Auditor Galloway recommends security, privacy training in Cyber Aware School audit of Waynesville School District

Auditors identify active user accounts for 40 former employees, volunteers

Missouri State Auditor Nicole Galloway has released the results of a cybersecurity audit of the Waynesville School District in central Missouri. The audit is the second in a series of five Cyber Aware School audits designed to examine data protection practices in schools, and includes recommendations to increase staff awareness and training for a potential cyber breach event.


"The risks posed by data breaches are just too high to wait to take action, particularly when it comes to protecting our state's children," Auditor Galloway said. "My team has made recommendations to officials in Waynesville to better safeguard students' personal information, and a key starting point is increased staff training. Cybersecurity requires ongoing efforts, but school employees can be the first line of defense against attacks."


In addition to recommending security and privacy awareness training for employees and users of the district's computerized systems, auditors identified a number of areas for improvement. Forty user accounts belonging to former district employees or volunteers remained active, even though the individuals were no longer with the district. Some current staff members were permitted to share user accounts and passwords without sufficient monitoring. The district also lacks a comprehensive data governance program, which could help ensure the integrity and confidentiality of personally identifiable information. Additionally, auditors recommended the district establish a process to ensure software acquired by third-party technology vendors complies with data security principles.


"Waynesville School District officials have already taken steps to address a number of the issues we identified, and those efforts will be critical in protecting students," Auditor Galloway said.


The complete audit report is available online here.


The Waynesville School District is one of five districts selected for an initial round of Cyber Aware School Audits. An audit of the Boonville School District in Cooper County was released in March.  Additional audits are in progress for Cape Girardeau School District in Cape Girardeau County and Park Hill School District in Platte County. An audit of the Orchard Farm School District in St. Charles County will begin later this year.


Since taking office, Auditor Galloway has made cybersecurity a priority across all components of government, including Missouri schools. The Cyber Aware School Audits are part of an ongoing emphasis on data protection practices and keeping Missourians' information secure. Last fall, an audit of the Department of Elementary and Secondary Education found the department was unnecessarily transmitting and storing student social security numbers in its Missouri Student Information System (MOSIS)- a practice the department has ended. The State Auditor's Office has also incorporated data security reviews into the standard audit process.