Tech Reformers Risk Assessment Powered by S2

Tech Reformers shares this risk assessment as an opportunity for education organizations to conduct a preliminary self-evaluation of their cybersecurity risk; it does not constitute an endorsement of a specific vendor or product. This assessment is free and vendor-neutral. Unlike traditional industry risk assessments, it incorporates topics specific to the K12 environment such as educational technology and remote learning. Additionally, the tool itself is designed as an educational tool. Each question is paired with a user-friendly explanation of what is being asked.

School District Size (student count)

What is the size of your District technology team?
When selecting your size, please consider volunteers and student tech teams that are assisting with District technology operations.

Do you have a line item in the budget for cyber/info security? (Yes / No)
A specific line item in the budget for cyber/info security can help you manage spend and gives visibility to District leadership.

Within the past year have you experienced a security event or data breach (Ransomware, DDOS, lost staff device(s) or notification from an outside party of a data breach)? (Yes / No)
A security event is defined as any unauthorized access or attempted access of District data or systems. A data breach is a specific type of security event where District data of an amount defined by federal or state laws was lost or stolen. Data breach is a legal term and should not be used to refer to any other type of security event.
DDOS is short for Distributed Denial of Service. This is a type of security event where the network or systems become overwhelmed with too many requests and stop responding, rendering the network or system unusable. Ransomware is a specific type of malware that makes files and/or systems inaccessible and unusable; generally this is accompanied by a demand for payment from the cyber-criminals to release your information back to you. Malware is computer code or programs that perform unauthorized activity.

Have you done an external vulnerability assessment within the past 12 months? (Yes / No)
An external vulnerability assessment is a specific type of security assessment that looks at the public/internet-facing networks and systems to check for any known risks/vulnerabilities that could be exploited by a cyber-criminal to cause disruption or steal information.

Have you done an internal vulnerability assessment within the past 6 months? (Yes / No)
An internal vulnerability assessment is a specific type of security assessment that looks at the private/internal-facing networks and systems to check for any known risks/vulnerabilities that could be exploited by a cyber-criminal to cause disruption or steal information.

An S "Satisfactory" estimated S2Score® means that you have really spent time, effort and made investments in building a good information/cybersecurity program. The foundation of your program is laid, and now you're in "maintenance mode," although you still have some major projects and tasks to accomplish. Your risk exposure starts to diminish for Districts with a "Satisfactory" S2Score, so it's very important to spend your time and investments wisely and to effectively communicate your information/cybersecurity measurement of risk. To accomplish this, schedule the full S2School assessment with your info/cybersecurity partner, which will give you a clear picture of where to focus via a detailed Action Plan.
To support district technology leaders, Tech Reformers provides consulting and several trusted security solutions. To help you improve your district’s S2 Score, your risk profile, we will reach out to you to see how we can help. See more at Tech Reformers or reach out to us directly via email at info@techrefromers.com or by telephone (206) 401-5530.

An E or "Exceeds" S2Score® is a rarity and something to take pride in. It's obvious that your District has spent significant amounts of time, effort and investments to build a best-in-class information/cybersecurity program. You have the proper structures in place to maintain what you've painstakingly built, and now you can focus on 1) continuous improvement and 2) finding more tangible returns for your investment. Schedule the full S2School assessment with your info/cybersecurity partner, which will give you a clear picture of where to focus via a detailed Action Plan, so you can share this with your team, District Leadership, and School board. A compromise of your defenses will always be a possibility, but you will likely detect such an event early on and be able to limit damages.

A P "Progressing" estimated S2Score® means that you have done some good things with respect to your District's information/cybersecurity; however, significant gaps/risks still exist. Some of the foundational components of the program are in place, and it's time for the program to mature into a more formal initiative. This is the point in the program where information/cybersecurity efforts and investments need to start providing real and tangible results.
The question, "where should we focus our time and investments?" is an important one to support with facts instead of gut instinct. Start by scheduling the full S2School assessment with your info/cybersecurity partner, which will give you a clear picture of where to focus via a detailed Action Plan. A compromise is still very much possible, but you are more likely to detect it and respond with some effectiveness. If District Leadership is involved with information/cybersecurity, which they probably are, continued improvement will only help them make better risk-based decisions.

