
School Compliance Frameworks

By Dan Hadaway | Tuesday, September 16, 2014 - Leave a Comment

Where should you start?  How about choosing a framework?

If the Risk Assessment Answer Isn’t Enough!
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .

I’ve been asked to give a talk to school corporations about Information Security, as in “why should we be concerned, and if we are concerned, where should we start.”

“It’s not a matter of if or when, it’s a matter of who’s next!”

– Me

The good news is that the entire world seems to be pulling its head out of the sand concurrently.  The organization contracting me to give this talk is indeed concerned about the safety and confidence of its ultimate customer . . . the Student . . . and, as it turns out, there are several school corporations attending.  So the good news is that schools are starting to realize that soon the bad guys are going to figure out that they are soft, and have a treasure-trove of information that can be used not only to commit identity theft, but also a little ransoming and such.  Meanwhile, school principals and superintendents are learning the hard way that social media can introduce what we who have been studying the issue for a while call “reputational risk.”

And the organization wanted the main gist of my talk to be:  “why should we be concerned, and if we are concerned, where should we start.”

“What’s the one first step our superintendents can take when they get back to the office?”

So I have put enough thought into this to come up with three answers:

  1. A one word answer!
  2. A two word answer!
  3. A four word answer!
  4. A seven point answer!

The one word answer:  Awareness.  Thanks to Home Depot, Jimmy Johns, Target, etc. awareness is on the rise.  But there’s much to become aware about and the bad guys are hoping to get to your treasure trove before you become aware of it.

The two word answer:  Risk Assessment.  Look at any law or framework about information security and if they don’t start with a risk assessment they aren’t really about information security.  Business people maintain the first step in managing anything is to measure.  Well how then would we manage risk unless we start by measuring it?

The four word answer:  Choose a framework!  As a person who is not as familiar with schools as I am with banks, I’m not sure what framework a school corporation should comply with.  What I mean when I say that is, “what law, regulation, or ‘compliance method’ do you want to choose to be your own method?”  The good news:  most frameworks are mostly the same, just using different language.  That’s why we say if you’re in compliance with GLBA you’re almost in compliance with HIPAA.  COPPA (Children’s On-line Privacy Protection Act) and CIPA (Children’s Internet Protection Act) are possible starting points for schools . . . . they should at least be part of the response to the one word answer (awareness).

And, I found the following whitepapers are worth a look not because they establish a sufficient framework, but because you can see what other school corporations may be using as their own target:

  • The SANS Institute School Security Framework:  The SANS Institute is a private U.S. company that specializes in Information Security training.  This white paper is very old (2003) and it does NOT start with a risk assessment.  (Because it is focused on network security, not technology risk management.)  I could not find an update younger than 2003.  You can consider this to be the balance to my argument.  It does lay out a very simple method of securing your school network, but of course does not address risk areas such as on-line banking, cyber-bullying, social media, etc.  I would NOT use this framework in 2014.
  • The Cisco School Information Security Framework:  Another white paper on the subject.  Again, this is presented in my discussion here to highlight how little there really is right now in terms of guidance for schools.

Which brings me to my seven point answer.  Because the first thing you should be aware of (my one word answer) is that INFORMATION SECURITY IS NOT SIMPLE.  It’s not a “one-step” process.  It’s not something that can be crossed off the list.  It’s not a framework to comply with or the results of a risk assessment.  Information Security is an attitude, a habit or discipline, a business process.

And thus, my seven point answer:

  1. Start with the School Board:  We must get buy-in at the top and right now is the time to do it (while they are getting their credit cards changed because they used it at Target, or Jimmy Johns, or Dairy Queen, or Home Depot . . . . )
  2. Create a Multi-disciplinary Team:  That would include more than your IT people.  I would suggest Compliance, Risk Management, IT, Teacher, Student, Physical Security, Human Resources, and Marketing.  And yes, somebody from IT . . . . if they behave.
  3. Conduct a Risk Assessment:  You really do have to start by measuring so that you can prioritize mitigation, training, and testing.
  4. Establish an IT Governance Policy:  And get the school board to approve it.
  5. Enforce the Policy (over time):  This is so much easier to type than do.  Enforcing the policy should be an iterative process requiring a strategy and tactical plan (based on your risk assessment).
  6. Test enforcement:  At first this may simply be tabletop testing, comprehension exercises, due diligence quizzes.  Ultimately this should be some sort of audit program.
  7. Back to the School Board (Escalation)

And then start all over again.

Good luck!

Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”
