cyber security planning rubric 006 - k-12 blueprint · security planning rubric ... district...

Post on 13-May-2020


Security Planning Rubric

The grid below describes the status of issues that districts can examine to determine their current degree of security preparedness. Each item is rated at one of four levels: Basic, Developing, Adequate, and Advanced.

Management

District Administrative Leadership: Security Goals
Basic: Provides minimal direction and oversight on IT-related security issues to stakeholders and district leadership. Acknowledges efforts made by CTO to meet governing security and confidentiality requirements.
Developing: Develops a basic mission statement on security that is shared and acted upon by IT department. Authorizes CTO to ensure compliance with governing security and confidentiality regulations.
Adequate: Articulates a clear mission statement on security with stakeholders and district leadership. Authorizes CTO and security team to ensure compliance with governing security and confidentiality regulations. Is periodically involved in high-level security planning.
Advanced: Articulates a clear mission statement on security that is integrated with District policy and overall mission. Authorizes CTO and security team to ensure compliance with governing security and confidentiality regulations. Regularly provides oversight of high-level security planning.

Legal Compliance
Basic: Initial effort has been made to bring IT installations into compliance with security-related laws (FERPA, CIPA, HIPAA, etc.), but actual level of compliance is not clear.
Developing: IT unit manages compliance with governing security-related laws (FERPA, CIPA, HIPAA, etc.) as far as major vulnerabilities are concerned (content filtering, confidential databases).
Adequate: Security team assists with identifying potential concerns for compliance with all State and Federal laws (FERPA, CIPA, HIPAA, electronic discovery, etc.). IT unit makes such compliance part of its protocol for new installations and periodic security reviews.
Advanced: Security team or external auditor verifies full compliance with all State and Federal laws (FERPA, CIPA, HIPAA, electronic discovery, etc.). Compliance review is a routine component of new installations and periodic review.

Policy Implementation
Basic: District policy governing security efforts is limited to general statements that may be challenging to translate into specific security measures. Some policy areas may be missing (e.g. enforcement procedures for security violations).
Developing: District policy governing security efforts provides a basic sense of direction for implementing security. Some policy areas are out of date or lack clarity.
Adequate: District policy governing security efforts provides adequate direction for implementing security measures. District leaders specifically authorize the IT unit to enforce policy.
Advanced: District policy governing security efforts provides effective direction with sufficient clarity to ensure appropriate implementation. District leaders specifically authorize IT unit to enforce policy. Security Team provides additional oversight.

Budget, Human Resources
Basic: No support specifically earmarked for security.
Developing: "Security" is not a budget line item, but some purchasing reflects security needs.
Adequate: Key security-related items including personnel, hardware, software, etc. included in budget planning.
Advanced: Key security-related items including personnel, hardware, software, etc. included in budget planning.

Communications
Basic: Little or no leadership communication on security issues to district leaders, board members, etc. (stakeholders).
Developing: Leadership occasionally delivers security message to stakeholders.
Adequate: Leadership regularly delivers clear message to stakeholders. Is periodically involved in high-level security planning.
Advanced: Leadership effectively and frequently incorporates security message into stakeholder communication when appropriate.

Security Team

Charter Responsibilities
Basic: No formal team exists.
Developing: Ad hoc security team lacks formal authorization.
Adequate: Security team is authorized by the district administrators to develop a security plan and oversee its implementation.
Advanced: Security team is authorized by the school board/committee to develop a security plan and oversee its implementation.

Membership
Basic: No formal security team exists. IT staff and district leadership confer on security requirements on an ad hoc basis.
Developing: Ad hoc security team members include representatives from: teacher or administrator, IT staff.
Adequate: Security team members include representatives from: District Administration, School Board or community, teaching staff, IT staff, legal staff and HR.
Advanced: Security team members include: Superintendent, School Board member, teaching staff, IT staff, legal staff, HR, law enforcement and community representative.

General Incident Response
Basic: No clearly defined procedures in place for incident response.
Developing: Have procedure in place for reporting security issues.
Adequate: Clear procedures in place that include how to report a security breach and steps for response.
Advanced: Clearly documented procedures in place that include how to report and document security issues, and steps for response and follow-up.

