Hidden
score_text_good
A S "Satisfactory" estimated S2Score® means that you have really spent time, effort and made investments in building a good information/cybersecurity program. The foundation of your program is laid, and now you're in "maintenance mode," although you still have some major projects and tasks to accomplish. Your risk exposure starts to diminish for Districts with a "Satisfactory" S2Score, so it's very important to spend your time and investments wisely and to effectively communicate your information/cybersecurity measurement of risk. To accomplish this, schedule the full S2School assessment with your info/cybersecurity partner, which will give you a clear picture of where to focus via a detailed Action Plan.
Hidden
score_text_excellent
An E or "Exceeds" S2Score® is a rarity and something to take pride in. It's obvious that your District has spent significant amounts of time, effort and investments to build a best-in-class information/cybersecurity program. You have the proper structures in place to maintain what you've painstakingly built, and now you can focus on 1) continuous improvement and 2) finding more tangible returns for your investment. Schedule the full S2School assessment with your info/cybersecurity partner, which will give you a clear picture of where to focus via a detailed Action Plan, so you can share this with your team, District Leadership, and School board. A compromise of your defenses will always be a possibility, but you will likely detect such an event early on and be able to limit damages.
Hidden
score_text_fair
A P "Progressing" estimated S2Score® means that you have done some good things with respect to your Districts information/cybersecurity; however, significant gaps/risks still exist. Some of the foundational components of the program are in place, and it's time for the program to mature into a more formal initiative. This is the point in the program where information/cybersecurity efforts and investments need to start providing real and tangible results. The question, "where should we focus our time and investments?" is an important one to support with facts instead of gut instinct. Start by scheduling the full S2School assessment with your info/cybersecurity partner, which will give you a clear picture of where to focus via a detailed Action Plan. A compromise is still very much possible, but you are more likely to detect it and respond with some effectiveness. If District Leadership is involved with information/cybersecurity, which they probably are, continued improvement will only help them make better risk-based decisions.
Hidden
score_text_poor
A I "Insufficient" estimated S2Score® means that you have significant areas of improvement for information/cybersecurity in your District. Your information/cybersecurity program is not mature enough for sustained improvement, and a significant compromise is possible in the short term. Whether or not your District would notice the threat, attack, data loss or system compromise is not well known. Without significant improvements in your information/cybersecurity program, District Leadership’s decisions regarding security may not be easily defended should an adverse event occur. It’s imperative that you schedule the full S2School assessment with your info/cybersecurity partner, which will give you a clear picture of where to focus via a detailed Action Plan.
Hidden
score_text_verypoor
A GS "Getting Started" estimated S2SCORE® usually means that you’re at the beginning of your security journey or that haven't yet taken the necessary basic steps to protect your District from a variety of risks and threats. The information/cybersecurity program lacks formality, and a significant compromise is highly probable in the short term. To make matters worse, depending upon the type of threat, the system compromise may go unnoticed for an extended period of time. If a systems compromise were to become publicly known, District Leadership may not have the necessary proof to defend the District against civil actions. It’s imperative that you schedule the full S2School assessment with your info/cybersecurity partner, which will give you a clear picture of where to focus via a detailed Action Plan.
ADMINISTRATIVE CONTROLS Administrative Controls are the way that we define the information/cyber security strategy, roles and responsibilities of workforce members (People).
RISK MANAGEMENT Please select all statements that apply to your District:
Information/cyber security risk management processes are formally established, managed and agreed to by District leadership. Risk Management is the set of activities taken to reduce or prevent a risk from having a negative impact to District operations.
The District approach to information/cyber security risk management is comprehensive; accounting for administrative (people), physical and technical threats as well as potential risks (vulnerabilities). Comprehensive approach means to have cross functional teams comprised of stakeholders from each District function not just District technology team.
Technical threats usually come in the form of virus, ransomware, DDOS or systems compromise.
The District has transferred some information security risk by obtaining cyber liability insurance. Having cyber liability insurance is a critical component of any basic information/cyber security program, having adequate and appropriate coverage can be the difference between recovering quickly from an event or being down for weeks.
