Where should you start?  How about choosing a framework?

If the Risk Assessment Answer Isn’t Enough!
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .

I’ve been asked to give a talk to school corporations about Information Security, as in “why should we be concerned, and if we are concerned, where should we start.”

“It’s not a matter of if or when, it’s a matter of who’s next!”

– Me

The good news is that the entire world seems to be pulling its head out of the sand concurrently.  The organization contracting me to give this talk is indeed concerned about the safety and confidence of its ultimate customer . . . the Student . . . and, as it turns out, there are several school corporations attending and so the good news is that schools are starting to realize that soon the bad guys are going to figure out that they are soft, and have a treasure-trove of information that can be used to not only commit identify theft, but also a little ransoming and such.  Meanwhile, school principles and superintendents are learning the hard way that social media can introduce what we who have been studying the issue for a while call “reputational risk.”

And the organization wanted the main jist of my talk to be:  “why should we be concerned, and if we are concerned, where should we start.”

“What’s the one first step our superintendents can take when they get back to the office?”

So I have put enough thought into this to come up with three answers:

1. A one word answer!
2. A two word answer!
3. A four word answer!
4. A seven point answer!

The one word answer:  Awareness.  Thanks to Home Depot, Jimmy Johns, Target, etc. awareness is on the rise.  But there’s much to become aware about and the bad guys are hoping to get to your treasure trove before you become aware of it.

The two word answer:  Risk Assessment.  Look at any law or framework about information security and if they don’t start with a risk assessment they aren’t really about information security.  Business people maintain the first step in managing anything is to measure.  Well how then would we manage risk unless we start by measuring it?

The four word answer:  Choose a framework!  As a person who is not as familiar with schools as I am with banks, I’m not sure what framework a school corporation should comply to.  What I mean when I say that is, “what law, regulation, or “compliance method” do you want to choose to be your own method.  The good news:  most frameworks are the mostly the same, just using different language.  That’s why we say if you’re in compliance with GLBA you’re almost in compliance with HIPAA.  COPPA (Children’s On-line Privacy Protection Act) and CIPA (Children’s Internet Protection Act) are possible starting points for schools . . . . they should at least be part of the response to the one word answer (awareness).

And, I found the following whitepapers are worth a look not because they establish a sufficient framework, but because you can see what other school corporations may be using as their own target:

• The SANS Institute School Security Framework:  The SANS Institute is a private U.S. company that specializes in Information Security training.  This white paper is very old (2003) and it does NOT start with a risk assessment.  (Because it is focused on network security, not technology risk management.)  I could not find an update younger than 2003.  You can consider this to be the balance to my argument.  It does lay out a very simple method of securing your school network, but of course does not address risk areas such as on-line banking, cyber-bullying, social media, etc.  I would NOT use this framework in 2014.
• The Cisco School Information Security Framework:  Another white paper on the subject.  AGain, this is presented in my discussion here to highlight how little there really is right now in terms of guidance for schools.

Which brings me to my seven point answer.  Because the first thing you should be awareness (my one word answer) is that INFORMATION SECURITY IS NOT SIMPLE.  It’s not a “one-step” process.  It’s not something that can be crossed off the list.  It’s not a framework to comply to or the results of a risk assessment.  Information Security is an attitude, a habit or discipline, a business process.

And thus, my seven point answer:

1. Start with the School Board:  We must get buy-in at the top and right now is the time to do it (while they are getting their credit cards changed because they used it at Target, or Jimmy Johns, or Dairy Queen, or Home Depot . . . . )
2. Create a Multi-disciplinary Team:  That would include more than your IT people.  I would suggest Compliance, Risk Management, IT, Teacher, Student, Physical Security, Human Resources, and Marketing.  And yes, somebody from IT . . . . if they behave.
3. Conduct a Risk Assessment:  You really do have to start by measuring so that you can prioritize mitigation, training, and testing.
4. Establish an IT Governance Policy:  And get the school board to approve it.
5. Enforce the Policy (over time):  This is so much easier to type than do.  Enforcing the policy should be an iterative process requiring a strategy and tactical plan (based on your risk assessment).
6. Test enforcement:  At first this may simply be tabletop testing, comprehension exercises, due diligence quizzes.  Ultimately this should be some sort of audit program.
7. Back to the School Board (Escalation)

And then start all over again.

Good luck!

Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”