An I "Insufficient" estimated S2Score® means that you have significant areas of improvement for information/cybersecurity in your District. Your information/cybersecurity program is not mature enough for sustained improvement, and a significant compromise is possible in the short term. Whether or not your District would notice the threat, attack, data loss, or system compromise is not well known. Without significant improvements in your information/cybersecurity program, District Leadership’s decisions regarding security may not be easily defended should an adverse event occur. It’s imperative that you schedule the full S2School assessment with your info/cybersecurity partner, which will give you a clear picture of where to focus via a detailed Action Plan.

A GS "Getting Started" estimated S2Score® usually means that you’re at the beginning of your security journey or that you haven't yet taken the necessary basic steps to protect your District from a variety of risks and threats. The information/cybersecurity program lacks formality, and a significant compromise is highly probable in the short term. To make matters worse, depending upon the type of threat, the system compromise may go unnoticed for an extended period. If a systems compromise were to become publicly known, District Leadership may not have the necessary proof to defend the District against civil actions. It’s imperative that you schedule the full S2School assessment with your info/cybersecurity partner, which will give you a clear picture of where to focus via a detailed Action Plan.

ADMINISTRATIVE CONTROLS
Administrative Controls are the way that we define the information/cyber security strategy, roles and responsibilities of workforce members (People).

RISK MANAGEMENT
Please select all statements that apply to your District:

Information/cyber security risk management processes are formally established, managed and agreed to by District leadership. (Yes / No)
Risk Management is the set of activities taken to reduce or prevent a risk from having a negative impact on District operations.

The District approach to information/cyber security risk management is comprehensive, accounting for administrative (people), physical and technical threats as well as potential risks (vulnerabilities). (Yes / No)
A comprehensive approach means having cross-functional teams made up of stakeholders from each District function, not just the District technology team. Technical threats usually come in the form of a virus, ransomware, DDOS or systems compromise.

The District has transferred some information security risk by obtaining cyber liability insurance. (Yes / No)
Having cyber liability insurance is a critical component of any basic information/cyber security program. Having adequate and appropriate coverage can be the difference between recovering quickly from an event and being down for weeks.

INFORMATION SECURITY GOVERNANCE
Please select all statements that apply to your District:

The District has defined a set of information security guidelines or procedures (policies) that are formally approved by District leadership (superintendent and/or school board). (Yes / No)
Having formal security guidelines or procedures for how you are going to deal with the various aspects of info/cyber security is a critical part of any District's security program. Sometimes guidelines or procedures are referred to as IT Security Policy; this is not school board policy. At a minimum you should have a school board policy that refers to the security guidelines or procedures for specifics.

Information security guidelines or procedures (policies) have been reviewed by the school board or District leadership within the last twelve (12) months or less. (Yes / No)
It is necessary for District leadership to review any security guidelines or procedures at least annually or after any changes to ensure they are up to date and adequate. This responsibility can be delegated to a director of technology or a similar role.

District has identified and empowered a director of technology, school board member, CISO or similar position within the District. (Yes / No)
Having a single point person appointed to be responsible for the day-to-day info/cyber security operations is a must-have. Most Districts allow for the superintendent to delegate this responsibility to the CTO or Director of technology for the District.

HUMAN RESOURCES SECURITY
Please select all statements that apply to your District:

District leadership endorses and complies with the District's security guidelines or procedures (policies). (Yes / No)
Having official support of the adopted security guidelines or procedures from District leadership is important to a successful security operations program.

