
School Compliance Frameworks

By Dan Hadaway | Tuesday, September 16, 2014 - Leave a Comment

Where should you start?  How about choosing a framework?


If the Risk Assessment Answer Isn’t Enough!
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .


I’ve been asked to give a talk to school corporations about Information Security, as in “why should we be concerned, and if we are concerned, where should we start.”

“It’s not a matter of if or when, it’s a matter of who’s next!”

– Me

The good news is that the entire world seems to be pulling its head out of the sand concurrently.  The organization contracting me to give this talk is indeed concerned about the safety and confidence of its ultimate customer . . . the Student . . . and, as it turns out, several school corporations are attending.  So the good news is that schools are starting to realize that the bad guys will soon figure out that schools are soft targets holding a treasure-trove of information that can be used not only to commit identity theft, but also for a little ransoming and such.  Meanwhile, school principals and superintendents are learning the hard way that social media can introduce what those of us who have been studying the issue for a while call “reputational risk.”

And the organization wanted the main gist of my talk to be:  “why should we be concerned, and if we are concerned, where should we start.”

“What’s the one first step our superintendents can take when they get back to the office?”

So I have put enough thought into this to come up with three answers:

  1. A one word answer!
  2. A two word answer!
  3. A four word answer!
  4. A seven point answer!

The one word answer:  Awareness.  Thanks to Home Depot, Jimmy Johns, Target, etc., awareness is on the rise.  But there’s much to become aware of, and the bad guys are hoping to get to your treasure trove before you become aware of it.

The two word answer:  Risk Assessment.  Look at any law or framework about information security: if it doesn’t start with a risk assessment, it isn’t really about information security.  Business people maintain that the first step in managing anything is to measure it.  Well, how then would we manage risk unless we start by measuring it?

The four word answer:  Choose a framework!  As a person who is not as familiar with schools as I am with banks, I’m not sure what framework a school corporation should comply with.  What I mean when I say that is, “what law, regulation, or ‘compliance method’ do you want to choose to be your own method?”  The good news:  most frameworks are mostly the same, just using different language.  That’s why we say if you’re in compliance with GLBA you’re almost in compliance with HIPAA.  COPPA (Children’s On-line Privacy Protection Act) and CIPA (Children’s Internet Protection Act) are possible starting points for schools . . . . they should at least be part of the response to the one word answer (awareness).

And, I found the following whitepapers are worth a look not because they establish a sufficient framework, but because you can see what other school corporations may be using as their own target:

  • The SANS Institute School Security Framework:  The SANS Institute is a private U.S. company that specializes in Information Security training.  This white paper is very old (2003) and it does NOT start with a risk assessment (because it is focused on network security, not technology risk management).  I could not find an update more recent than 2003.  You can consider this to be the balance to my argument.  It does lay out a very simple method of securing your school network, but of course does not address risk areas such as on-line banking, cyber-bullying, social media, etc.  I would NOT use this framework in 2014.
  • The Cisco School Information Security Framework:  Another white paper on the subject.  Again, this is presented in my discussion here to highlight how little there really is right now in terms of guidance for schools.

Which brings me to my seven point answer.  Because the first thing you should be aware of (my one word answer) is that INFORMATION SECURITY IS NOT SIMPLE.  It’s not a “one-step” process.  It’s not something that can be crossed off the list.  It’s not a framework to comply with or the results of a risk assessment.  Information Security is an attitude, a habit or discipline, a business process.

And thus, my seven point answer:

  1. Start with the School Board:  We must get buy-in at the top, and right now is the time to do it (while they are getting their credit cards changed because they used them at Target, or Jimmy Johns, or Dairy Queen, or Home Depot . . . . )
  2. Create a Multi-disciplinary Team:  That would include more than your IT people.  I would suggest Compliance, Risk Management, IT, a Teacher, a Student, Physical Security, Human Resources, and Marketing.  And yes, somebody from IT . . . . if they behave.
  3. Conduct a Risk Assessment:  You really do have to start by measuring so that you can prioritize mitigation, training, and testing.
  4. Establish an IT Governance Policy:  And get the school board to approve it.
  5. Enforce the Policy (over time):  This is so much easier to type than do.  Enforcing the policy should be an iterative process requiring a strategy and tactical plan (based on your risk assessment).
  6. Test enforcement:  At first this may simply be tabletop testing, comprehension exercises, due diligence quizzes.  Ultimately this should be some sort of audit program.
  7. Back to the School Board (Escalation)

And then start all over again.

Good luck!


Original article by Dan Hadaway CRISC CISA CISM, Founder and Managing Partner, infotex.

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”
