Access Controls Over Student Information Systems (2014-MR-1)

Issued Date
August 19, 2014

We also released six letter reports to the following school districts: Altmar-Parish-Williamstown (APW) Central School District, Indian River Central School District, Lowville Academy and Central School District, Madison Central School District, Poland Central School District, and Westhill Central School District.

Purpose of Audit

The purpose of our audit was to determine if school districts have adequately controlled access to Student Information Systems for the period July 1, 2011 through April 30, 2013.


School districts use software applications, often referred to as Student Information Systems (SIS), to store and manage student data in a centralized database. SIS commonly contain extensive personal, private and sensitive information (PPSI) about students, including parent and emergency contacts, attendance, disciplinary actions, testing, schedules, grades and medical information. School districts provide SIS access to teachers, administrators, various staff members and external information technology support staff. In addition, many school districts provide parents and students with limited access to the information.

Key Findings

  • Individual users in all six districts were assigned more access rights than needed for their job duties. Of 229 users tested, 90 (39 percent) had access to one or more functions, such as changing grades, even though performing these functions was not their job responsibility.
  • None of the districts had adopted written policies and procedures for adding users, establishing users’ access rights, deactivating or modifying user accounts and monitoring user access. Also, none of the districts had an effective process in place for adding and changing user rights.
  • Four of the six districts have features within SIS that allow users to assume the identity or the account of another user.
  • None of the districts reviewed audit logs or change reports for potentially unauthorized changes.

Key Recommendations

  • Establish written policies and procedures for SIS administration.
  • Review current procedures for assigning user access rights and strengthen controls to ensure individuals are assigned only those access rights needed to perform their duties.
  • Strictly control access and review SIS data for users of the assume-identity and assume-account features.
  • Periodically review available audit logs for unusual or inappropriate activity.