Our audit found that the Oregon Department of Education (Oregon) Consolidated Collection System, Oregon’s Statewide Longitudinal Data System, had a lack of documented internal controls in the system that increases the risk that Oregon will be unable to prevent or detectunauthorized access and disclosure of personally identifiable information. Specifically, we found that Oregon did not ensure that the Consolidated Collection System met the minimum requirements in Oregon’s Department of Administrative Services State Standards, which require the system controls and documentation of those controls. Since Oregon did not meet the minimum State requirements, it was notin compliance with Statewide Longitudinal Data Systems grant requirements. In addition, Oregon had policies and procedures that address reporting and responding to unauthorized access and disclosure of personally identifiable information in its data system. However, we could not determine whether the procedures were effective because Oregon had not reported any system breaches in the Consolidated CollectionSystem.
Salem, OR
United States