Ransomware Incident Response
Basic: No clearly defined procedures in place for ransomware preparation or response.
Developing: Have procedure in place for ransomware preparation.
Adequate: Clear procedures in place that include how to prepare for a ransomware incident and steps for response.
Advanced: Clear procedures in place that include how to prepare for a ransomware incident and steps for response.

Security Planning

IT Planning in General
Basic: Little or no planning.
Developing: IT planning includes some consideration of security.
Adequate: IT planning includes security as a component. Security provisions included in contracts with vendors, consultants, and outsourced services are reviewed for compliance with District security requirements.
Advanced: IT planning fully integrates security requirements. Security provisions included in contracts with vendors, consultants, and outsourced services are reviewed for compliance with District security requirements. District general security planning is fully coordinated with IT security planning.

Security Plan
Basic: Security practices exist without a formal security plan. Security plan does not address communication with stakeholders or community in case of an incident. Security plan includes occasional testing and monitoring.
Developing: Security plan exists as an internal IT department document. Security plan includes limited communication with stakeholders in case of an incident. Security plan includes occasional testing and monitoring.
Adequate: Security plan written or reviewed in past 24 months. Security plan includes communication with stakeholders in case of an incident. Security plan is derived from asset-based risk assessment process and includes end-user training and communication and periodic testing and monitoring.
Advanced: Security plan revised or reviewed in past 12 months and discussed and approved by district leadership and school board. The security plan includes communication with stakeholders and community in case of an incident. Security plan is derived from asset-based risk assessment process and is comprehensive: plan links district goals and policies, end-user training and communication, and includes periodic testing and monitoring.

Security Audit
Basic: No security audit for technical vulnerabilities, assessment for systems holding sensitive data, or review of security policies completed within the past 36 months.
Developing: Internal security audit completed within the past 36 months. Scope of audit linked to security plan.
Adequate: Internal security audit completed within the past 18 months. Scope of audit linked to security plan. District provides budget support for security measures.
Advanced: Security plan is derived from asset-based risk assessment process and is comprehensive: plan links district goals and policies, end-user training and communication, and includes periodic testing and monitoring.

Security Penetration Testing
Basic: No penetration testing.
Developing: Penetration testing completed within the past 36 months.
Adequate: Penetration testing completed within the past 18 months.
Advanced: Security plan is derived from asset-based risk assessment process and is comprehensive: plan links district goals and policies, end-user training and communication, and includes periodic testing and monitoring.

Security Implementation

Staff Competency
Basic: IT staff insufficiently trained in desktop support or network management.
Developing: Job description indicates mixed network and desktop support roles without specific mention of security-related tasks.
Adequate: Clear division of responsibility between network and desktop support, with clear assignment of responsibility for security tasks and roles.
Advanced: Clear division of responsibilities, including security-related tasks. Additionally, IT staff is cross-trained to provide backup support.

Staffing Levels
Basic: Technology staffing is insufficient to provide basic IT support services. Critical service interruptions affecting the entire district or individual schools last days or weeks.
Developing: Dedicated IT staff exists, but in insufficient numbers to provide basic IT support services. Staff responds to and resolves technology service interruptions affecting the entire district or an entire school within two working days.
Adequate: Dedicated IT staff exists and provides functional IT support services. Staff responds to and resolves technology service interruptions affecting the entire district or an entire school within the same working day. Problems affecting a single classroom are resolved within two working days.
Advanced: Full-time dedicated IT staff. Responds to and resolves critical technology incidents on the same day they are reported. Minor incidents are resolved by the next business day. IT systems operate at a high level of reliability due to effective organizational practices.

Security Staffing
Basic: No one specifically assigned to attend to security.
Developing: CTO or other management staff also deals with security.
Adequate: A staff person is assigned to manage security. The security officer reports to the CTO.
Advanced: A Chief Security Officer exists. The security officer reports outside the IT department.