The District has developed and implemented a formal curriculum for information/cyber security awareness, security education and training programs. (Yes / No)
A formal curriculum for information/cyber security can come in many forms: it could be a webinar, an all-staff presentation, phishing awareness training with just-in-time training, or a YouTube video. At a minimum the curriculum should include safe use of user names and passwords, what a security event looks like, who to report it to and when to report.

Background checks are performed on employees, third-party contractors and other associates in accordance with their roles and responsibilities, job functions and sensitive data access. (Yes / No)
Background checks are not only important for physical safety but digital safety as well.
Only allowing cleared people to access sensitive data is one more step you can take to keep students and staff safe from cybercrime.

ASSET MANAGEMENT
Please select all statements that apply to your District:

An asset management guideline/process exists and accounts for all information assets (physical, software and data) from acquisition through disposition/disposal. (Yes / No)
An asset is any hardware device or software application used by the District to support learning or District operations. Any time a change is made to the inventory (new purchase, disposal of old equipment or software) it should be updated. Having a complete and up-to-date asset inventory will reduce the time it takes to respond and ultimately recover from a security event.

Asset and/or information (data classifications per state standards, regulations, law) requirements have been defined, including the acceptable controls for protection. (Yes / No)
Acceptable controls are the steps you have taken to ensure the protection of the sensitive data in your care. You may have specific steps you have to take depending on your local laws. Consult an attorney for more information on your local requirements.

A complete, up-to-date, and detailed inventory of all cloud hosted services used by the District is maintained. (Yes / No)
The cloud is simply computers you don't own or have physical access to; you still have the same obligations to inventory, monitor and protect these systems and the data on them.
Some examples of cloud services commonly seen in Districts include student information system (SIS), HR/payroll system, HVAC systems, and meals, fees, and activities payment systems.

FACILITY ACCESS MANAGEMENT
Please select all statements that apply to your District:

The District has documented processes and procedures for the protection of physical facilities including access controls, both physical and logical. (Yes / No)
Physical safety is a critical part of information/cyber security. Physical controls include items such as door locks, CCTV and door alarms. Logical controls include locking the device when it is not in use and monitoring for unusual or suspicious activity.

At least bi-annual reviews of user accounts, privileged accounts, and service/system accounts are conducted according to a defined procedure. (Yes / No)
Reviewing user accounts, especially system/service and privileged user accounts, is an important step to ensure that only authorized accounts have access to sensitive data, and that accounts with administrative permissions (ability to install software) or elevated permissions (access to very sensitive data, e.g. HR/Payroll, Special ED or medical data) are current and the permissions are still needed.

The District has formally defined guidelines/practices for the use and protection of log-in (user account) information (passwords, PIN numbers, tokens, etc.). (Yes / No)
Having clearly understood rules for the safe use and handling of user accounts and log-in information is key to keeping data and systems safe from cyber criminals.

CRYPTOGRAPHY (Encryption)
Please select all statements that apply to your District:

The District has documented requirements for encrypting data at rest and in motion. (Yes / No)
Data at rest is data stored on a system or storage device. Data in motion is data traveling across the internet or network (e.g. https://) and is usually represented by a small lock icon in the upper left corner of the browser's address bar.
Having formal documentation calling out the need for and type of encryption to be used to protect data helps keep processes consistent. This is especially helpful when asking vendors to adhere to the District's encryption standards. Encryption is a technical way of making data unreadable in the event it is lost or stolen.

The District has implemented procedures for applying encryption at rest (e.g. storage) and in motion (e.g. https). (Yes / No)
Encryption has to be applied for it to work. Having a solid understanding of how to apply encryption is part of a solid security program. Encryption is a technical way of making data unreadable in the event it is lost or stolen. Data at rest is data stored on a system or storage device. Data in motion is data traveling across the internet or network (e.g. https://) and is usually represented by a small lock icon in the upper left corner of the browser's address bar.

Roles and responsibilities for encryption tool and key management have been defined by District leadership. (Yes / No)
Utilization of encryption requires the use of keys, just like a door lock. Given the volume of users and devices, having a solid practice for keeping track of and managing the keys is an important part of any security program.

