School Cheating Scandals Are A Lesson In Separation of Duties
powers-old-account 270000NC1K Visits (3416)
The news reports from about the alleged cheating scandals at the Atlanta Public School system reminded me of a news story I had flagged to go look at later as a possible example of an IT security story to post here. Looking back in my archives, the story was "D.C. schools investigate security breaches in 2011 tests." But when I dug into the stories, I found that both scandals looked remarkably alike.
In the Atlanta Public Schools scandal, the accusations are that there was massive forgery of test answer sheets. It was so widespread that weekend "erasure parties" were held were perpetrators gathered to erase incorrect answers on students sheets and mark them with the correct answers. From the story on WSBT News:
"Among the other findings, the report stated that the changing of answers was often done at weekend gatherings, or so-called erasure parties. The report stated that children were denied special-educational assistance because their falsely reported CRCT scores were too high, and during testing, teachers pointed to the correct answer while standing at students' desks."
In the DC Schools story:
"Amid heightened scrutiny of the chronically troubled school system's large testing gains, the Office of the State Superintendent ordered an investigation into 18 classrooms with a suspicious number of incorrect answers erased and corrected in the 2010 testing."
I have no opinion on how far the cheating did or did not go. I haven't been following the cases closely enough to say how much has or has not been proven. But I'm going to stick to the easy observation here:
Teachers and Staff at the schools should not have physical access to the test sheets!
This is a very basic separation of duties control issue. You don't have to have a degree in threat modelling and risk assessment to see this. All it takes is looking at the overall process from front to end to see that there's a problem giving teachers custody of the test sheets, especially after they have been filled in by the students.
Reading between the lines a bit. The testing companies apparently had some secondary process controls in place. Apparently they had an idea of what a "normal" number of erased and corrected answers on a test were and were looking at individual test sheets to see which ones had an "abnormal" number of erasures.
That's a good monitoring control and apparently it worked well enough to raise some red flags. But it also means that the tests had to be thrown out. It would have been far better to use separation of duty as a preventive control so that it was not possible for people who had a career interest in the school's test scores to have physical access to the test sheets. I'm imagining processes like chain of custody processes for evidence in criminal investigation.