
NYS Comptroller

THOMAS P. DiNAPOLI

Audits of Local Governments and School Districts

Security of Personal, Private, and Sensitive Information (PPSI) in Mobile Computing Devices (2012-MR-2)
We also issued letter reports to the following school districts: Bath, Cato-Meridian, East Rochester, Geneseo, Horseheads, Marcus Whitman, Odessa-Montour, Penfield, South Seneca, Victor, Weedsport and Wheatland-Chili.


Released: December 14, 2012

Purpose of Audit

The purpose of our audit was to determine whether these districts are adequately controlling mobile computing devices (MCDs) to protect confidential information for the period January 1, 2010, to May 4, 2012.

Background

PPSI is any information to which unauthorized access, disclosure, modification, destruction, or disruption of access or use could severely impact critical functions, employees, customers or third parties, or citizens of New York in general. Districts often provide mobile computing devices (MCDs) to certain employees for business purposes to facilitate work when employees are in meetings, in training, or traveling. MCDs include laptop and tablet computers and other small electronic devices, such as smart phones and personal digital assistants (PDAs), which function like a personal computer while providing the convenience of portability. The widespread use of MCDs also increases the risk that PPSI could be obtained for unauthorized purposes.

Key Findings

  • The majority of the 12 districts did not have adequate security policies and procedures in place, increasing the risk that PPSI could be accessed and misused by unauthorized persons.
  • Our tests of a sample of 383 district-owned MCDs found PPSI on 71 (18.5 percent) of these devices. Without proper safeguards in place, any confidential data on these MCDs could be at risk of exposure.
  • None of the districts had developed a classification scheme or performed an inventory of the PPSI the districts possess.

Key Recommendations

  • Adopt formal written policies and procedures to ensure a sound IT environment and to protect PPSI in mobile computing devices.
  • Develop written policies and procedures that outline the proper access, use, and protection of PPSI on MCDs.
  • Complete a classification and inventory of information the district maintains to assign the appropriate security level to each type of data, and then conduct an inventory of PPSI stored on all electronic equipment to account for the confidential data maintained.

Local Government and School Accountability Contact Information:

Phone: (518) 474-4037; Email: localgov@osc.state.ny.us
Address: Office of the State Comptroller, Division of Local Government and School Accountability
110 State Street, 12th Floor; Albany, NY 12236