CLEARFIELD – At Monday night’s regular meeting, Lois Richards, executive director of the Clearfield County Career and Technology Center, advised the Joint Operating Committee that she has addressed an audit observation related to their Classmate software program, which logs student attendance and grades.
In response to a June 21 letter from audit coordinator Connie Derr of the Pennsylvania Department of Education, Richards outlined the school’s corrective action plan. She concurred with the audit report’s observations and recommendations, which related to “unmonitored vendor system access and logical access control weaknesses.”
“Note that some issues have already been corrected per the auditor’s recommendation. The rest are either in process or plans are being made to correct,” she wrote in her letter to Derr. She indicated she and the tech will be responsible for the monitoring of these procedures.
She said the school tech is working with the Classmate vendor to resolve the issues that were noted on the audit. She said that they intended to fulfill the corrective action plan within the next several months. She said those issues included the following:
– Assigning unique user IDs and passwords to Classmate employees who work at the school.
– Requesting that the vendor sign off on the Acceptable Use Policy.
– Installing a new firewall so that access can be limited. She indicated the vendor currently has unlimited access only to the Classmate server.
Richards said they are in the process of changing the current Acceptable Use Policy to include provisions for password security and syntax requirements and violations/incidents. In addition, she said the school has already corrected the following:
– She and the tech both receive e-mail notification from Classmate when updates and upgrades are due. She said the tech gives permission and sets up the date for the upgrade by e-mail.
– The school maintains documentation that terminated employees were removed from the system. She said it was previously done over the phone between her and the tech.
– All users now change their passwords every 30 days.
– A list was created of personnel with authorized access to the server area.
– A fire extinguisher was installed in the area that houses the servers.