SECURITY OPERATIONS
Please select all statements that apply to your District:

The District can monitor for and respond to security events and take appropriate action based on guidelines/procedures (policy). (Yes / No)
Having visibility into activities going on with devices and across the network is needed for rapid detection and response to security events. This is accomplished by active monitoring of District devices and networks.

Vendors have been assessed for risk and vendor systems are monitored for security events (if applicable). (Yes / No)
A lot of security events start with a vendor who has poor information/cyber security practices.
Holding your vendors to a high standard of information/cyber security supports student and staff safety.

INCIDENT MANAGEMENT
Please select all statements that apply to your District:

The District follows a formal process to report information security events, such as loss of service, loss of equipment, loss of facilities, system malfunctions, student information security events (student as attacker), human error and non-compliance with policies and information security guidelines. (Yes / No)
Knowing how and to whom to report security events can be the difference between a manageable security event and a full-blown disaster. Making sure all staff are trained on what to report, to whom and when, is as foundational as a fire drill.

Incident response procedures are tested on a periodic basis (bi-annually). (Yes / No)
Just like we do for fire drills, severe weather drills, and other safety drills, we must also practice our information/cyber security incident response procedures. It is simply another type of crisis for which to plan and prepare.

Evidence collection and forensic procedures are documented. (Yes / No)
Having a well-documented and understood evidence collection procedure can save you time and headaches. It is also necessary if you intend to pursue criminal charges. Key technology staff should be formally trained in the collection and handling of digital evidence. You may be able to get this training from a Digital Forensics Investigator course, your local School Resource Officer, Department of Homeland Security or the FBI.

BUSINESS CONTINUITY MANAGEMENT
Please select all statements that apply to your District:

The District has a documented Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP). (Yes / No)
The Business Continuity Plan is the set of steps and actions that are taken in the event of a significant disruption to District operations to ensure minimal impact and continued operations and learning.
The Disaster Recovery Plan is for recovering from a significant physical or digital disaster, e.g. a tornado hitting a building, a data center fire, or a fiber optic cable cut, to name a few. It will outline steps and procedures to ensure a timely recovery of critical services to restore District operations and learning as soon as possible given the nature of the disaster.

The District's critical assets have been identified and defined (critical asset defined as loss of asset would cause students to go home or District operations to stop). (Yes / No)
Critical assets are necessary for District operations and learning. These can include servers, HVAC, and physical security systems such as door locks, classroom phones and CCTV. They can also include systems such as HR/Payroll, lunch payment systems, etc. Each District has to decide for itself what is considered a critical asset (e.g. superintendent's laptop).

Disaster recovery plans are tested at least annually (within 12 months). (Yes / No)
Having a plan is great, but an untested plan is as good as no plan at all. Just like with fire drills, we MUST practice them at least annually.

COMPLIANCE (what does the law say)
Please select all statements that apply to your District:

All Federal, state and local regulations are followed by the District and its vendors (e.g. FERPA, COPPA, CIPPA, CCPA, GDPR, MNGDPA, etc.). (Yes / No)
One area that is often overlooked is vendor management. Are the vendors you do business with adhering to the relevant laws regarding student data? This can include things such as how soon they have to notify you in the event of a data breach they experience. If you are unsure whether your vendors are compliant, conduct a vendor risk assessment using a tool such as S2 Vendor.
https://securitystudio.com/vendors/

Security reviews, audits and assessments are conducted by an outside independent party on an annual basis. (Yes / No)
Having an outside independent security firm perform an assessment of your security program and practices is a key part of ensuring student and staff safety. Security is a complex area, and having an outside expert take a look at least annually can be the difference between finding a flaw that needs to be fixed and finding yourself on the news explaining why students had to go home due to a cyber-attack.

PHYSICAL CONTROLS
Physical security controls are the security controls that can often be touched and provide physical protection of District assets (door locks, CCTV, vape detector, emergency phone, etc.).

