a cosn leadership initiative in partnership with mass networks education partnership (mnep)

© CoSN/MNEP 2005 http://SecureDistrict.CoSN.org 1

Consortium for School NetworkingConsortium for

A CoSN Leadership Initiative In Partnership with

Mass Networks Education Partnership (MNEP)

www.securedistrict.cosn.org



The Mission

Provide vendor-neutral tools to help policy makers and technology leaders work together for effective action to:

1) analyze their district’s level of Cyber Security preparedness and vulnerability;

2) prioritize and implement the steps needed to improve their security status;3) prepare to ensure operational continuity

when a problem slips through.…in ways that helps technology contribute to their school’s primary goal of teaching and learning



Cyber Security Sponsorship

Additional support from:

BellSouth Foundation, Enterasys, Microsoft, Sonic Wall, Sun Microsystems, and media partner CMP’s Technology & Learning

magazine

In collaboration with the Northwest Regional Education Laboratory



Attack Sophistication vs. Intruder Knowledge

Source: w

ww

.cert.org



Why Worry?

A c c id e n ta l A c t io n s b y P e o p le

S t u d e n t s , s t a ff O u t s i d e r s I T s t a ff

D e l ib e ra te A c t io n s b y P e o p le S t u d e n t s S t a ff O u t s i d e r s A n o n y m o u s

R is k F a c to rs

P o te n t ia l O u tc o m e s

D i s c l o s u r e o r p u b l i c a t i o n o f s e n s i t i v e i n f o r m a t i o n

I n t e r r u p t i o n o f s e r v i c e o r a c c e s s

e m a i l , I n t e r n e t a d m i n i s t r a t i v e i n f o t e a c h i n g t o o l s , m a t e r i a l s

M o d i fi c a t i o n

o r c o r r u p t i o n o f

i n f o r m a t i o n s y s t e m s

D e s t r u c t i o n o r L o s s

i n f o r m a t i o n h a r d w a r e s o f t w a r e

S ys te m P ro b le m s

H a r d w a r e d e f e c t s N e t w o r k l i m i t s A p p l i c a t i o n d e f e c t s M a l w a r e a t t a c k s

P h ys ic a l P la n t , E n v iro n m e n t

p o w e r o u t a g e s h e a t , h u m i d i t y t e l e c o m m , I S P o u t a g e s F l o o d s , fi r e , e a r t h q u a k e s N o n - s e c u r e f a c i l i t i e s

A s s e t



Safety vs. Security•Safety: Individual behavior- Teaching someone to drive safely.

* Don’t give out personal information

* How to handle “inappropriate” material

•Security: An organizational responsibility- Making sure the car functions properly.

* Preventing virus penetrations

* Maintaining operational continuity during a crisis


Consortium for School NetworkingConsortium for Website: Home Page



The Planning Protocol

Outcome:Outcome:Security Project Description

goalsprocessesresourcesdecision-making standards

Phase 1: Set Security Goals

Outcome:Outcome:Prioritized Risk Assessment

A ranked list of vulnerabilities to guide Risk Reduction efforts

Phase 2: Risk Analysis

Outcome:Outcome:Implemented Security Plan

Risk Analysis and Risk Reduction Processes must be regularly repeated to ensure effectiveness

Phase 3: Risk Reduction

Outcome:Outcome:Crisis Management Plan

A blueprint for organizational continuity

Phase 4: Crisis Management



Some of the Tools Ten Questions Superintendents Most Often

Ask Eight Questions A Superintendent Should

Ask the Chief Technology Officer Cyber Security: An Introductory Slide

Show Self-Assessment Checklist Cyber Security Planning Grid Security Planning Template Cautionary Tales Case Studies Newsletter Plus: Workshops, Webinars, and Articles



Eight QuestionsEight Questions

Question 1:

How are we doing so far?

IncidentsIncidents.. Over the past year:

Was confidential data compromised?Was data lost or corrupted?Was equipment stolen or misused?Was email or Internet service interrupted?Did virus or spam attacks cause shutdowns?

Causes.Causes. Were problems caused by:

Inadequate technical safeguards?Insufficient staff training?Unauthorized access to or use of systems by insiders?Intrusion by outsiders?

Impact.Impact. Did security problems result in:

Loss of efficiency, productivity, or other costs?Failure to meet district educational objectives?Damage to reputation?Harm to students or staff?