Technology: Perimeter Defense

Overview
Basic: Architecture at basic stage; shortcomings exist in all areas.
Developing: Architecture lacks capacity for growth or implementation of stronger security measures; shortcomings exist in two or more areas.
Adequate: Architecture lacks capacity for growth or implementation of stronger security measures; shortcomings exist in two or more areas.
Advanced: Appropriate architecture with room to grow.

DMZ
Definition: Computer host or small network inserted as a 'neutral zone' between a district's private network and the outside public network.
Basic: DMZ: building servers double as firewalls (no DMZ).
Developing: Firewall in place but no DMZ to protect email and web servers.
Adequate: DMZ, firewall, VPN services exist but may be inadequate for future growth.
Advanced: DMZ, firewall, VPN configured for appropriate external access, email and web services.

Firewall
Basic: Firewall software not present at all network entry points.
Developing: Perimeter/intrusion defense: installed, firewall configured and monitored.
Adequate: Perimeter/intrusion defense: fully configured, firewall configured and monitored.
Advanced: Perimeter/intrusion defense: a layered strategy from desktop to firewall provides fully integrated protection.

VPN: Network Access for Remote Users
Basic: No VPN configured.
Developing: No VPN or insufficient VPN controls.
Adequate: VPN permits a limited number of users to access the network remotely.
Advanced: VPN configured to provide secure access to all authorized remote users.

Virus Protection
Basic: Virus protection is not installed on all network-connected devices. Virus definition updates are performed sporadically.
Developing: Virus protection installed on all devices; centrally-managed updates for at least half of client computers; all other computers receive regular, manual updates.
Adequate: Centrally managed, integrated virus protection. Firewall, intrusion detection is deployed to most endpoints.
Advanced: Centrally managed, integrated virus protection, firewall, intrusion detection for all endpoints.

Wireless Access Control
Basic: Wireless access: reliance on end-user caution or light, localized usage to limit risk.
Developing: Wireless access may be spreading faster than it can be properly controlled. Not all access points are properly configured.
Adequate: Wireless access is properly configured. Secondary strategies may include non-technical tactics (e.g. powering off access points over weekends). Intrusion risks are balanced against
Advanced: Wireless access properly configured; secondary strategies (VPN, segmentation) provided; risks are minimized by monitoring and strong authentication control.

IPS: Intrusion Prevention System
Basic: No IPS configured.
Developing: IPS is configured sporadically. IPS is not fully functioning.
Adequate: IPS is configured and monitoring critical facilities such as network segments.
Advanced: IPS is properly configured and fully

Content Filtering
Basic: Web filtering has been implemented to meet the requirements of local policy, state laws, and federal laws.
Developing: Web filter logs are reviewed regularly to note use and determine adjustments in categories.
Adequate: Users can request modifications to web filter blocking for school use; requests are reviewed and action taken within 48 hours of request.
Advanced: School employees have overrides to web filter for school purposes.

LAN Management

Backups
Basic: Backups may not include all mission-critical servers.
Developing: Daily and weekly backups. Off-site storage not established.
Adequate: Consistent backups including off-site storage; periodically tested.
Advanced: Consistent backups including off-site storage, routinely tested. File restoration practice included in crisis management preparedness and ransomware response.

Routine Network Monitoring & Testing
Basic: Minimally scheduled network checks. No file integrity testing. No capacity for password testing.
Developing: Daily checks for virus protection, network services, backup status. No file integrity testing. No capacity for District-wide password testing.
Adequate: Daily checks for network intrusion, virus protection, network services, backup status. Monthly file integrity testing. Password testing every 60-90 days.
Advanced: Live monitoring for network intrusion, virus protection. Daily checks on network services, backup status. Maintenance logs kept. Monthly file integrity testing. Password testing every 60-90 days. Twice-yearly wireless network intrusion detection.

Major Systems Maintenance
Basic: Major services (email, internet access) occasionally unavailable for 8 hours or more.
Developing: Major services (email, internet access) rarely unavailable for 8 hours or more.
Adequate: Major services (email, internet access) rarely unavailable for more than 4 hours.
Advanced: Major services (email, internet access) rarely unavailable for more than 2 hours.

