Channel 2 Action News has learned that a team of independent experts concluded the Atlanta School System’s information technology system is badly managed and wide open for hacking and thefts.
The school district paid nearly $70,000 for the study, but refuses to release it because of an exemption in the state open records law. Channel 2 obtained the final report, conducted by the Adams Harris Company, from a whistleblower
Channel 2’s Richard Belcher consulted the WSB-TV IT manager who gave the hardware a D grade and an F grade for what he called “the human element.” Belcher then asked the opinion of an independent IT professional.
“IT management 101 is not in place,” said Devon Chalmers, a technical consultant with Delta Logix. “Basic, basic IT Management 101. APS is failing,” said Chalmers.
“Is this a system that needs a complete management reworking?” Belcher asked.
“In my professional opinion, I would say Yes,” Chalmers responded.
Chalmers said the study found the school district’s system doesn’t have a disaster recovery program, doesn’t manage the software patches or repairs available and doesn’t have one person responsible for security.
Chalmers also found the IT management system doesn’t have sufficient controls to keep former employees out of the system.
The report found that the school system doesn't keep track of assets valued at less than $5,000, which would include a long list of items such as laptops, desktops and notebook computers, according to Chalmers.
"Those items all cost under $5,000, so those items are not tracked and thus can walk out the door,” he said.
When asked to grade the system Chalmers said, "I would definitely give it a D or an F on both sides."
A school system spokesman sent Belcher a statement on Wednesday afternoon with a much different view.
“The Enterprise Security Assessment report concludes that ‘the APS IT department is effectively mitigating risks by securing APS’ network, systems, and data. A number of best-of-breed technologies are being deployed to provide security, availability and data integrity,’” wrote spokesman Keith Bromery.
Bromery wrote, “The report goes on to state, ‘Current network personnel are very knowledgeable and skilled in their duties.’ While the report does contain ‘vulnerability assessment findings,’ the analysis concludes that these issues are resolvable with the adoption of specified procedures and upgrades. The purpose of any IT security assessment is to identify areas needing improvement so that actions can be taken to ensure the integrity of the district’s technology assets and the security of data contained within these systems. APS has initiated appropriate actions in response to the security assessment recommendations contained in the report.”