A Superintendent Should Ask The Chief Technology Officer



Eight QuestionsEight Questions

A Superintendent Should Ask The Chief Technology Officer

1. How are we doing so far?2. Do we have a security plan?3. Do we have adequate security and privacy policies in

place?4. Are our network security procedures and tools up to date?

5. Is our network perimeter secured against intrusion?6. Is our network physically secure?7. Have we made users part of the solution?8. Are we prepared to survive a security crisis?



Five topic areas to get a handle on where the district is nowFive topic areas to get a handle on where the district is now

Topic Area

1. Management

2. Technology

3. IT Operations

4. Physical and Environmental Security

5. Users

District Security ChecklistDistrict Security Checklist



Area Topic Points

1. Management

2. Technology

3. IT Operations

4. Physical and Environmental Security

5. Users

Topic Area Points

1. Management

Do you have a Security Plan, less than 12 months old, in place? 10

Have you performed a Security Audit in the past 12 months 5

Is security planned and managed by a Security Leadership Team?

6

Do you have an updated Crisis Management plan in place? 10

Do you have detailed District Security Policies in place? 4

District Security ChecklistDistrict Security Checklist



District District Security Security ChecklistChecklist



Risk Reduction

The Security Grid•Organized in Rubric format

• You know where you are• You know what are the

priority issues• You know what are the

next steps



Security Planning Grid

Provides benchmarks for assessing key security preparedness Provides benchmarks for assessing key security preparedness factors factors

Uses the same topic areas for consistencyUses the same topic areas for consistency Helps prioritize security improvement action stepsHelps prioritize security improvement action steps

Security Area Basic Developing Adequate Advanced

Management

Leadership:

Little participation in IT security

Aware but little support provided

Supports and funds security

Aligns security with organizational mission

Technology

Network design and IT operations:

broadly vulnerable

security roll out is incomplete

mostly secure seamless security

Environmental & Physical:

Infrastructure:

not secure partially secure mostly secure secure

End Users

Stakeholders:

unaware of role in security

Limited awareness and training

Improved awareness, Mostly trained

Proactive participants in security



Management

Basic Developing AdequateAdequate AdvancedAdvanced

District Leadership

Oversight:-- goals

No articulated security goals.Security goals sketched out.

Security goals stated clearly.Security goals stated clearly.

-- legal complianceAwareness of legal issues: basicExtent of compliance: unknown

Awareness: growingCompliance: OK at network level

Awareness: desktop to internetCompliance: not fully auditable

Awareness: desktop to internetCompliance: fully auditable

-- policyNo policy specifically targets technology use.

Policy in early stages, addresses legal issues.

Policy ties technology use to mission.

Policy meshes seamlessly with district mission.

Support: -- budget & staffing-- communication

No support specifically for security

“Security” is not a budget line item

Commitment to TCO-based budgeting and HR needs.Appropriate communication.

Strong support restrained by performance indicators.Effective communication.

Security Management

Security Team: Charter

No formal Security Team Team lacks formal authorization.

School Board approves Team purpose

School Board reviews Team accomplishments

Security Team: Members

Informal Team Stakeholder groups representedStrong leadership representation

Security Planning

Security Plan No security plan. Basic security plan.Security plan linked to goals & audit.

Security plan linked to goals & audit.

Security Audit No security audit.Internal security audit done.

External security audit done.External security audit done.

Crisis Management Plan

No Crisis Mgt Plan specifically for IT.

Basic IT Crisis Mgt Plan. Updated IT Crisis Mgt Plan.IT Crisis Mgt Plan fully tested.

Security Implementation

IT Staffing Levels staff - computer ratio 1:>750staff - computer ratio 1:750

staff - computer ratio 1:500 staff - computer ratio 1:250

Staff competency Generalists lacking expertiseGeneralists; few network specialists

Differentiated expertiseDifferentiated expertise, cross-trained

Security Staff No one paying attention to security

CTO or other management staff also deals with security

A staff person focuses on securityA Chief Security Officer exists

Security Planning GridSecurity Planning Grid


Consortium for School NetworkingConsortium for Phase Three: Risk

Reduction

ManagementManagement Basic Developing AdequateAdequate AdvancedAdvanced

District Leadership

Oversight:-- goals

No articulated security goals.

Security goals sketched out but little substance.

Security goals stated clearly.

Security goals stated clearly.

-- legal compliance

Awareness of legal issues: basicExtent of compliance: unknown

Awareness: growingCompliance: OK at network level

Awareness: desktop to internetCompliance: not fully auditable

Awareness: desktop to internetCompliance: fully auditable

-- policy No policy specifically targets technology use.