Redundancy
Basic: Servers may lack RAID (computer data storage schemes that can divide and replicate data among multiple disk drives) reliability; no spare parts on hand for critical network devices.
Developing: Some critical district servers have RAID reliability; some spare parts on hand.
Adequate: Most critical servers are protected by redundant units. Spare components may not be available for all critical network devices.
Advanced: All critical servers are protected by redundant units. Spare components are available for all critical network devices.

Documentation
Basic: No daily maintenance and monitoring logs. System documentation is largely absent. Equipment inventory managed at the building level.
Developing: Maintenance logs kept. System documentation is minimal; knowledge of system configuration is highly dependent on individuals. Client endpoint inventory managed at building level; all network components managed by central IT group.
Adequate: Maintenance logs kept. System documentation is maintained for critical services and network management. Client endpoint inventory managed at district level.
Advanced: Maintenance logs kept. System documentation is maintained for all services and network management. Client endpoint inventory managed at district level.

External Partners and Vendors
Basic: External partners' or vendors' security practices are not known or verified.
Developing: External partners' or vendors' security practices: documentation exists but practices are not verified.
Adequate: External partners' or vendors' security practices: vendors assert that federal, state, and district requirements are met. Vendor credentials are checked. Emergency procedures for service restoration are established.
Advanced: External partners' or vendors' security practices: external audit reports verify that federal, state and district requirements are met. Redundant systems are in place; emergency procedures for service restoration are established. If required, all code is escrowed.

Encryption
Basic: Encryption is implemented sporadically on the network, or not at all.
Developing: Passwords are encrypted in transit and in storage on centralized servers and applications. Wireless networks are encrypted with shared keys.
Adequate: All interfaces (web, file transfer, etc.) to applications containing student, employee and financial data are encrypted. Passwords are encrypted in transit and in storage on centralized servers and applications. Wireless networks are encrypted with shared keys.
Advanced: All student, employee and financial data subject to regulatory compliance requirements is encrypted in storage and in transit. Passwords to all centralized applications are encrypted in storage and in transit. Wireless networks are encrypted with individual keys that are tied to named users.

WAN Security

Segmentation
Definition: Splitting a network into subnetworks, for improved performance, increased security and containing network problems.
Basic: Segmentation: no network segmentation beyond building level.
Developing: Segmentation: no network segmentation beyond building level.
Adequate: Segmentation: network appropriately segmented.
Advanced: Segmentation: centrally-managed building LANs, switches, servers.

Authentication/Authorization
Basic: Authentication/Authorization: not available.
Developing: Authentication/Authorization: not managed via the WAN, if at all. End users have no access beyond local LANs to WAN resources (except to specific systems).
Adequate: Authentication/Authorization: system-wide implementation may be incomplete.
Advanced: Authentication/Authorization: deployed throughout the district.

Multipath
Basic: No multipath internet access.
Developing: No multipath internet access.
Adequate: Multipath internet access available for critical functions.
Advanced: Multipath internet access available.

Standardization
Basic: Building LANs not standardized, require local maintenance.
Developing: Building LANs not standardized, require local maintenance.
Adequate: Most but not all building LANs, switches, servers support remote management.
Advanced: Standardized hardware and network configuration throughout district.

Remote LAN Management
Basic: WAN lacks remote monitoring and management of routers, switches and LAN servers.
Developing: Existing WAN devices may not support remote monitoring and management. As WAN expands, new devices will support remote management; legacy devices may remain in service past "retirement" age.
Adequate: IT plan includes elimination of legacy devices that cannot be remotely managed.
Advanced: All routers, switches and LAN servers are remotely monitored and managed.

