Weekly Tech Tidbit – I’m from the state and I’m here to help! – Surviving a technology audit

Weekly Tech Tidbit – I’m from the state and I’m here to help! – Surviving a technology audit

Blog-image

It is important to have accountability to the taxpayers independently proving that each school district has adequate financial controls in place and is properly managing the money it has been entrusted.  In this era of identity theft, ransomware, and electronic financial theft, it is equally important to have adequate technical controls in place to protect your network and your district's private data.

Periodically the NYS Comptroller's office audits both the financial and technical sides of all school districts. The last thing your Superintendent wants is to read an article in the paper critical of the district's financial and technical policies. We can't help you on the financial side, but we do know a thing or two about the network and data security.

Here are a few tips to keep your district's name out of the paper and make your audit relatively boring and uneventful.

  1. If you know you are getting audited, reach out to us.  We are happy to help describe or clarify what is or isn't going on with your network security.   Your security has multiple layers.  Some may be in the district.  Some may be at your local BOCES or regional RIC.   Some may be with us.   Any evaluation of your district's security that doesn't account for multiple levels of security from multiple sources sells your district short and doesn't tell the true story of what is going on.
  2. We have done a number of presentations over the years on what to say to the auditors.  We will probably do it again.  If you want a copy of an older presentation, let us know.
  3. Auditors will care deeply about security and protecting financial information and personally identifiable information.  Make sure you have good answers for what you are doing to protect this information.
  4. Auditors realize that lack of patching will create computers that are at risk.   And patching includes both Windows and third-party application patching.   If you haven't implemented WSUS or SCCM or KACE type products, this will be a point of contention.   I have harped upon your need to have a patch management/software deployment solution.   If you don't have one, start the process now as it will be on the auditor's list of major deficiencies.
  5. Auditors will also care about:
    1. Granular password policies with forced password changes for users touching financial and personally identifiable information.
    2. Password protected screensavers with reasonably aggressive timeouts to make it harder for people to gain access to users who wander away leaving their workstations on.
    3. Web browsers that won't cache credentials and passwords.
    4. Web filtering that blocks shopping and social media and other sites we know are bad.
    5. Server closet security.  They hate shared closets.
    6. Data sharing applications and remote control applications such as Dropbox, and LogMeIn.  Uncontrolled, unlogged, access or the ability to share data without controls will get you in trouble.
    7. Administrator type accounts.   Make sure you have limited users and limited admins.   Don't use default admin account names.
    8. Synchronized browsers.  Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari all have linked synchronized browsers.  Make sure the browsers can't sync and make sure all browser history the auditors see if after syncing was disabled in the district.
    9. Firewall Logging.  The auditors are expecting your firewall traffic to be logged for archival purposes.   Furthermore, they really want the logs to be read!   We all know reading logs is like trying to drink out of a firehose.   However, we do have our Managed Firepower service offering where our staff actively review the nightly Firepower reports.  If you are are interested in that service, let us know.

Remember CSI is available to actively participate in your audit with the state and help you with any meetings, evaluating their preliminary reports for inaccuracies, and implementing any suggestions that help keep the district's name out of the paper.

If you have questions or need help, reach out to us.