Office of Auditor General - Audit Buzz, February 2023 Issue


Audit Buzz Newsletter

February 2023        

This issue of Audit Buzz summarizes the status of current engagements, discusses cybersecurity in K-12 school districts in the Knowledge Hive, and offers a training opportunity to Fairfax County Public Schools (FCPS) employees. Stay up to date with the Office of Auditor General's (OAG) current and future work by subscribing to Audit Buzz.

Prior editions of Audit Buzz are archived here on OAG's website.

As always, we appreciate the cooperation and courtesies extended to our staff by FCPS management and staff during all past, current, and future audit engagements.


Engagement and Office Updates


Current Engagement Update


Knowledge Hive


Cybersecurity in K-12 School Districts

Is there a cyber threat to K-12 school districts?

According to Microsoft's Global Threat Activity monitoring, the education sector as a whole is one of the most targeted sectors in the world. K-12 (kindergarten through 12th grade) in particular is a major target, and reports by industry experts such as the K-12 Information Security Exchange indicate an alarming and steady increase in cybersecurity incidents across US schools.

What are the cyber threats to K-12 school districts?

K-12 school districts are a target because they collect and maintain a range of sensitive information about students, parents, staff, volunteers, and others. In addition, the education sector has not invested in cybersecurity controls or training over the past decade as aggressively as other industries have, and vendors and partners who service the K-12 sector have historically not prioritized cybersecurity. Together these factors create a perfect storm that makes K-12 a prime target for attackers. K-12 districts across the nation face a range of cybersecurity dangers from various threat actors using various methods. The threat actors may be motivated by the promise of monetary gain, by the desire to steal data, or simply by the wish to disrupt K-12 classes. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have noted that threat actors target K-12 remote education to cause disruptions and steal data. Cyber threat actors include criminal groups, nation states, and terrorists. In addition, insiders, including students, staff, and vendors, can threaten K-12 security.

What are the cyberattacks used against K-12 school districts?

Threat actors conduct cyberattacks using various methods, including but not limited to ransomware, video conferencing disruptions, denial-of-service attacks, and phishing.

  • Ransomware: A type of malicious software that blocks access to a data system and demands a fee in exchange for restoring access. In some instances, the attacker may also gain access to the data itself, resulting in a data breach, and may sell access to valuable student data to another malicious actor.
  • Video Conferencing Disruptions: Disruptions of teleconferences and online classrooms, often with hateful images and threatening language.
  • Denial-of-Service Attacks: Attacks that prevent or impair the authorized use of networks, systems, or applications by exhausting their resources.
  • Phishing: An attempt to acquire data or other resources through a fraudulent solicitation in email or on a website in which the actor pretends to be a reputable person or business. Phishing accounts for 90% of all breaches.

What is the total number of K-12 cybersecurity incidents?

Although the total number of K-12 cybersecurity incidents is unknown, research from federal and private sector sources shows that cyber threats are escalating and becoming more sophisticated and pervasive. According to data from the MS-ISAC, reported ransomware incidents against K-12 schools increased significantly in August and September 2020. According to the Government Accountability Office (GAO), in those two months 57 percent of all ransomware incidents reported to the MS-ISAC involved K-12 school districts, compared to 28 percent of reported ransomware incidents around the end of the 2019-2020 school year (January through July 2020).

Do cyber incidents impact K-12 school districts?

Incidents can significantly impair schools' ability to continue operations and cause learning loss due to downtime and the time it takes schools to recover from an incident. Monetary losses can be significant because of the technical and legal assistance needed to recover data, restore services, implement corrective controls, and provide post-breach assistance to impacted parties. In fact, the average cost of a data breach in the education sector is almost $4 million.

Does FCPS take cybersecurity seriously?

FCPS established the Office of Cybersecurity in the summer of 2021 and has since introduced several cybersecurity controls that have made the district safer. Examples of these controls include Multi-Factor Authentication, revoking administrative rights on laptops, and Domain Name System security. Recent security projects include launching an email security awareness program and an enterprise logging solution.

OAG is currently performing an IT Cybersecurity Audit, with the objectives to:

  1. Assess the sufficiency of monitoring of the security of FCPS' IT network, in both school and non-school-based environments,
  2. Evaluate compliance with applicable FCPS policies and regulations, and their reasonableness and applicability in the current IT environment,
  3. Determine whether Department of Information Technology processes are aligned with leading practices for managing network security and protecting the information they hold, and
  4. Identify opportunities to improve employee awareness of IT security and evaluate its effectiveness.

OAG expects to complete this audit in about six months and will then report the results to the Audit Committee.

Did you Know?


OAG Outreach and Education: Continuing Professional Education (CPE) Opportunity

OAG is registered with the National Association of State Boards of Accountancy (NASBA) and serves as the sponsor for the FCPS Continuing Professional Education (CPE) programs, which are dedicated to supporting FCPS employees with the complimentary CPE credits required by various certification agencies. OAG is pleased to offer a new NASBA training opportunity for FCPS employees to earn up to 3 CPE credits:

Course:  Internal investigation overview, with a focus on discrimination, child abuse, and fraud, waste, or abuse-related matters

Date: May 5, 2023

Time: 9:00 AM - 12:00 PM

This training, designed for all FCPS employees, will cover (a) mandatory reporting requirements, (b) the roles and responsibilities of various internal stakeholders, and (c) real-life scenarios. The Office of Division Counsel, the Department of Human Resources, and the Office of Auditor General will present and share their experience at this training.

FCPS employees may sign up for the training on MyPDE.


Upcoming Events 


Next Audit Committee Meeting

The next Audit Committee meeting is scheduled for March 8, 2023 at 4:30 PM. Please refer to BoardDocs for meeting information once it becomes available.


Fraud, Waste, and Abuse Hotline:
(571) 423-1333 (anonymous voicemail)
InternalAudit@fcps.edu (email is not anonymous)