Policy in early stages, addresses legal issues.

Policy ties technology use to mission.

Policy meshes seamlessly with district mission.

Support: -- budget & staffing-- communication

No support or communication specifically for security.

Support is inconsistent. No budget line item for “Security”

Commitment to TCO-based budgeting and HR needs.Appropriate communication.

Strong support restrained by performance indicators.Effective communication.



Consortium for School NetworkingConsortium for Phase Three: Risk

Reduction

Management Basic Developing AdequateAdequate AdvancedAdvanced

Security Planning

Security Plan

No security plan.Basic security plan.



Security Audit

No security audit.Internal security audit done.

External security audit done.

External security audit done.

Crisis Management Plan

No Crisis Mgt Plan specifically for IT.

Basic IT Crisis Mgt Plan.

Updated IT Crisis Mgt Plan.

IT Crisis Mgt Plan fully tested.




Technology Basic Developing AdequateAdequate AdvancedAdvanced

Architecture

Architecture: overview

Architecture at basic stage

Architecture lacks capacity for growth

Appropriate Architecture

Appropriate Architecture with room to grow.

Perimeter Defense

DMZ, Firewall, Virus Protection, Content and Spam Filters, VPN, Wireless Access

No DMZ.No Virus protection, content filtering at minimal levels

Basic DMZ. Firewall functions separated from servers; patch mgt remains manual.

Full DMZ. All email, web services protected. Automated patch management.

Full DMZ. All protection services are automated; network monitored in real time.

WAN Design

Plan:-- Authorization-- AuthenticationImplementation:-- Standardization-- Centralized Mgt

WAN incomplete;no redundancy or standardization

WAN almost complete; building LANs not standardized.Redundancy only on most critical network components

WAN complete; properly segmentedMost building LANs standardized.Centralized mgt is incomplete

Centralized WAN management. Redundancy for network components

Internet

Bandwidth, Internet Access

Minimal: may match current needs

Inadequate for accelerating demands

Bottlenecks occur during peak demand

Capacity for future demands

Security Planning GridSecurity Planning Grid Phase Three: Risk

Reduction



End user computers

Installation, repair

Patch Mgt, Updates

Software Licensing

Password Mgt

User Support

End user computer security not enforceable or verifiable.

Manual patching: inconsistent updates.

Lack of user support severely limits productivity

End user computer security improved but not enforceable.

Patching is manual but consistent

User support frequently delayed

End user computer security enforceable or verifiable.

Automated patching and updates in most buildings

User support meets minimal requirements

End user computer security is effective throughout district

Fully automated updates or thin-client setup.

Multi-tier user support results in significantly improved outcomes.

IT Operations

LAN Mgt 'Fire-fighting' mode 'Growing pains' 'Reliable technology' ‘Growth-oriented'

Backups

Network Monitoring

Documentation

External Vendors

-- Backups not secure--Few standards or policies

--Systems occasionally down

--No preventive maintenance

--External vendors: not documented

-- some standards, few policies-- Systems usually reliable

-- monitoring & maintenanceon critical devices

-- External vendors: not verified

-- Standards & policies in place.-- Systems rarely down

-- routine maintenance butdocumentation still skimpy

-- External vendors: not audited

-- clear policies-- effective, flexible standardization

--Systems: highly reliable-- efficient maintenance-- appropriate documentation-- All vendors: fully audited

Security Planning GridSecurity Planning Grid Phase Three: Risk

Reduction


Consortium for School NetworkingConsortium forhttp://SecureDistrict/

CoSN.org



NEW -- CoSN Leadership Initiative

Accessible Technologies for All Studentswww.accessibletech4all.org

Increased Achievement and Success for All Students through the Use of Accessible Technologies



Taking Total Cost of Ownership (TCO) to the Classroomwww.classroomtco.cosn.org

Other CoSN Leadership Initiatives

Safeguarding the Wired Schoolhousewww.safewiredschools.cosn.org

3D: Vision to Know & Dowww.3d2know.cosn.org



CoSN’s mission is to advance the K-12 education community’s capacity to effectively use technology to improve learning through advocacy, policy and leadership development

www.cosn.org

The Cyber Security project is done in partnership with: Mass Networks Education Partnership

www.massnetworks.org email: [email protected]

http://securedistrict.cosn.org



Keith Krueger,[email protected]

www.cosn.org1710 Rhode Island Avenue NWSuite 900Washington, DC 20036-3007

a cosn leadership initiative in partnership with mass networks education partnership (mnep)

Documents