Patch Management
Basic: Servers, other network devices: sporadic. End point devices: virus data and system updates (patch management) are the responsibility of the end user. Classroom or lab computers: desktop management software may be in use for updates in a few locations.
Developing: Servers, other network devices: routine updates. End point devices: IT unit provides instructions and reminders for virus data file and system updates (patch management) to end users whose computers are not automatically updated. Classroom or lab computers: central IT staff use desktop management software for updates in some locations.
Adequate: Servers, other network devices: automated updates. End point devices: most virus data and system updates (patch management) are managed remotely for most computers. Classroom and lab computers: central IT staff have established efficient protocols to refresh operating systems and deploy software in many locations.
Advanced: Servers, other network devices: automated updates. End point devices: all virus data and system updates (patch management) are managed remotely. Classroom and lab computers: central IT staff have established efficient protocols to refresh operating systems and deploy software in all locations.

Software Licensing
Basic: Software licensing managed at the building level.
Developing: Software licensing for operating systems, virus protection and office productivity software is site-licensed by central IT group; other software, purchased without central guidance or controlling policy, is controlled at the building level.
Adequate: Software licensing for operating systems, virus protection and office productivity software is site-licensed by IT group; other software is purchased with central guidance.
Advanced: Software licensing for operating systems, virus protection and office productivity software is site-licensed by central IT group; other software is purchased with central guidance or controlling policy to coordinate training and encourage shareable knowledge and increased cost savings. There is a procedure to self-audit licenses at district locations.

Point Security

Installation, Configuration, Repair of Desktop Computers
Basic: Client desktop computers: no remote management. No capacity to rebuild computers using imaging software.
Developing: Client desktop computers: mixed local and central responsibilities. Some computers can be rebuilt using imaging software.
Adequate: Client desktop computers: strong central policy, distributed management. Most computers can be rebuilt using imaging software.
Advanced: Client desktop computers: strong central policy, distributed management. Maximize efficient repairs using imaging software.

Standardization
Basic: No standardization plan exists. Any de facto standard for hardware and software results from episodic bulk purchasing and/or donations. No cycle of hardware replacement exists.
Developing: Legacy software and hardware hampers standardization efforts. No cycle of hardware replacement exists. Typically four or five generations of both PCs and Macs may be online.
Adequate: Legacy software and hardware are in the process of being phased out. 5 to 6 year replacement cycle established. Number of operating systems supported has been reduced to 2, Mac and PC.
Advanced: Standardization goals are achieved. 3-4 year replacement cycle established. The majority of all computers use one operating system.

Passwords
Basic: Password protection is the end user's responsibility; periodic password changes are not required.
Developing: Password policies exist but are not centrally enforced nor routinely used in all locations.
Adequate: Password policy is monitored by LAN or WAN managers.
Advanced: Central password policy, including periodic password changes, is monitored and enforced by WAN managers.

Advanced User Security
Basic: Simple password login is all that is required to access most areas of the network.
Developing: Password login is required and there are some areas of the network not accessible to all users.
Adequate: Strong password requirements are in place for at-risk locations, databases, or systems.
Advanced: Two-factor authentication is in place on all computers and other endpoints.

Cloud Security

Security Responsibilities
Basic: Contract does not delineate division of responsibility between district and CSP.
Developing: Contract does not delineate division of responsibility between district and CSP.
Adequate: Contract delineates some of the division of responsibility between district and CSP, but there may be gaps.
Advanced: Contract delineates full division of responsibility between district and CSP.

Contract
Items assessed in this row:
• Event logging and notification
• DDoS protection
• Availability requirements
• Intrusion detection and prevention
• Data ownership
• Data security
• Compliance with legal and policy requirements of the district
Basic: Contract and SLA do not include the items above.
Developing: Contract or SLA includes some of the items above.
Adequate: Contract or SLA includes the items above.
Advanced: Contract or SLA includes the items above.

Egress
Basic: Contract does not specify what happens with data when the district concludes their contract.
Developing: Contract specifies that data is returned to the district when the district concludes their contract.
Adequate: Contract specifies that data is returned to the district and wiped everywhere when the district concludes their contract.
Advanced: Contract specifies that data is returned to the district and wiped everywhere when the district concludes their contract.

