By Claire Withycombe
Oregon Capital Bureau
SALEM — The state agency that holds the education records of more than half a million Oregon students can tighten its control of that information, state auditors say.
The Oregon Department of Education regularly checks its computer systems for vulnerabilities and performs other “critical security tasks,” but the agency isn’t actively managing software or users to prevent breaches, according to a report released Wednesday by Secretary of State Bev Clarno.
The agency has at least partially put into place more than half of a set of controls that experts consider basic security measures.
But “significant work remains to fully implement” those measures, auditors wrote.
For instance, the agency hasn’t updated the list of software programs that are authorized to run on its systems since 2014.
That list includes software with “significant known vulnerabilities,” auditors wrote, and the department hasn’t taken steps to make sure that only authorized software is installed on its computers.
Auditors found that unauthorized software has been installed on “numerous” computers. That puts the agency at a higher risk for missing when its computers have malicious software or software with known weaknesses, leaving the agency prone to attacks that can access student data or “disrupt operations.”
The education department is supposed to keep information about students secure and protect their privacy.
The agency, though, lacks an overall plan to manage security, which means the agency could be more vulnerable to cyberattacks.
Those problems could partially stem from some bureaucratic reshuffling, auditors found.
A recent state law consolidate ..
Support the originator by clicking the read the rest link below.
