
School Compliance Frameworks

By Dan Hadaway | Tuesday, September 16, 2014

Where should you start? How about choosing a framework?


If the Risk Assessment Answer Isn’t Enough!
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .


I’ve been asked to give a talk to school corporations about Information Security, as in “why should we be concerned, and if we are concerned, where should we start?”

“It’s not a matter of if or when, it’s a matter of who’s next!”

– Me

The good news is that the entire world seems to be pulling its head out of the sand concurrently.  The organization contracting me to give this talk is indeed concerned about the safety and confidence of its ultimate customer . . . the Student . . . and, as it turns out, there are several school corporations attending.  So the good news is that schools are starting to realize that soon the bad guys are going to figure out that they are soft, and have a treasure-trove of information that can be used not only to commit identity theft, but also a little ransoming and such.  Meanwhile, school principals and superintendents are learning the hard way that social media can introduce what we who have been studying the issue for a while call “reputational risk.”

And the organization wanted the main gist of my talk to be:  “why should we be concerned, and if we are concerned, where should we start?”

“What’s the one first step our superintendents can take when they get back to the office?”

So I have put enough thought into this to come up with three answers:

  1. A one word answer!
  2. A two word answer!
  3. A four word answer!
  4. A seven point answer!

The one word answer:  Awareness.  Thanks to Home Depot, Jimmy Johns, Target, etc. awareness is on the rise.  But there’s much to become aware about and the bad guys are hoping to get to your treasure trove before you become aware of it.

The two word answer:  Risk Assessment.  Look at any law or framework about information security, and if it doesn’t start with a risk assessment, it isn’t really about information security.  Business people maintain that the first step in managing anything is to measure it.  Well, how then would we manage risk unless we start by measuring it?

The four word answer:  Choose a framework!  As a person who is not as familiar with schools as I am with banks, I’m not sure what framework a school corporation should comply with.  What I mean when I say that is, “what law, regulation, or ‘compliance method’ do you want to choose to be your own method?”  The good news:  most frameworks are mostly the same, just using different language.  That’s why we say if you’re in compliance with GLBA you’re almost in compliance with HIPAA.  COPPA (Children’s On-line Privacy Protection Act) and CIPA (Children’s Internet Protection Act) are possible starting points for schools . . . . they should at least be part of the response to the one word answer (awareness).

And, I found the following whitepapers are worth a look not because they establish a sufficient framework, but because you can see what other school corporations may be using as their own target:

  • The SANS Institute School Security Framework:  The SANS Institute is a private U.S. company that specializes in Information Security training.  This white paper is very old (2003) and it does NOT start with a risk assessment.  (Because it is focused on network security, not technology risk management.)  I could not find an update younger than 2003.  You can consider this to be the balance to my argument.  It does lay out a very simple method of securing your school network, but of course does not address risk areas such as on-line banking, cyber-bullying, social media, etc.  I would NOT use this framework in 2014.
  • The Cisco School Information Security Framework:  Another white paper on the subject.  Again, this is presented in my discussion here to highlight how little there really is right now in terms of guidance for schools.

Which brings me to my seven point answer.  Because the first thing you should be aware of (my one word answer) is that INFORMATION SECURITY IS NOT SIMPLE.  It’s not a “one-step” process.  It’s not something that can be crossed off the list.  It’s not a framework to comply with or the results of a risk assessment.  Information Security is an attitude, a habit or discipline, a business process.

And thus, my seven point answer:

  1. Start with the School Board:  We must get buy-in at the top and right now is the time to do it (while they are getting their credit cards changed because they used it at Target, or Jimmy Johns, or Dairy Queen, or Home Depot . . . . )
  2. Create a Multi-disciplinary Team:  That would include more than your IT people.  I would suggest Compliance, Risk Management, IT, Teacher, Student, Physical Security, Human Resources, and Marketing.  And yes, somebody from IT . . . . if they behave.
  3. Conduct a Risk Assessment:  You really do have to start by measuring so that you can prioritize mitigation, training, and testing.
  4. Establish an IT Governance Policy:  And get the school board to approve it.
  5. Enforce the Policy (over time):  This is so much easier to type than do.  Enforcing the policy should be an iterative process requiring a strategy and tactical plan (based on your risk assessment).
  6. Test enforcement:  At first this may simply be tabletop testing, comprehension exercises, due diligence quizzes.  Ultimately this should be some sort of audit program.
  7. Back to the School Board (Escalation)

And then start all over again.

Good luck!


Original article by Dan Hadaway CRISC CISA CISM, Founder and Managing Partner, infotex.

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”