INFORMATION SECURITY GOVERNANCE Please select all statements that apply to your District:
The District has defined a set of information security guidelines or procedures (policies) that are formally approved by District leadership (superintendent and/or school board). Having formal security guidelines or procedures for how you are going to deal with the various aspects of info/cyber security is a critical part of any Districts security program. Sometimes guidelines or procedures are referred to as IT Security Policy, this is not school board policy, at a minimum you should have a school board policy that refers to the security guidelines or procedures for specifics.
Information security guidelines or procedures (policies) have been school board or District leadership within the last twelve (12) months or less. It is necessary for District leadership to review any security guidelines or procedures at least annually or after any changes to ensure they are up to date and adequate. This responsibility can be delegated to a director of technology or a similar role.
District has identified and empowered a director of technology, school board member, CISO or similar position within the District. Having a single point person appointed to be responsible for the day to day info/cyber security operations is a must have, most Districts allow for the superintendent to delegate this responsibility to the CTO or Director of technology for the District.
HUMAN RESOURCES SECURITY Please select all statements that apply to your District:
District leadership endorses and complies with the District's security guidelines or procedures (policies). Having official support of the adopted security guidelines or procedures from District leadership is important to a successful security operations program.
The District has developed and implemented a formal curriculum for information/cyber security security awareness, security education and training programs. Formal curriculum for information/cyber security can come in many forms, it could be a webinar, all staff presentation, phishing awareness training with just in time training or a you tube video, at a minim the curriculum should include safe use of user names and passwords, what a security event looks like, who to report it to and when to report.
Background checks are performed on employees, third-party contractors and other associates in accordance with their roles and responsibilities, job functions and sensitive data access. Background checks are not only important for physical safety but digital safety as well. Only allowing cleared people to access sensitive data is one more step you can take to keep students and staff safe from cybercrime.
ASSET MANAGEMENT Please select all statements that apply to your District:
An asset management guideline/process exists and accounts for all information assets (physical, software and data) from acquisition through disposition/disposal. An asset is any hardware device or software application used by the District to support learning or District operations.
Any time a change is made to the inventory (new purchase, disposal of old equipment or software) it should be updated. Having a complete and up to date asset inventory will reduce the time it takes to respond and ultimately recover from a security event.
Asset and/or information (data classifications per state standards, regulations, law) requirements have been defined, including the acceptable controls for protection. Acceptable controls are the steps you have taken to ensure the protection of the sensitive data in your care. You may have specific steps you have to take depending on your local laws. Consult an attorney for more information on your local requirements.
A complete, up-to-date, and detailed inventory of all cloud hosted services used by the District is maintained. The cloud is simply computer you don't own or have physical access to, you still have the same obligations to inventory, monitor and protect these systems and the data on them.
Some examples of cloud services commonly seen in Districts include student information system (SIS), HR / payroll system, HVAC systems, meals, fess, and activities payment systems.
FACILITY ACCESS MANAGEMENT Please select all statements that apply to your District:
The District has documented processes and procedures for the protection of physical facilities including access controls, both physical and logical. Physical safety is a critical part of information/cyber security Physical controls include items such as door locks, CCTV and door alarms
Logical controls include locking the device when is it not in use and monitoring for unusual or suspicious activity.
At least bi-annual reviews of user accounts, privileged accounts, and service/system accounts are conducted according to a defined procedure. Reviewing user accounts, especially system/ service and privileged user accounts, is an important step to ensure that: only authorized accounts have access to sensitive data; accounts with administrative permissions (ability to install software) or elevated permissions (access to very sensitive data, e.g. HR/Payroll, Special ED or medical data) are current and the permissions are still needed.
The District has formally defined guidelines / practices for the use and protection of log-in (user account) information (passwords, PIN numbers, tokens, etc.). Having clearly understood rules for the safe use and handling of user accounts and log-in information is key to keeping data and systems safe from cyber criminals.
CRYPTOGRAPHY (Encryption) Please select all statements that apply to your District:
The District has documented requirements for encrypting data at rest and in motion. Data at rest is data stored on a systems or storage device.
Data in motion is data traveling across the internet or network (e.g. https://) and is usually represented by a small lock icon in the upper left corner of the browsers address bar.
Having formal documentation calling out the need for and type of encryption to be used to protect data helps keep processes consistent. This is especially helpful when asking vendors to adhere to the District's encryption standards.
