Getting Ahead of the Security Curve

By Robert Allende on December 17, 2020

Identifying your K-12 security landscape: vulnerabilities, threats and risks

K-12 education institutions have been hit from many angles: bad actors, budget cuts, ongoing pandemic circumstances, staffing issues, and growing technology and compliance requirements, all compounded by an evolving security threat landscape. In addition, due to staffing and lean budgets, many K-12 school districts have developed security capabilities out of necessity rather than through planning and a structured program approach.

 

The end result of this complex set of circumstances has often been a mixed approach to cyber security that is based on budget availability and initial need, rather than a planned approach supported by a formal security program framework.

 

A more comprehensive, long-term approach starts with a continuous method (security assessment) for identifying everything your K-12 district should consider: your specific security requirements, critical systems and threats by impact. That process feeds into a simple risk management program. The outcome of the risk management program will drive short-, mid- and long-term security program, budget and staffing plans that are based on your specific needs, not vendor-dictated features and the latest technology “must have” feature sets.

 

What keeps your K-12 in play?

 

A key component of a security lifecycle program is the security assessment function, which identifies the components that are mission critical to your K-12 district. My suggestion: Go outside the typical network security box, include all items associated with critical functions and services important to your K-12 district, and then apply security to the items identified.

 

Examples of critical items can include:

  • All applications needed to provide education to students, Student Information Systems, HR & payroll, vendor management, procurement and cloud-based services
  • Staffing functions and facility support: IT, security, senior administration, legal, HR and compliance personnel and all associated workflow capabilities, critical facility functions (ex: water, HVAC & electricity)
  • Network and IT functions: Email system, text & 911 support, critical network devices, must-have security sensors, backup and failover capabilities
  • Emergency Support: Access to extended IT support, emergency responders, facility management and catastrophic support personnel

 

The goal behind the process is to identify what is really needed to keep your K-12 in operation and to place your security budget and efforts around securing critical items, as opposed to implementing general security measures, which typically don’t ensure critical systems stay protected and functional during time of need. Security is there to ensure continuous K-12 operations and the systems needed to support them. The continued assessment process is a fundamental component of the overall lifecycle approach.

 

Creating a Security Lifecycle

The time is now to ensure your K-12 organization’s security framework and practices are optimized for managing your K-12 cyber security risks. If you do not have a recurring 3-year security plan, create one. The program starts with a quality security assessment to help create a foundation for your K-12 specific lifecycle plan. A comprehensive cyber security framework doesn’t happen overnight, so give yourself a roadmap to follow as you build the capacity you need.

 

To keep your valuable K-12 security resources focused, it is critical to use the Security Lifecycle plan to clearly identify what you need to be working on now and what’s next in your security planning and work plan program.

 

This security plan will help you identify critical issues, open items in need of remediation, outline overall security risk for your K-12 district and help you set a plan and budget on a 3-year program lifecycle.

 

These security opinions and recommendations are based on the outcome of numerous security discussions with K-12 and higher education customers. If you would like to discuss more or see how these recommendations can apply to your K-12 district, please contact Red River. We are here to help.

 

security@redriver.com