FACILITY SECURITY
Please select all statements that apply to your District:

District physical security policies and procedures are in place and include at a minimum: evacuation plans, active shooter response, lock down procedures, and severe weather events. (Yes / No)
Most of these procedures can be found in the District crisis management plans. If your District is lacking formal crisis management plans for security events, work with your school board and neighboring Districts to get one implemented ASAP.

District conducts physical security risk assessments at least annually in partnership with an outside security firm, School Resource Officer or other law enforcement agency. (Yes / No)
Physical security assessments are a critical part of any school safety plan. They should be conducted on an annual basis, with testing and spot checks performed quarterly at a minimum.

Public (main entrance during school hours) and non-public entrances are clearly marked. (Yes / No)
A security challenge faced by most school Districts is the handling of start/end of day and lunch time access, as generally there are some types of security exceptions in place allowing for multiple points of exit or entry for these time periods.
It is important to make the rules clearly understood and ensure extra monitoring during these times. Students are prone to being helpful and may open the door for any well-dressed adult or fellow student.

Non-public entrances are sufficiently secured with effective controls; this includes accounting for start/end of day and lunchtime exceptions. (Yes / No)
Having clear signage to redirect visitors to the appropriate entrance (usually the main entrance) is a best practice. Having these entrances locked, alarm protected and monitored by CCTV during school hours enhances the District's safety.

Procedures for securing the District facility during community use events have been established and documented. (Yes / No)
Community use of District facilities presents unique challenges for maintaining building security. Appoint a District representative (usually the custodian) to secure the facility during and after the community use event. A best practice is to train your staff on what suspicious activity looks like. One way to recapture the additional expense is to charge a security service fee for any community events.

CCTV is in use to monitor the exterior of the District facility (school grounds). (Yes / No)
Having CCTV to monitor the exterior (school grounds) of the District facilities enhances the overall physical safety of the facility. A consideration unique to schools is law enforcement access to District CCTV systems. If you allow law enforcement access, ensure you have appropriate security and legal controls in place.

CCTV is in use to monitor the interior of the District facility (school building). (Yes / No)
Having CCTV to monitor the interior (school building) of the District facility enhances the overall safety of the facility. A consideration unique to schools is law enforcement access to these CCTV systems. If you allow law enforcement access, ensure you have appropriate security and legal controls in place.

During the school day visitors are registered with the front office and must sign in and out. (Yes / No)
Checking visitors in and out of buildings is a key part of safety and security. Knowing who is in the building, when and why, enhances the overall safety of everyone in the building.

Locations of sensitive equipment, chemicals, dangerous machinery are known and secured. (Yes / No)
Having an understanding of the locations of sensitive equipment and dangerous substances or machinery, and ensuring those items are properly secured, is a core part of any security program. This is especially true in schools, where curious children could stumble upon something dangerous without an understanding of the consequences of their actions.

Athletic areas (e.g. sound booth, equipment room) are secured and monitored by CCTV if not staffed during the normal school day. (Yes / No)
Athletic areas (e.g. sound booth, equipment room) are an often overlooked part of a facility's security program. Best practice is to have CCTV and door alarms in place if these areas are not staffed.

EQUIPMENT AND INFORMATION
Please select all statements that apply to your District:

All sensitive systems and equipment are in secure areas (e.g. data center, data closets, maintenance areas, etc.). (Yes / No)
Keeping sensitive systems and equipment safe from tampering is an important part of a security program. As a rule you should keep all sensitive equipment secure and inaccessible to unauthorized people.

Areas containing sensitive equipment or systems have electronically controlled access (badge access) or are under surveillance from CCTV. (Yes / No)
Having a record of who has accessed sensitive areas can be an important piece of information when reconstructing a series of events following a security event.

Fire suppression control systems are adequate, code compliant and protected within a secure location. (Yes / No)
Ensuring the safety and security of fire suppression systems is very important to the safety of students and staff.