Business Continuity

Crisis Management Plan
Definition: Disaster Recovery Planning is the process that requires detailed planning and preparation prior to an event, whether man-made or natural, and then setting the groundwork for understanding the process of responding and recovery.
Basic: IT Crisis Management plan identifying Mitigation/Prevention, Preparedness, Response, and Recovery does not yet exist. Staff has not been trained specifically for IT crisis management. District Crisis Management plan includes few if any references to technology or IT security.
Developing: IT Crisis Management plan has been outlined; it may have been completed more than a year earlier and has not been updated. Staff training for crises has been minimal. District Crisis Management Plan includes brief references to IT and security issues.
Adequate: IT Crisis Management plan uses same asset-based model as the security plan; it includes details of major systems. The plan may have been completed more than a year earlier and has not been updated. The plan includes an inventory of required equipment.
Advanced: IT Crisis Management plan uses the same asset-based model as the security plan; it includes details of all systems from ISP to desktop. Plan is reviewed and updated every 12 months. The plan includes an inventory of required equipment, redundancy and facilities for hot site requirements.

Crisis Management Training
Basic: No plan in place to train personnel for crisis situations.
Developing: Personnel trained for crisis situations, no simulations conducted.
Adequate: Personnel trained for crisis situations, simulations conducted to test Business Continuity Plan when developed.
Advanced: Personnel trained for crisis situations, simulations conducted from shutdown to startup to assess Business Continuity Plan on an annual basis.

Technology Asset Inventory
Basic: No plan exists for critical components to maintain or restore services in the event of a natural or man-made crisis.
Developing: Acceptable levels of service needs during the recovery period of a crisis have been determined to identify what processes need to be maintained or restored first to keep the school running.
Adequate: A technology asset inventory has been completed to determine and document the mission-critical technology
Advanced: A technology asset inventory has been completed to determine and document the mission-critical technology components, their location, how they're configured, and who is responsible for management. Essential employees and other critical partners (vendors, sub-contractors, services, logistics, etc.) required to maintain business operations by location and function during the event have been identified. Critical backups are in place for both equipment and staff.

Environmental Safety / Physical Security

Anticipation of Natural Disasters
Basic: Flood or water damage: network devices may be in basements or sitting on floors.
Developing: Flood or water damage: network devices may be in basements or sitting on floors.
Adequate: Flood or water damage: critical infrastructure not at risk.
Advanced: Flood or water damage: critical infrastructure not at risk. Redundant equipment and warning systems are in place to guard against other disasters.

Fire Protection
Basic: Fire: No dedicated alarms. Network equipment may be located in unlocked, multi-use spaces (offices, classrooms, etc.). No fire suppression system in place.
Developing: Fire: No dedicated alarms. Network equipment may be located in space also used for storage or custodial purposes. No cooling or fire suppression systems in place.
Adequate: Fire: Alarms installed. Network equipment in clean, dedicated space. Cooling systems and fire suppression systems in place.
Advanced: Fire: Alarms and suppression equipment installed. Network equipment in clean, dedicated space.

Climate Control
Basic: Temperature and humidity: no dedicated HVAC for network services.
Developing: Temperature and humidity: network devices may lack protection from extreme heat, dampness.
Adequate: Temperature and humidity: network devices properly ventilated.
Advanced: Temperature and humidity: network devices properly ventilated.

Power Supply
Basic: Power: minimal UPS support for servers.
Developing: Power: most servers & network devices on UPS.
Adequate: Power: all servers & network devices protected by uninterruptible power supply units.
Advanced: Power: all servers & network devices protected by UPS units with backup power available.

Inspection Review
Basic: No special environmental inspections are made.
Developing: Facilities are inspected occasionally for hazards.
Adequate: Facilities are inspected occasionally for hazards.
Advanced: Facilities and emergency equipment are inspected on a regular basis by external experts.

Facilities
Basic: Many network devices are in shared or uncontrolled locations, e.g. book cupboards, custodial closets. Network cabling may be exposed, within reach, or subject to damage during routine building cleaning and maintenance.
Developing: Most network devices in dedicated, secure locations. Network cabling may be exposed, within reach, or subject to damage during routine building cleaning and maintenance.
Adequate: All network devices are in dedicated, secure locations. Most network cabling is secure.
Advanced: All network devices are in dedicated, secure spaces. All network cabling is secure.

