The Oregon Department of Education (department) oversees the education of over 560,000 students in Oregon’s public K-12 education system. The annual distribution of the State School Fund of $3 billion and federal funding of about $750 million help fund Oregon’s public education.
The department’s computer systems reasonably ensure the integrity of data used to distribute the State School Fund and appropriately process school district claims for federal funding. However, improvements are needed to provide better security for computer systems and student data, manage changes to computer systems, and ensure systems can be restored in the event of a disaster.
Computer systems ensure integrity of student and school data
Department staff use the Consolidated Collection System to analyze and aggregate school and student data. They use information from this system to allocate monies to Oregon’s schools and education service districts. Computer systems reasonably ensured the integrity of student and school information through automated processes that accurately identify students and detect potential data errors. In addition, department analysts use system information to validate student and school data.
Computer systems appropriately receive and process School district claims for federal funding
The department uses the Electronic Grant Management System and the Federal Cash Ordering System to receive and process requests for federal program expenditure reimbursements. We found that computer controls reasonably ensure that these systems could appropriately receive and process school district claims for federal funding. These systems ensure grant claims do not exceed available balances and reject claims that otherwise would be ineligible for reimbursement.
Security measures for computer systems were insufficient
Although the department provides important protection measures for security, improvements are needed to better secure their computer systems and data. Weaknesses we identified relate to the department’s processes for planning, configuring, managing, and monitoring information technology security components. As such, the department does not provide an appropriate layered defense to protect agency computer applications. Thus, confidential student level information is at increased risk of disclosure or compromise.
Management of changes to computer systems needs improvement
The department has formal processes and tools for managing changes to their systems, but staff do not always fully utilize them. Independent and technical reviews of computer code changes did not always occur and processes were not in place to ensure only approved code could be placed in production. These weaknesses increase the risk that developers could introduce unauthorized or untested changes to the systems.
System files and data are appropriately backed up but procedures for timely restoration after a disaster are absent
The department has processes in place to back up critical data and can restore individual files as needed. However, department management and staff have not fully developed and tested a comprehensive disaster recovery plan capable of restoring critical systems and data in the event of a disaster or major disruption. Without a disaster recovery plan, the department cannot ensure it can timely restore operations in the event of a disaster.
We recommend that Department of Education management ensure resolution of identified security weaknesses, improve processes for changing computer code, and fully develop and test processes for restoring computer systems after a disaster.
The full agency response can be found at the end of the report.