PLEASE ROTATE YOUR DEVICE
November 17, 2022
Protecting your information is an ongoing, regular, and evolving process. No easy button, product, or single task will protect you from every attack. A good information security program encompasses many regularly performed activities that protect your valuable systems, infrastructure, data, and overall technology investment. These 10 processes will help you get your security program started.
Ohio has recently enacted ORC 1354, also known as the Ohio Data Protection Act or the Ohio Safe Harbor for Cybersecurity Compliance. ORC 1354 encourages businesses to comply with an industry-recognized cybersecurity framework, such as the NIST Cybersecurity Framework. Those who do may use such compliance as an affirmative defense to any tort action arising from an alleged failure to implement reasonable information security controls. Music to many a Superintendent’s, Treasurer’s, or Technology Director’s ears!
Assess the School District’s security program and its alignment with the selected framework. Review the controls described in the control framework, review practices in your organization against the controls, and adjust practices where necessary.
Schools should deploy simulated phishing campaigns and regular security awareness training on data protection, incident identification and response, and insider threats. This training applies to everyone, even the most senior school district members. The training should be bite-sized (short, recurring sessions instead of a single longer session) and well-communicated. The simulated phishing campaigns should be unannounced and conducted regularly (quarterly is recommended) and use various templates, delivery dates, and delivery times.
Complete an inventory of information systems on the network, including workstations and servers, virtual machines, configurations, software, IP cameras, smart boards, and other information appliances.
Employ a variety of account management strategies, such as:
At a minimum, review all systems monthly, and apply patches or update the firmware. Apply any identified critical vulnerability remediation within 48 hours of detection.
Have a plan! Your district backup plan should include multiple copies over time and should be stored offsite or offline. Backups should be tested at least annually and should follow the “3-2-1 rule”:
Run a centrally managed anti-virus solution or EDR on all endpoints with daily updates.
Begin utilizing CISA’s free vulnerability scanner. The minimum configuration should include monthly full and weekly remediation scans and target internal and external resources.
Plans should be documented and tested annually. All personnel with responsibilities within the plans should participate in the test for training. See already developed templates.
If you have any questions or need help with any/all of these points, please don’t hesitate to contact us. We’d happily set up a complimentary initial discussion about Vinson Protect and increasing your cybersecurity readiness.
3 EdTech “Game Changers” That Never Happened
Adopting an Interoperability Standard Doesn’t Guarantee Interoperability
Big Data Rising: The Latest IT Trend Only Reinforces the Importance of Interoperability
How School District Data Falls Through the Cracks — And Why It Matters
Why Securing Your School Data Should Be a Top Priority