct annual risk assessments and classify security levels of data in the CCS, and ensure the CCS meets minimum State security standards. ODE Response: ODE agrees with this recommendation. As noted in the response to the findings, ODE bas conducted an annual risk assessment every year except 20 IS and ODE bas already conducted three risk assessments in 2016. ODE also currently classifies all student data as level 3 data and protects it as such as noted in the response to the findings, however, ODE will conduct a more granular review of the data elements in the CCS and classify them more specifically. ODE will continue to protect the CCS based on the highest level of classification of the data within the system. In accordance with the ODE Information Security plan and ODE policies, ODE will continue to ensure that CCS meets the minimum State security standards. Final Report ED-OIG/A02P0007 Page 15 of 18 Daniel P. Schultz Reference: Audit Control Numbe r ED-OIG/A02P0007 July 8, 2016 PageS of5 Recommendation 1.3 Take appropriate action to determine whether a breach occurred in the CCS, and if breaches are ident ified. report and respond to the breaches in accordance with ODE's policy and procedures. ODE Response: ODE concurs. ODE continuously maintains its network, servers and systems with current security patching and monitoring tools, and the Office of Information Technology monitors networks and systems for security breaches and responds to alertS that may indicate a potential breach. ODE is continuing to expand our capabi lity in monitoring and responding to security threats. Staffing for security has increased to 3.75 FTE in the last eight months. If there are any additio nal questions or concerns wi th ODE's responses, please contact Susie Strangfield or Amy McLaugh lin. Their contact information is below. Susie Strangfield Ch ief Information Officer 503-947-5705 susic.strangfieldralstate.or.us Amy McLaughlin Director of IT Operations 503-947-5771 amy.mclaughlinla>.state.or.us Respectfully, Salam A. Noor, Ph.D. Deputy Superintendent of Public Instruction Final Report ED-OIG/A02P0007 Page 16 of 18 Attachment 3: Analysis of ODE’s Supporting Documentation ODE's Supporting Documentation OIG's Review of the Documentation We found that ODE’s 2010 Information Security Policy did not identify the specific controls ODE had implemented or planned to implement to mitigate risks over its information assets. In its response, ODE stated that the 2010 Information Security Policy was its Information Security Plan. However, during our fieldwork, the 2010 Information Security Policy, along with other ODE policies, was provided by ODE’s Support Services Director as policy documentation. According to DAS Policy 107-004-052, Information Security, agency information security plans should include safeguards in which the agency: Identifies reasonably foreseeable internal and external risks; Assesses the sufficiency of safeguards in place 2010 Information Security Policy to control the identified risks; Assesses risks in network and software design; Assesses risks in information processing, transmission and storage; Detects, prevents and responds to attacks or system failures; and Regularly tests and monitors the effectiveness of key controls, systems and procedures The 2010 Information Security Policy did not document ODE’s assessment of risk, controls in place to mitigate risk, or the planned implementation of controls to mitigate risks. In addition, it did not document ODE’s safeguards to detect, prevent and respond to system failures or monitor the effectiveness of key controls, systems and procedures. Final Report ED-OIG/A02P0007 Page 17 of 18 The Risk and Health Assessment Program for Microsoft SQL Server was the only documentation of a prior risk assessment that ODE provided. The risk assessment did not identify whether it was specifically for ODE, and we would consider it to be only a fraction of an overall risk assessment. Further, the May 2011 risk assessment did not provide evidence that it followed the International Organization for Standardization 27001, as required by DAS standards for conducting annual risk assessments. Risk and Health Assessment Program For example, the following elements of the International for Microsoft SQL Server Organization for Standardization 27001 are to be considered (1) identify assets and the associated information owners, (2) identify the threats to those assets, (3) identify the vulnerabilities that might be exploited by the threats, (4) determine whether the risks are acceptable, (5) apply appropriate controls, and (6) accept or avoid the risks. These steps were not demonstrated in the Risk and Health Assessment Program for Microsoft SQL Server provided by ODE. ODE provided its Internal Audit Charter policy to demonstrate that the Internal Auditor may conduct risk assessments. While the policy states an Internal Auditor Internal Audit Charter may conduct a risk assessment, no documentation of a risk assessment performed by the Internal Auditor was provided. ODE provided the 2010 Information Asset Classification policy to support that information stored in the CCS is handled as level 3. The document states ODE’s policy providing descriptions and examples of Information Asset Classification the different asset classification levels, information asset Policy protection, information owner responsibilities, labeling, handling, and disposal. However, the document provides only ODE’s policy and not the classification itself of ODE’s information assets, including the CCS. Final Report ED-OIG/A02P0007 Page 18 of 18 ODE provided a summary of an information asset classification project to support that information stored in the CCS is handled as level 3. The document stated that the purpose of the project was to develop and Information Asset Classification implement processes that continually allow for Project information on ODE’s file server to be assessed, classified, and managed. However, the result of neither the project nor the classification itself of ODE’s information assets, including the CCS, was provided.
Protection of Personally Identifiable Information in Oregon's Statewide Longitudinal Data System
Published by the Department of Education, Office of Inspector General on 2016-09-27.
Below is a raw (and likely hideous) rendition of the original report. (PDF)