A new audit released by the U.S. Department of Education found that the systems used by Indiana state education officials to store sensitive student data including test scores have at points lacked “adequate oversight” and other controls to ensure minimum security requirements were met—in one instance in violation of state law.
A report released July 10 by the federal agency’s Office of Inspector General states that the audit was “to determine whether [Indiana Department of Education] has internal controls in place to prevent, detect, report and respond to unauthorized access and disclosure of personally identifiable information.”
It was performed because Indiana received federal grants to build and maintain its longitudinal data system, which contains information like test scores and attendance records. Those systems are supposed to help states efficiently analyze and manage education data, as well as facilitate research to improve student achievement.
IDOE received a $5.2 million grant in 2007 and a nearly $4 million grant in 2012, both from the federal Institute of Education Sciences, to develop Indiana’s system. Its system is called the Indiana Network of Knowledge.
IDOE officials in Superintendent Jennifer McCormick’s administration say they were informed of the audit—which covered internal controls from April 2016 to February 2017—after taking over from former Superintendent Glenda Ritz’s administration in January. They maintain there was no “fast and loose use of student data.”
“I think it’s really important to point out that the audit did not find any breach of the system or any evidence that student data has been compromised,” said John Keller, chief technology officer for the IDOE. “Great care was taken to preserve the confidentiality of individuals and the physical security of the data. In our view, the net findings were essentially saying, ‘You didn’t follow some of your documentation protocols that you said you would follow.’”
The review found that the IDOE did not provide enough oversight during the development of the state’s longitudinal student data system, despite its assertion it would implement security controls to comply with federal and state privacy laws. It also found the state did not “plan to perform regular audits for compliance.”
“Based on the evidence above, we found that IDOE not only failed to document and perform the minimum state system security controls to detect and prevent unauthorized access and disclosure of personally identifiable information in its [longitudinal data system], but also did not comply with state law as it assured it would do” in the 2012 grant application, according to the report.
The review also found that the IDOE at one point did not ensure its data warehouse, which feeds data to that longitudinal data system, met minimum security standards identified by the state, and that the IDOE stated there were no written policies or procedures “for the protection of personally identifiable information” in the warehouse.
“IDOE did not begin to follow the requirements of the [Indiana Office of Technology] Information Security Framework until December 2016; therefore, there is no assurance that IDOE’s data warehouse has the required security controls and IDOE may be unaware of vulnerabilities in its data warehouse,” according to the report.
An attached letter sent in May from Keller to the federal agency noted that the statewide longitudinal data system was transferred to the Indiana Management and Performance Hub on July 1, pursuant to a new state law.
It stated the IDOE will work with the relevant state agencies to ensure the system and data warehouse “conforms to state and federal data protection and security requirements,” which it said would be completed by June 30, 2018.
The federal agency in the report encouraged the IDOE to “take more immediate action wherever possible to provide for the security of the IDOE data warehouse.”
Keller told IBJ the state would “certainly take every action we can to make sure we’re beating” the 2018 deadline.