
School Compliance Frameworks

By Dan Hadaway | Tuesday, September 16, 2014 - Leave a Comment

Where should you start?  How about choosing a framework?

If the Risk Assessment Answer Isn’t Enough!
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .

I’ve been asked to give a talk to school corporations about Information Security, as in “why should we be concerned, and if we are concerned, where should we start.”

“It’s not a matter of if or when, it’s a matter of who’s next!”

– Me

The good news is that the entire world seems to be pulling its head out of the sand concurrently.  The organization contracting me to give this talk is indeed concerned about the safety and confidence of its ultimate customer . . . the Student . . . and, as it turns out, there are several school corporations attending, so the good news is that schools are starting to realize that soon the bad guys are going to figure out that they are soft and have a treasure-trove of information that can be used not only to commit identity theft, but also for a little ransoming and such.  Meanwhile, school principals and superintendents are learning the hard way that social media can introduce what we who have been studying the issue for a while call “reputational risk.”

And the organization wanted the main gist of my talk to be:  “why should we be concerned, and if we are concerned, where should we start.”

“What’s the one first step our superintendents can take when they get back to the office?”

So I have put enough thought into this to come up with three answers:

  1. A one word answer!
  2. A two word answer!
  3. A four word answer!
  4. A seven point answer!

The one word answer:  Awareness.  Thanks to Home Depot, Jimmy Johns, Target, etc. awareness is on the rise.  But there’s much to become aware about and the bad guys are hoping to get to your treasure trove before you become aware of it.

The two word answer:  Risk Assessment.  Look at any law or framework about information security and if they don’t start with a risk assessment they aren’t really about information security.  Business people maintain the first step in managing anything is to measure.  Well how then would we manage risk unless we start by measuring it?

The four word answer:  Choose a framework!  As a person who is not as familiar with schools as I am with banks, I’m not sure what framework a school corporation should comply with.  What I mean when I say that is, “what law, regulation, or ‘compliance method’ do you want to choose to be your own method?”  The good news:  most frameworks are mostly the same, just using different language.  That’s why we say if you’re in compliance with GLBA you’re almost in compliance with HIPAA.  COPPA (Children’s On-line Privacy Protection Act) and CIPA (Children’s Internet Protection Act) are possible starting points for schools . . . . they should at least be part of the response to the one word answer (awareness).

And, I found the following whitepapers are worth a look not because they establish a sufficient framework, but because you can see what other school corporations may be using as their own target:

  • The SANS Institute School Security Framework:  The SANS Institute is a private U.S. company that specializes in Information Security training.  This white paper is very old (2003) and it does NOT start with a risk assessment.  (Because it is focused on network security, not technology risk management.)  I could not find an update younger than 2003.  You can consider this to be the balance to my argument.  It does lay out a very simple method of securing your school network, but of course does not address risk areas such as on-line banking, cyber-bullying, social media, etc.  I would NOT use this framework in 2014.
  • The Cisco School Information Security Framework:  Another white paper on the subject.  Again, this is presented in my discussion here to highlight how little there really is right now in terms of guidance for schools.

Which brings me to my seven point answer.  Because the first thing you should be aware of (my one word answer) is that INFORMATION SECURITY IS NOT SIMPLE.  It’s not a “one-step” process.  It’s not something that can be crossed off the list.  It’s not a framework to comply with or the results of a risk assessment.  Information Security is an attitude, a habit or discipline, a business process.

And thus, my seven point answer:

  1. Start with the School Board:  We must get buy-in at the top and right now is the time to do it (while they are getting their credit cards changed because they used them at Target, or Jimmy Johns, or Dairy Queen, or Home Depot . . . . )
  2. Create a Multi-disciplinary Team:  That would include more than your IT people.  I would suggest Compliance, Risk Management, IT, Teacher, Student, Physical Security, Human Resources, and Marketing.  And yes, somebody from IT . . . . if they behave.
  3. Conduct a Risk Assessment:  You really do have to start by measuring so that you can prioritize mitigation, training, and testing.
  4. Establish an IT Governance Policy:  And get the school board to approve it.
  5. Enforce the Policy (over time):  This is so much easier to type than do.  Enforcing the policy should be an iterative process requiring a strategy and tactical plan (based on your risk assessment).
  6. Test enforcement:  At first this may simply be tabletop testing, comprehension exercises, due diligence quizzes.  Ultimately this should be some sort of audit program.
  7. Back to the School Board (Escalation)

And then start all over again.

Good luck!

Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”