Backup power systems are in place for critical assets and life, health, safety systems (e.g. electronic door locks, CCTV, HVAC, etc.). (Yes / No)
Ensuring continuous power to critical systems for the protection of health, life and safety is a must-have. This should include any system that the District has deemed critical to health, life or safety. This should also include any system critical to District operations (student learning).

Sensitive areas/systems are reasonably secured after hours against entry or tampering (classrooms, network closets, media center, District office, etc.). (Yes / No)
Schools present a unique after-hours environment. Make sure doors are locked for areas not needed to support after-hours functions, and that those areas are monitored by CCTV in case of tampering. Generally speaking, any area that is not a common area should be locked.

TECHNICAL CONTROLS (INTERNAL)
Internal Technical Controls are used to protect the information and data systems from threats not addressed by external technical controls; this could include threats from rogue students or staff.

NETWORK CONNECTIVITY
Please select all statements that apply to your District:

The District has firewalls in place that separate all internal District networks from all public/guest networks. (Yes / No)
Ensuring public/guest internet traffic is separate from District internet and networks is a critical part of reducing cyber-crime.

Content filters are in use and kept up to date per CIPA (Children’s Internet Protection Act) and other state and federal requirements. (Yes / No)
Content filters keep the bad parts of the internet away from kids and staff. CIPA is the shorthand for the Children's Internet Protection Act. Categories for content filtering are typically defined in the content filter and kept up to date automatically by the content filter vendor. Always double check to ensure that updates from the vendor are happening and are properly applied to the content filter. In addition to CIPA there are other federal data protection requirements applicable to the District. Your state may also have additional requirements for the protection of student and staff data.

Malware scans are run periodically on all internal District networks. (Yes / No)
Malware is computer code or software that takes unauthorized actions, usually to steal data or gain control over District systems. Frequent scanning for malware contributes to student and staff safety.

Access control lists or VLANs are in place to segment critical/sensitive systems from other parts of the network. (Yes / No)
A VLAN is a Virtual Local Area Network. A Local Area Network (LAN) is a collection of computers on the same network. How LANs are designed varies widely from District to District. Sometimes a school building is a LAN; sometimes LANs comprise entire Districts. By separating buildings, systems and sensitive systems into separate VLANs you can reduce your risk to those systems. An access control list or ACL is a set of rules that tells each computer what it can access on the network or internet.

REMOTE ACCESS
Please select all statements that apply to your District:

Multi-factor authentication is used for remote (VPN) access to all District networks. (Yes / No)
Multi-Factor Authentication or MFA is when you have a second method of proving who you are when accessing a system.
This can come in the form of a text message, email, authenticator application on your phone, hardware token (USB stick) or a phone call. A VPN is a Virtual Private Network; this is a secure method of remotely connecting to the District's internal network.

Remote access connection attempts and traffic are constantly monitored. (Yes / No)
A remote connection attempt occurs when a computer not inside the school's network (building) attempts to access the District's network. Once a successful connection is made, the data exchanged between the computers is called traffic. Keeping a log of these connections and traffic can help you see valid traffic and potentially suspicious or harmful traffic.

Third-party remote access connections are only enabled after an adequate review of the third-party information security practices and protections. (Yes / No)
Third-party access (HVAC, managed services, hosted applications) can present an additional area of risk. Monitoring these connections can give you an early warning of trouble, allowing you to investigate and contain a security event before it gets out of hand. Ensuring your third parties have adequate security practices in place can reduce your risk of having a negative impact from the vendor's systems should they experience a security event.

DIRECTORY SERVICES
Please select all statements that apply to your District:

Staff accounts are periodically reviewed for validity and access levels. (Yes / No)
Reviewing staff accounts quarterly allows you to ensure only authorized staff members have access to the information needed to perform their duties. It also allows you to remove any access or account that is no longer valid due to role changes or departure.

