The Education Department's student aid program risks unauthorized data loss or access problems if the department doesn't improve its information security, a new report says.
The Education Department falls short on security for the computer systems that handle millions of students’ personal and financial information in the Federal Student Aid program, according to a new audit report from the department's inspector general.
The Federal Student Aid (FSA) program, which manages about $69 billion a year, has college students’ personally identifiable information and financial data. Although the audit does not say any breaches that affect that personal information took place, it does indicate that FSA's practices are putting that data at risk.
The IG's office made eight findings of lax security practices -- especially in the certification and accreditation process -- in the student aid systems, according to the report released Oct. 13. A redacted version was published on the IG's Web site.
“The FSA Chief Operating Officer and the Department Chief Information Officer must improve security controls over the certification and accreditation process for information systems to adequately protect the confidentiality, integrity and availability of department systems and the data residing in the systems,” Charles Coe, the department's assistant inspector general, wrote in the report.
Education officials generally agreed with the findings and recommendations. They stated that the recommended actions have either been enacted or are being worked on. In 2006, the department installed a new data center to improve its workflow.
The audit found that the FSA did not properly review system security plans before certification and accreditation, didn't effectively manage interconnection agreements, didn't have controls in place to manage authorizations to operate, didn't have proper controls in place to continuously monitor system documentation, and didn't properly conduct vulnerability scanning.
The FSA needs to improve contingency planning and needs to improve controls over privacy impact assessments and also needs to update certification and accreditation procedures to incorporate the Office of Management and Budget’s guidance regarding interim authorizations to operate, the report stated.
By allowing those authorizations, Education's systems were operating with identified security deficiencies and were susceptible to potential threats and vulnerabilities. It is important that those risks and deficiencies are resolved immediately rather than taking months to mitigate, or by issuing interim authorizations, the audit stated.