End User Equipment
Basic: Not all equipment is physically secured where required.
Developing: Not all equipment is physically secured where required.
Adequate: Most equipment is physically secured (locks, cables) where required.
Advanced: All equipment is physically secured (locks, cables) where required. Equipment selection criteria include physical durability.

End Users

Awareness
Basic: Stakeholders generally lack expertise on, and awareness of, security issues.
Developing: Expertise: Leaders may lack experience on strategic technology planning, including security issues. Awareness: Users are generally aware of organizational security concerns but lack specific knowledge on what to do.
Adequate: Expertise: Those charged with oversight of IT attend some trainings on strategic and managerial topics. Awareness: Users are generally aware of essential security guidelines and follow some security procedures.
Advanced: Expertise: District leaders demonstrate competency and knowledge of strategic and managerial IT topics, including security. Awareness: Users integrate essential security practices into everyday use of technology.

Training
Basic: Limited training opportunities do not include security topics. District leaders: Often choose not to participate in IT training. End users: Training not required. Community: Little or no training available.
Developing: Security is mentioned in IT training and professional development but training is not consistently tied to security policy. District leaders: Occasionally participate in IT training. End users: Not all are trained. Community: Occasional awareness and outreach sessions are offered to the community.
Adequate: Security integrated into IT training and professional development. District leaders: Receive same IT training as all users. End users: Most are trained. Community: Periodic security awareness workshops are offered to the community.
Advanced: Security integrated in IT training and professional development. District leaders: Receive regular user training, plus training on strategic IT topics. End users: Professional development, including security training, is tied to district mission and security requirements. Community: Security is integrated into outreach programs.

Access Control
Basic: Control of student access to computers depends on direct supervision. Staff access to network devices is not restricted.
Developing: Student access to computers is appropriately controlled in some locations. Staff access to network devices is restricted in some locations.
Adequate: Student access to computers is appropriately monitored where required. Staff access to network devices is restricted where appropriate.
Advanced: Student access to computers is appropriately controlled and remotely monitored where required. Staff access to network devices is restricted where appropriate.

Communication
Basic: IT unit communicates to stakeholders only sporadically.
Developing: IT unit communicates to stakeholders a few times per year. Leadership: Receives regular updates on IT and security issues. End users: Receive occasional message issued on security concerns. Community: Receives occasional publicity on IT or security issues.
Adequate: IT unit updates stakeholders on organizational security concerns on a monthly basis, or more frequently if significant vulnerabilities arise. Leadership: Receives regular updates on IT and security issues. End users: Messages issued on security concerns are disseminated using a variety of media at appropriate intervals to engage users. Community: Receives regular publicity on IT or security issues.
Advanced: IT unit updates stakeholders on organizational security concerns on a monthly basis, or more frequently if significant vulnerabilities arise. Leadership: Receives regular updates on IT and security issues. End users: Messages issued on security concerns are disseminated using a variety of media at appropriate intervals to engage users. Community: Recurring outreach to the community includes IT advice, security awareness.

Feedback
Basic: No organized feedback mechanisms exist. IT unit relies on stakeholders to bring complaints and suggestions forward.
Developing: Limited effort made to track stakeholder opinion and satisfaction. Survey of user opinions may be performed every other year.
Adequate: Helpdesk tracks problems and suggestions. Survey of user opinions performed yearly.
Advanced: Helpdesk tracks problems and suggestions. All new IT initiatives, including changes in security policy, are reviewed by user groups. Users provide input to IT initiatives through organized means such as special interest groups or regularly scheduled meetings.

Summary: Community of Trust
Basic: IT unit has almost no capacity to monitor security. IT systems are extremely vulnerable to internal damage.
Developing: Increasing likelihood for security failures, without clear policy or secure infrastructure, may result in a climate of suspicion or confusion.
Adequate: Decreasing likelihood for security failures, the result of clear policy and significantly improved infrastructure, reduces lingering suspicion and confusion.
Advanced: A secure network with reliable infrastructure and transparent security policies provides effective, mission-driven learning opportunities without the weight of surveillance.