Encryption is a technical way of making data unreadable in the event it is lost or stolen.
The District has implemented procedures for applying encryption at rest (e.g. storage) and in motion (e.g. https). Encryption has to be applied for it to work. Having a solid understanding of how to apply encryption is part of a solid security program.
Encryption is a technical way of making data unreadable in the event it is lost or stolen.
Data at rest is data stored on a systems or storage device.
Data in motion is data traveling across the internet or network (e.g. https://) and is usually represented by a small lock icon in the upper left corner of the browsers address bar.
Roles and responsibilities for encryption tool and key management have been defined by District leadership. Utilization of encryption requires the use of keys just like a door lock. Given the volume of users and devices, having a solid practice for keeping track of and managing the keys is an important part of any security program.
SECURITY OPERATIONS Please select all statements that apply to your District:
The District can monitor for and respond to security events and take appropriate action based on guidelines/procedures (policy). Having visibility to activities going on with devices and across the network is needed for rapid detection and response to security events. This is accomplished by active monitoring of District devices and networks.
Vendors have been assessed for risk and vendor systems are monitored for security events (if applicable). A lot of security events start with a vendor who has poor information/cyber security practices. Holding your vendors to a high standard of information/cyber security supports student and staff safety.
INCIDENT MANAGEMENT Please select all statements that apply to your District:
The District follows a formal process to report information security events, such as loss of service, loss of equipment, loss of facilities, system malfunctions, student information security events (student as attacker), human error and non-compliance with policies and information security guidelines. Knowing who and how to report security events to can be the difference between a manageable security event and a full blown disaster. Making sure all staff are trained on what to report, to whom and when, is as foundational as a fire drill.
Incident response procedures are tested on a periodic basis (bi-annually). Just like we do for fire drills, severe weather drills, and other safety drills, we must also practice our information/cyber security indecent response procedures. It is simply another type of crisis for which to plan and prepare.
Evidence collection and forensic procedures are documented. Having a well documented and understood evidence collection procedure can save you time and headaches. It is also necessary if you intended to pursue criminal charges.
Key technology staff should be formally trained in the collection and handling of digital evidence. You may be able to get this training from a Digital Forensics Investigator course, your local School Resource Officer, Department of Homeland Security or the FBI.
BUSINESS CONTINUITY MANAGEMENT Please select all statements that apply to your District:
The District has a documented Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP). The Business Continuity Plan is the set of steps and actions that are taken in the event of a significant disruption to District operations to ensure minimal impact and continued operations and learning.
The Disaster Recovery Plan is for recovering from a significant physical or digital disaster e.g. tornado hits building, data center fire, fiber optic cable cut, to name a few. It will outline steps and procedures to ensure a timely recovery of critical services to restore District operations and learning as soon as possible given the nature of the disaster.
The District's critical assets have been identified and defined (critical asset defined as loss of asset would cause students to go home or District operations to stop). Critical assets are necessary for District operations and learning. These can include Servers, HVAC, physical security systems such as door locks, classroom phones and CCTV. They can also include systems such as HR/Payroll, lunch payment systems, etc. Each District has to decide for themselves what is considered a critical asset. (e.g. superintendent's laptop)
Disaster recovery plans are tested at least annually (within 12 months). Having a plan is great but an untested plan is as good as no plan at all, just like with fire drills we MUST practice them at least annually.
COMPLIANCE (whats the law say) Please select all statements that apply to your District:
All Federal, state and local regulations are followed by the District and its vendors (e.g. FERPA, COPPA, CIPPA, CCPA GDPR, MNGDPA, etc.). One area that is often overlooked is, vendor management. Are the vendors you do business with adhering to the relevant laws regarding student data? This can include things such as how soon they have to notify you in the event of a data breach they experience. If you are unsure if your vendors are compliant conduct a vendor risk assessment using a tool such as S2 Vendor.
https://securitystudio.com/vendors/
Security reviews, audits and assessments are conducted by an outside independent party on an annual basis. Having an outside independent security firm perform an assessment of your security program and practices is a key part of ensuring student and staff safety. Security is a complex area and having an outside expert take a look at least annually can be the difference between finding a flaw the needs to be fixed and finding yourself on the news explaining why students had to go home due to a cyber- attack.
