Executive Buy-In
The strongest predictor of the long-term success of an IT security program is ultimately its acceptance by the board of education, the superintendent’s cabinet, and the executive and leadership teams. In practice, although information security is the responsibility of the IT department, protecting data is a concern for all the district’s departments. With students and staff members accessing connected devices, the risk of a data incident increases.
When the district’s executive and leadership teams take information security seriously and are committed to protecting student, employee, and other records, the data security program will be much stronger, decreasing the likelihood that the district will face a debilitating security incident.
Employee Awareness
With strong executive and departmental buy-in, the district can promote a culture in which security is ingrained in everyday practices; employees can be the district’s biggest security strength or its biggest security weakness.
For instance, employees often bring their online habits from home to the workplace. If those habits are sloppy, employees can wreak havoc on the security environment and increase the chances of a breach. Those bad habits include (1) using the same password for every log-on, (2) downloading applications from less-than-credible websites, and (3) clicking links in emails without first checking their legitimacy. If employees are accustomed to those practices at home, chances are they will continue them at work.
High-performing districts have established programs to train a highly aware staff.
It’s important to assess employees’ security know-how. An assessment will allow the district to tailor training to address common weaknesses and to develop learning opportunities to show employees why data security is important to them personally and critical to their role in protecting student and district information.
Formal Policies and Procedures for All Departments
Policies and procedures of high-performing districts make sense to the staff members who are required to follow them. Without effective policies and procedures, and employees' commitment to them, employees will find ways to skirt the rules, which threatens not only the district's security but their own.
School districts that experience minimal security incidents have developed a culture of security in everyday practices across the district. Policies are consistent district-wide, and all departments are treated the same.
When all staff members agree on security standards that minimize risk without drastically affecting their day-to-day functions, the district is less likely to encounter major security problems.
Ongoing Checkpoints for Policies and Procedures
Establishing policies and procedures on which all departments agree is a good start, but it’s not enough. Districts must ensure not only that their policies and procedures are practiced, but also that they succeed.
Determining the effectiveness of a district's data security program begins by establishing a baseline. Districts must understand their security program before they can improve it. Districts that experience fewer incidents typically have an information security risk assessment conducted annually by a third-party security expert. This assessment, which should consider administrative, physical, and technical (both external and internal) controls, provides an objective look at how the security program is performing at that time. The assessment also provides a baseline against which to measure and track progress. When districts know where their greatest exposures are, they can take steps to strengthen their security.
When leaders know where the district is most vulnerable, understand how the policies and procedures improve its security posture, and use what they have learned about employees' strengths and weaknesses to continually improve security, the district will be significantly less likely to experience a major security breach. In addition, should a breach occur, the district will be better prepared to manage it.
Strategic Spending
With an ongoing risk assessment in place, the district can guide important security decisions going forward.
A useful risk assessment looks at all four control areas that make up an information security program: administrative, physical, external technical, and internal technical (the technical controls split into those facing the outside world and those inside the district's network). Assessing all four areas provides a full picture of what the security program looks like now and what it should look like in the future.
Districts should focus on improvement strategies that align with their security risk assessment. If a decision incurs a cost, it's important to be able to justify that cost by demonstrating that it will make a measurable impact on the overall risk profile and assessment score. If it doesn't make an impact, the district probably won't get buy-in, and it's likely that the strategy would not have significantly improved the district's security anyway.
Recognition of Assets
You can't secure what you don't know you have, and a district's security measures should be directed at its most valuable assets and the risks associated with them. The practical work of protecting those assets, called asset management, is not only an important part of a good data security program, but also an important part of district operations.
Valuable assets extend far beyond the computers used by employees and students. Assets also include other hardware and, above all, data; therefore, the creation, indexing, workflow, version storage, and access of data become critical components of asset management for the district.
Districts are more likely to avoid a major compromise when they create, implement, and improve mature plans for asset management; know the different types of district assets; and understand how the assets should be treated.
Proper Data Classification
In managing information as an asset, districts must understand the kinds of data they possess and who should have access to them. This idea of data classification is a practice that, even at a basic level, can have a strong impact on the overall security of the organization.
Most organizations have three types of data: public, internal, and private. Who should have access to that information depends on where it fits into one of those three categories.
Public. Everyone has access to public information—it is meant to be seen by the outside world and does not require access or management restrictions. Examples include a district calendar and such school information as schedules, staff, and events.
Internal. Internal information is not meant to be seen by the outside world. If someone outside the district were to access it, it could be an issue; however, if those data were viewed by staff members at the school, it would not raise concern.
Private. Private data should be accessed only with special permission. These data include student individualized education programs, medical records, and grades. Strict access controls govern such data.
Simply stated, if the district understands the kinds of data in its ecosystem and can effectively control access to them, it's unlikely the data will be shared with anyone who shouldn't have access. It's up to each district to define the categories and their criteria. Districts with strong data classification procedures experience fewer incidents.
Summary
Although levels of security and the initiatives taken to get there vary, districts that avoid major compromises share many of the commonalities described in this article. It’s impossible to avoid all security incidents, but adopting a strong combination of these best practices will improve the district’s chances of managing risk.