Student accounts are periodically reviewed and decommissioned once the student is no longer in the District. (Yes / No)
Cleaning up student accounts annually ensures that the District only has authorized students in the system.
Often students who have left the District still maintain access to District resources.

Service accounts are periodically reviewed for validity and access levels. (Yes / No)
Service accounts are a key part of ed tech / IT operations. Generally they are created for automated jobs that need to run (e.g. backups, data transfers/updates) or for software applications to function properly. Reviewing service accounts periodically (quarterly) helps ensure only authorized accounts can access sensitive data. Abuse of these accounts is also a common method of cyber criminals to access data, so keeping an eye on them is an important step in protecting safety and data.

3rd-party accounts are periodically reviewed for validity and access levels. (Yes / No)
Third-party accounts are a key part of ed tech / IT operations. Generally they are for automated jobs that need to run (e.g. backups, data transfers/updates) or for software applications to function properly. Reviewing these periodically (quarterly) helps ensure only authorized accounts can access sensitive data. Abuse of these accounts is also a common method of cyber criminals to access data, so keeping an eye on them is an important step in protecting safety and data.

The District uses group policy or other centralized account management solution. (Yes / No)
Having a centralized account management solution (e.g. Active Directory, NetWare, Google, LDAP or other directory service) for managing users, computers and applications makes it much easier to keep track of and administer the users, computers and applications in use by the District.

SERVERS AND STORAGE
Please select all statements that apply to your District:

All servers (on prem and cloud hosted) have anti-malware protection installed. (Yes / No)
Anti-malware is special software that detects and blocks known malware strains, just like immunization protects from a real virus. Computer virus malware is a virus that is a whole computer program.
Having anti-malware software installed is like having a vaccination against the virus.

Critical servers have additional protections such as local firewall, file integrity monitoring and host-based intrusion prevention. (Yes / No)
Your most critical servers are the "Crown Jewels" of the District. These are the systems that allow learning to happen and that control safety, building access and communication. Without any one of these systems students would have to be sent home. Having appropriate protections in place for these systems is paramount. A local firewall is a software application that keeps the bad internet traffic away from the computer. File integrity monitoring helps you to know if the data in a file is trustworthy. Host-based intrusion prevention allows you to block someone who is attempting to gain unauthorized access to a District system.

Servers are prevented from using other services not relevant to server operation, such as checking email or browsing the web. (Yes / No)
As a general rule, servers should only be allowed to perform the actions that are specific to their purpose. Doing additional activities on these systems, such as surfing the web or checking email, can present significant additional risk to these systems that they would not otherwise face.

ED-TECH SYSTEMS
Please select all statements that apply to your District:

All Ed-tech devices (workstations, laptops, Chromebooks, iPads, tablets) have anti-malware protection installed. (Yes / No)
Anti-malware is special software that detects and blocks known malware strains, just like immunization protects from a real virus. Computer virus malware is a virus that is a whole computer program. Having anti-malware software installed is like having a vaccination against the virus.

Users do not have local admin rights to their devices. (Yes / No)
Most users do not need local admin rights on their devices.
Local admin rights are an elevated type of computer account that allows for special activities that are potentially dangerous to the safety and security of the system. If we follow the rule of least privilege, a user should only have the level of access they need to perform their job duties; anything above that presents a risk to the safety and security of the District and students.

Ed-Tech devices are built and deployed according to secure standards or using a pre-hardened build. (Yes / No)
Using a pre-hardened image helps you maintain consistency and improves your system security. A hardened image means that the configuration of the operating systems and software applications has been defined and set up in advance so that all systems have equal settings configured to the current best practices as recommended by security professionals. An image is a "template" of a computer's setup. Using images reduces setup time and ensures uniform consistency across all District devices.

