Third‑party cybersecurity audit finds strengths and gaps; district updates inventory and training, may seek capital funding

District IT staff presented findings from a third‑party cybersecurity audit that reviewed systems and processes over the past summer. The audit found strong practices in data protection, access‑control management and email/web protections, but identified improvement areas such as enterprise asset inventory, unauthorized device control, and vendor service‑provider access.

Bob Otting (district technology staff) described remedies already under way: updated inventory software that tracks purchases and versions, a standard‑tools list to prevent unauthorized software installs, phishing‑simulation training and an email quarantine system. Otting said the district has strengthened student passwords and is evaluating regular password resets and permission limits for students sending external mail. He added the district can retract certain emails from inboxes when suspicious messages are detected.

Trustees praised recent changes, including implementation of two‑step authentication. Several trustees asked how staff will proceed on expensive device‑level protections; Otting said some options (for example, port locking and NAC protections for unauthorized assets) are costly and could be candidates for bond funding, but staff are exploring lower‑cost alternatives in the near term.

Next steps: staff will continue to refine inventory controls, update required training courses, expand phishing simulations, and provide the board with cost estimates for hardware protections and potential bond requests if needed.