Legislative Post Audit identified vulnerabilities in district IT security controls

The Kansas State Department of Education (KSDE) is partnering with Kansas school districts to develop cybersecurity guidance and recommendations that can help schools from becoming targets for cyberattacks, according to a presentation to the Kansas State Board of Education.

Kathi Grossenbacher, KSDE’s Information Technology (IT) director, provided an overview of a Legislative Post Audit limited-scope cybersecurity audit at the Tuesday, Jan. 11, 2022, State Board of Education meeting. She also discussed the collaboration between KSDE and school districts to address security issues.

The objective of the audit was to answer the following question: What do school districts report regarding IT security standards and resources?

A survey was sent to all 286 public accredited districts and the Kansas School for the Deaf and the Kansas State School for the Blind. There were 147 districts that responded, which is a response rate of 51%, Grossenbacher said.

Survey results showed that many school districts haven’t implemented basic IT security controls. Fifty-eight percent of respondents don’t require security awareness training, and 63% don’t annually assess IT security risks, the survey results showed.

Districts reported that staff-related issues, such as the inability to hire sufficient IT staff members and the inability to offer a competitive wage, are significant barriers.

“This audit identified some real vulnerabilities we weren’t aware existed in our districts,” Grossenbacher said. “This has provided an opportunity for KSDE and IT directors across the state to come together to address these issues and to provide support to districts struggling in this area. Establishing this guidance for districts creates a true continuity of operation that ensures cybersecurity remains a key priority in Kansas.”

The Legislative Division of Post Audit recommended that the Kansas Legislature consider directing KSDE to establish a set of minimum IT security standards for school districts in the form of either guidance or requirements.

KSDE began collaborating with districts and developed the publication, “Cybersecurity Guidance and Recommendations for Kansas School Districts.” A K-12 Technology Council is being formed and will be chaired by IT directors who can help provide professional development to all district technology staff members.

KSDE also has developed a security policy template and an example of an acceptable use template. The agency also is developing IT security and data privacy training that will be available to Kansas districts and is in the process of creating a KSDE K-12 Technology webpage, Grossenbacher said.