MOBILE DEVICES (e.g. cell phones, laptops)
Please select all statements that apply to your District:

The number, type and assignment of mobile devices throughout the District is well-known and documented. (Yes / No)
Having an accurate inventory of all mobile devices helps you keep track of the comings and goings of these devices. Mobile devices are more susceptible to attack given their mobile nature: they are more likely to connect to public networks, or be lost or stolen, than stationary devices within the District facility.

Encryption is enabled on mobile devices. (Yes / No)
If a device were to be lost or stolen, having encryption in place would greatly reduce the chances that the data could be accessible.

Staff mobile devices are configured to only allow connection to approved wireless networks. (Yes / No)
Configuring devices to only connect to approved networks greatly reduces the chances the device will be exposed to questionable networks and cyber criminals.
Approved networks are networks that are trusted by the District, usually the staff network and any approved VPN or mobile internet hotspot for remote work.

LOGGING, ALERTING, AND MONITORING
Please select all statements that apply to your District:

The District captures event logs for activities such as logon/off, failed password attempts, PowerShell execution, local admin use and file server access. (Yes / No)
Logs are records of activity kept by the computer. Logs are the primary means that security professionals use to reconstruct a series of events to catch the activities of cyber criminals. The better your logs, the greater the chance you catch something suspicious early and can actually tell what is going on with your systems.

Logs are sent to a separate logging collection system or off network storage (off site). (Yes / No)
Sending your logs to a location separate from the District's network (off site) is a way to protect the integrity of the information should it be needed to reconstruct a series of events for investigation of a security event or be provided to law enforcement as evidence.

VULNERABILITY MANAGEMENT
Please select all statements that apply to your District:

The District has a formal vulnerability and patch management program in place (e.g. patches/updates are applied on a pre-defined schedule, emergency patches/updates are applied on an as-needed basis). (Yes / No)
Keeping systems up to date is the #2 thing you can do to reduce your risk of a security event. #1 is user awareness training. Following a pre-defined schedule can make this task easy. The majority of successful cyber-attacks leveraged a security vulnerability that was fixed (patched) by the manufacturer 6 months ago or longer.
Keeping your systems up to date is a key part of any security program.

BACKUP AND RECOVERY
Please select all statements that apply to your District:

A backup inventory (what is backed up and how often). (Yes / No)

Backups are stored in a location a reasonable distance away from the primary location. (Yes / No)

Backups are tested and validated on a periodic basis. (Yes / No)

TECHNICAL CONTROLS (EXTERNAL)
External Technical Controls are used to protect the information and data systems from threats not addressed by internal technical controls. This could include threats from outside bad actors.

BEST PRACTICES
Please select all statements that apply to your District:

Firewall rules are reviewed on a regularly scheduled basis. (Yes / No)
Reviewing your firewall rules on a quarterly basis ensures only authorized network traffic is being permitted. Cyber threats change daily, so a frequent review of your firewall rules is a best practice.

Network based intrusion detection/prevention (IDS/IPS) has been deployed to protect public facing systems from internet-based attacks. (Yes / No)
IDS stands for Intrusion Detection System. This is software that actively looks for attempts to access District systems from an unauthorized computer or network connection. IPS stands for Intrusion Prevention System. This is software that blocks unauthorized attempts to access District computers, networks and systems. You want to have IPS/IDS in place on any public/internet facing system. Having this implemented will help you see the cyber criminals before they complete a successful attack and disrupt District operations or, worse yet, steal District data.
The District conducts a penetration test of the external facing systems at least annually. (Yes / No)
Having a professional penetration test (cybersecurity professionals behaving like nefarious hackers, aka cyber-criminals) on your external / internet facing systems can help you see the risk facing these systems and better prepare you to defend against real cyber-criminals who are looking to cause disruption, physical harm and steal your data for profit.

External vulnerability scans are performed on a quarterly basis. (Yes / No)
Scanning external / internet facing systems for known vulnerabilities will help you keep students and staff safe from the perils of cyber-crime, which can have physical consequences (think door security systems, CCTV, fire alarm). The better prepared you are to know your risks, the better prepared you are to protect yourself from them.