Security Planning Rubric

The grid below describes the status of issues that districts can examine to determine their current degree of security preparedness.

Management (Basic / Developing / Adequate / Advanced)

District Administrative Leadership: Security Goals
  Basic: Provides minimal direction and oversight on IT-related security issues to stakeholders and district leadership. Acknowledges efforts made by the CTO to meet governing security and confidentiality requirements.
  Developing: Develops a basic mission statement on security that is shared and acted upon by the IT department. Authorizes the CTO to ensure compliance with governing security and confidentiality regulations.
  Adequate: Articulates a clear mission statement on security with stakeholders and district leadership. Authorizes the CTO and security team to ensure compliance with governing security and confidentiality regulations. Is periodically involved in high-level security planning.
  Advanced: Articulates a clear mission statement on security that is integrated with District policy and overall mission. Authorizes the CTO and security team to ensure compliance with governing security and confidentiality regulations. Regularly provides oversight of high-level security planning.

Legal Compliance
  Basic: Initial effort has been made to bring IT installations into compliance with security-related laws (FERPA, CIPA, HIPAA, etc.), but the actual level of compliance is not clear.
  Developing: IT unit manages compliance with governing security-related laws (FERPA, CIPA, HIPAA, etc.) as far as major vulnerabilities are concerned (content filtering, confidential databases).
  Adequate: Security team assists with identifying potential concerns for compliance with all State and Federal laws (FERPA, CIPA, HIPAA, electronic discovery, etc.). IT unit makes such compliance part of its protocol for new installations and periodic security reviews.
  Advanced: Security team or external auditor verifies full compliance with all State and Federal laws (FERPA, CIPA, HIPAA, electronic discovery, etc.). Compliance review is a routine component of new installations and periodic review.

Policy Implementation
  Basic: District policy governing security efforts is limited to general statements that may be challenging to translate into specific security measures. Some policy areas may be missing (e.g. enforcement procedures for security violations).
  Developing: District policy governing security efforts provides a basic sense of direction for implementing security. Some policy areas are out of date or lack clarity.
  Adequate: District policy governing security efforts provides adequate direction for implementing security measures. District leaders specifically authorize the IT unit to enforce policy.
  Advanced: District policy governing security efforts provides effective direction with sufficient clarity to ensure appropriate implementation. District leaders specifically authorize the IT unit to enforce policy. Security Team provides additional oversight.

Budget, Human Resources
  Basic: No support specifically earmarked for security.
  Developing: "Security" is not a budget line item, but some purchasing reflects security needs.
  Adequate: Key security-related items, including personnel, hardware, software, etc., are included in budget planning.
  Advanced: Key security-related items, including personnel, hardware, software, etc., are included in budget planning.

Communications
  Basic: Little or no leadership communication on security issues to district leaders, board members, etc. (stakeholders).
  Developing: Leadership occasionally delivers a security message to stakeholders.
  Adequate: Leadership regularly delivers a clear message to stakeholders. Is periodically involved in high-level security planning.
  Advanced: Leadership effectively and frequently incorporates the security message into stakeholder communication when appropriate.
Security Team (Basic / Developing / Adequate / Advanced)

Charter / Responsibilities
  Basic: No formal team exists.
  Developing: Ad hoc security team lacks formal authorization.
  Adequate: Security team is authorized by the district administrators to develop a security plan and oversee its implementation.
  Advanced: Security team is authorized by the school board/committee to develop a security plan and oversee its implementation.

Membership
  Basic: No formal security team exists. IT staff and district leadership confer on security requirements on an ad hoc basis.
  Developing: Ad hoc security team members include representatives from: teacher or administrator, IT staff.
  Adequate: Security team members include representatives from: District Administration, School Board or community, teaching staff, IT staff, legal staff and HR.
  Advanced: Security team members include: Superintendent, School Board member, teaching staff, IT staff, legal staff, HR, law enforcement and community representative.

General Incident Response
  Basic: No clearly defined procedures in place for incident response.
  Developing: Procedure in place for reporting security issues.
  Adequate: Clear procedures in place that include how to report a security breach and steps for response.
  Advanced: Clearly documented procedures in place that include how to report and document security issues, and steps for response and follow-up.

Ransomware Incident Response
  Basic: No clearly defined procedures in place for ransomware preparation or response.
  Developing: Procedure in place for ransomware preparation.
  Adequate: Clear procedures in place that include how to prepare for a ransomware incident and steps for response.
  Advanced: Clear procedures in place that include how to prepare for a ransomware incident and steps for response.
Security Planning (Basic / Developing / Adequate / Advanced)

IT Planning in General
  Basic: Little or no planning.
  Developing: IT planning includes some consideration of security.
  Adequate: IT planning includes security as a component. Security provisions included in contracts with vendors, consultants, and outsourced services are reviewed for compliance with District security requirements.
  Advanced: IT planning fully integrates security requirements. Security provisions included in contracts with vendors, consultants, and outsourced services are reviewed for compliance with District security requirements. District general security planning is fully coordinated with IT security planning.

Security Plan
  Basic: Security practices exist without a formal security plan. Security plan does not address communication with stakeholders or community in case of an incident. Security plan includes occasional testing and monitoring.
  Developing: Security plan exists as an internal IT department document. Security plan includes limited communication with stakeholders in case of an incident. Security plan includes occasional testing and monitoring.
  Adequate: Security plan written or reviewed in the past 24 months. Security plan includes communication with stakeholders in case of an incident. Security plan is derived from an asset-based risk assessment process and includes end-user training and communication and periodic testing and monitoring.
  Advanced: Security plan revised or reviewed in the past 12 months and discussed and approved by district leadership and school board. The security plan includes communication with stakeholders and community in case of an incident. Security plan is derived from an asset-based risk assessment process and is comprehensive: the plan links district goals and policies, end-user training and communication, and includes periodic testing and monitoring.

Security Audit
  Basic: No security audit for technical vulnerabilities, assessment of systems holding sensitive data, or review of security policies completed within the past 36 months.
  Developing: Internal security audit completed within the past 36 months. Scope of audit linked to security plan.
  Adequate: Internal security audit completed within the past 18 months. Scope of audit linked to security plan. District provides budget support for security measures.
  Advanced: Security plan is derived from an asset-based risk assessment process and is comprehensive: the plan links district goals and policies, end-user training and communication, and includes periodic testing and monitoring.

Security Penetration Testing
  Basic: No penetration testing.
  Developing: Penetration testing completed within the past 36 months.
  Adequate: Penetration testing completed within the past 18 months.
  Advanced: Security plan is derived from an asset-based risk assessment process and is comprehensive: the plan links district goals and policies, end-user training and communication, and includes periodic testing and monitoring.
Security Implementation (Basic / Developing / Adequate / Advanced)

Staff Competency
  Basic: IT staff insufficiently trained in desktop support or network management.
  Developing: Job description indicates mixed network and desktop support roles without specific mention of security-related tasks.
  Adequate: Clear division of responsibility between network and desktop support, with clear assignment of responsibility for security tasks and roles.
  Advanced: Clear division of responsibilities, including security-related tasks. Additionally, IT staff is cross-trained to provide backup support.

Staffing Levels
  Basic: Technology staffing is insufficient to provide basic IT support services. Critical service interruptions affecting the entire district or individual schools last days or weeks.
  Developing: Dedicated IT staff exists, but in insufficient numbers to provide basic IT support services. Staff responds to and resolves technology service interruptions affecting the entire district or an entire school within two working days.
  Adequate: Dedicated IT staff exists and provides functional IT support services. Staff responds to and resolves technology service interruptions affecting the entire district or an entire school within the same working day. Problems affecting a single classroom are resolved within two working days.
  Advanced: Full-time dedicated IT staff. Responds to and resolves critical technology incidents on the same day they are reported. Minor incidents are resolved by the next business day. IT systems operate at a high level of reliability due to effective organizational practices.

Security Staffing
  Basic: No one specifically assigned to attend to security.
  Developing: CTO or other management staff also deals with security.
  Adequate: A staff person is assigned to manage security. The security officer reports to the CTO.
  Advanced: A Chief Security Officer exists. The security officer reports outside the IT department.
Technology: Perimeter Defense (Basic / Developing / Adequate / Advanced)

Overview
  Basic: Architecture at basic stage; shortcomings exist in all areas.
  Developing: Architecture lacks capacity for growth or implementation of stronger security measures; shortcomings exist in two or more areas.
  Adequate: Architecture lacks capacity for growth or implementation of stronger security measures; shortcomings exist in two or more areas.
  Advanced: Appropriate architecture with room to grow.

DMZ
  Definition: Computer host or small network inserted as a 'neutral zone' between a district's private network and the outside public network.
  Basic: DMZ: building servers double as firewalls (no DMZ).
  Developing: Firewall in place but no DMZ to protect email and web servers.
  Adequate: DMZ, firewall, VPN services exist but may be inadequate for future growth.
  Advanced: DMZ, firewall, VPN configured for appropriate external access, email and web services.

Firewall
  Basic: Firewall software not present at all network entry points.
  Developing: Perimeter/intrusion defense: installed, firewall configured and monitored.
  Adequate: Perimeter/intrusion defense: fully configured, firewall configured and monitored.
  Advanced: Perimeter/intrusion defense: a layered strategy from desktop to firewall provides fully integrated protection.

VPN: Network Access for Remote Users
  Basic: No VPN configured.
  Developing: No VPN or insufficient VPN controls.
  Adequate: VPN permits a limited number of users to access the network remotely.
  Advanced: VPN configured to provide secure access to all authorized remote users.

Virus Protection
  Basic: Virus protection is not installed on all network-connected devices. Virus definition updates are performed sporadically.
  Developing: Virus protection installed on all devices; centrally managed updates for at least half of client computers; all other computers receive regular, manual updates.
  Adequate: Centrally managed, integrated virus protection. Firewall and intrusion detection are deployed to most endpoints.
  Advanced: Centrally managed, integrated virus protection, firewall and intrusion detection for all endpoints.

Wireless Access Control
  Basic: Wireless access: reliance on end-user caution or light, localized usage to limit risk.
  Developing: Wireless access may be spreading faster than it can be properly controlled. Not all access points are properly configured.
  Adequate: Wireless access is properly configured. Secondary strategies may include non-technical tactics (e.g. powering off access points over weekends). Intrusion risks are balanced against
  Advanced: Wireless access properly configured; secondary strategies (VPN, segmentation) are provided; risks are minimized by monitoring and strong authentication control.

IPS: Intrusion Prevention System
  Basic: No IPS configured.
  Developing: IPS is configured sporadically. IPS is not fully functioning.
  Adequate: IPS is configured and monitoring critical facilities such as network segments.
  Advanced: IPS is properly configured and fully

Content Filtering
  Basic: Web filtering has been implemented to meet the requirements of local policy, state laws, and federal laws.
  Developing: Web filter logs are reviewed regularly to note use and determine adjustments in categories.
  Adequate: Users can request modifications to web filter blocking for school use; requests are reviewed and action taken within 48 hours of the request.
  Advanced: School employees have overrides to the web filter for school purposes.
LAN Management (Basic / Developing / Adequate / Advanced)

Backups
  Basic: Backups may not include all mission-critical servers.
  Developing: Daily and weekly backups. Off-site storage not established.
  Adequate: Consistent backups including off-site storage; periodically tested.
  Advanced: Consistent backups including off-site storage, routinely tested. File restoration practice included in crisis management preparedness and ransomware response.

Routine Network Monitoring & Testing
  Basic: Minimally scheduled network checks. No file integrity testing. No capacity for password testing.
  Developing: Daily checks for virus protection, network services, backup status. No file integrity testing. No capacity for District-wide password testing.
  Adequate: Daily checks for network intrusion, virus protection, network services, backup status. Monthly file integrity testing. Password testing every 60-90 days.
  Advanced: Live monitoring for network intrusion, virus protection. Daily checks on network services, backup status. Maintenance logs kept. Monthly file integrity testing. Password testing every 60-90 days. Twice-yearly wireless network intrusion detection.
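The "file integrity testing" required at the Adequate and Advanced levels above is, at its core, a baseline-and-compare check: record a cryptographic hash of each important file, then periodically re-hash and report what changed. The following Python script is added here to illustrate that check; it is not part of the rubric or any district's tooling. It builds a SHA-256 baseline of a directory tree, stores it as JSON, and reports modified, missing and added files. The directory tree, file names and contents are constructed in a temporary directory purely for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed example for this page: a minimal file-integrity check
# (baseline + comparison). Not part of the rubric or any district's tooling.

CHUNK = 65536


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its hash."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Report files whose content changed, files that vanished, and new files."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k, h in baseline.items() if k in current and current[k] != h),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Baseline a constructed directory tree, tamper with it, and re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin" / "backup.sh").write_text("#!/bin/sh\necho constructed\n")

        # Serialize the baseline as the stored record. In a real deployment it
        # belongs on a separate, write-protected host or media, never on the
        # system being checked.
        stored = json.dumps(build_baseline(root), indent=1)
        clean = compare_to_baseline(root, json.loads(stored))

        # Simulate drift: one edited config, one deleted script, one unexpected file.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "backup.sh").unlink()
        (root / "etc" / "cron.weekly").write_text("# constructed extra file\n")
        drift = compare_to_baseline(root, json.loads(stored))
        return {"clean": clean, "drift": drift}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The clean comparison returns three empty lists; after the simulated drift it names the edited file, the deleted file and the new file. For a monthly check on real hosts, the baseline would be taken after a known-good build or patch run and refreshed only through the change process, so that every reported difference is either an approved change or something to investigate.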
Major Systems Maintenance
  Basic: Major services (email, internet access) occasionally unavailable for 8 hours or more.
  Developing: Major services (email, internet access) rarely unavailable for 8 hours or more.
  Adequate: Major services (email, internet access) rarely unavailable for more than 4 hours.
  Advanced: Major services (email, internet access) rarely unavailable for more than 2 hours.

Redundancy
  Basic: Servers may lack RAID (computer data storage schemes that can divide and replicate data among multiple disk drives) reliability; no spare parts on hand for critical network devices.
  Developing: Some critical district servers have RAID reliability; some spare parts on hand.
  Adequate: Most critical servers are protected by redundant units. Spare components may not be available for all critical network devices.
  Advanced: All critical servers are protected by redundant units. Spare components are available for all critical network devices.

Documentation
  Basic: No daily maintenance and monitoring logs. System documentation is largely absent. Equipment inventory managed at the building level.
  Developing: Maintenance logs kept. System documentation is minimal; knowledge of system configuration is highly dependent on individuals. Client endpoint inventory managed at the building level; all network components managed by the central IT group.
  Adequate: Maintenance logs kept. System documentation is maintained for critical services and network management. Client endpoint inventory managed at the district level.
  Advanced: Maintenance logs kept. System documentation is maintained for all services and network management. Client endpoint inventory managed at the district level.

External Partners and Vendors
  Basic: External partners' or vendors' security practices are not known or verified.
  Developing: External partners' or vendors' security practices: documentation exists but practices are not verified.
  Adequate: External partners' or vendors' security practices: vendors assert that federal, state, and district requirements are met. Vendor credentials are checked. Emergency procedures for service restoration are established.
  Advanced: External partners' or vendors' security practices: external audit reports verify that federal, state and district requirements are met. Redundant systems are in place; emergency procedures for service restoration are established. If required, all code is escrowed.

Encryption
  Basic: Encryption is implemented sporadically on the network, or not at all.
  Developing: Passwords are encrypted in transit and in storage on centralized servers and applications. Wireless networks are encrypted with shared keys.
  Adequate: All interfaces (web, file transfer, etc.) to applications containing student, employee and financial data are encrypted. Passwords are encrypted in transit and in storage on centralized servers and applications. Wireless networks are encrypted with shared keys.
  Advanced: All student, employee and financial data subject to regulatory compliance requirements is encrypted in storage and in transit. Passwords to all centralized applications are encrypted in storage and in transit. Wireless networks are encrypted with individual keys that are tied to named users.
WAN Security (Basic / Developing / Adequate / Advanced)

Segmentation
  Definition: Splitting a network into subnetworks, for improved performance, increased security and containing network problems.
  Basic: Segmentation: no network segmentation beyond building level.
  Developing: Segmentation: no network segmentation beyond building level.
  Adequate: Segmentation: network appropriately segmented.
  Advanced: Segmentation: centrally managed building LANs, switches, servers.

Authentication/Authorization
  Basic: Authentication/Authorization: not available.
  Developing: Authentication/Authorization: not managed via the WAN, if at all. End users have no access beyond local LANs to WAN resources (except to specific systems).
  Adequate: Authentication/Authorization: system-wide implementation may be incomplete.
  Advanced: Authentication/Authorization: deployed throughout the district.

Multipath
  Basic: No multipath internet access.
  Developing: No multipath internet access.
  Adequate: Multipath internet access available for critical functions.
  Advanced: Multipath internet access available.

Standardization
  Basic: Building LANs not standardized; require local maintenance.
  Developing: Building LANs not standardized; require local maintenance.
  Adequate: Most but not all building LANs, switches, servers support remote management.
  Advanced: Standardized hardware and network configuration throughout the district.

Remote LAN Management
  Basic: WAN lacks remote monitoring and management of routers, switches and LAN servers.
  Developing: Existing WAN devices may not support remote monitoring and management. As the WAN expands, new devices will support remote management; legacy devices may remain in service past "retirement" age.
  Adequate: IT plan includes elimination of legacy devices that cannot be remotely managed.
  Advanced: All routers, switches and LAN servers are remotely monitored and managed.
Patch Management
  Basic: Servers, other network devices: sporadic. End point devices: virus data and system updates (patch management) are the responsibility of the end user. Classroom or lab computers: desktop management software may be in use for updates in a few locations.
  Developing: Servers, other network devices: routine updates. End point devices: IT unit provides instructions and reminders for virus data file and system updates (patch management) to end users whose computers are not automatically updated. Classroom or lab computers: central IT staff use desktop management software for updates in some locations.
  Adequate: Servers, other network devices: automated updates. End point devices: most virus data and system updates (patch management) are managed remotely for most computers. Classroom and lab computers: central IT staff have established efficient protocols to refresh operating systems and deploy software in many locations.
  Advanced: Servers, other network devices: automated updates. End point devices: all virus data and system updates (patch management) are managed remotely. Classroom and lab computers: central IT staff have established efficient protocols to refresh operating systems and deploy software in all locations.
Software Licensing
  Basic: Software licensing managed at the building level.
  Developing: Software licensing for operating systems, virus protection and office productivity software is site-licensed by the central IT group; other software, purchased without central guidance or controlling policy, is controlled at the building level.
  Adequate: Software licensing for operating systems, virus protection and office productivity software is site-licensed by the IT group; other software is purchased with central guidance.
  Advanced: Software licensing for operating systems, virus protection and office productivity software is site-licensed by the central IT group; other software is purchased with central guidance or controlling policy to coordinate training and encourage shareable knowledge and increased cost savings. There is a procedure to self-audit licenses at district locations.
Point Security (Basic / Developing / Adequate / Advanced)

Installation, Configuration, Repair of Desktop Computers
  Basic: Client desktop computers: no remote management. No capacity to rebuild computers using imaging software.
  Developing: Client desktop computers: mixed local and central responsibilities. Some computers can be rebuilt using imaging software.
  Adequate: Client desktop computers: strong central policy, distributed management. Most computers can be rebuilt using imaging software.
  Advanced: Client desktop computers: strong central policy, distributed management. Efficient repairs maximized using imaging software.

Standardization
  Basic: No standardization plan exists. Any de facto standard for hardware and software results from episodic bulk purchasing and/or donations. No cycle of hardware replacement exists.
  Developing: Legacy software and hardware hamper standardization efforts. No cycle of hardware replacement exists. Typically four or five generations of both PCs and Macs may be online.
  Adequate: Legacy software and hardware are in the process of being phased out. 5 to 6 year replacement cycle established. Number of operating systems supported has been reduced to 2, Mac and PC.
  Advanced: Standardization goals are achieved. 3-4 year replacement cycle established. The majority of all computers use one operating system.

Passwords
  Basic: Password protection is the end user's responsibility; periodic password changes are not required.
  Developing: Password policies exist but are not centrally enforced nor routinely used in all locations.
  Adequate: Password policy is monitored by LAN or WAN managers.
  Advanced: Central password policy, including periodic password changes, is monitored and enforced by WAN managers.

Advanced User Security
  Basic: Simple password login is all that is required to access most areas of the network.
  Developing: Password login is required and there are some areas of the network not accessible to all users.
  Adequate: Strong password requirements are in place for at-risk locations, databases, or systems.
  Advanced: Two-factor authentication is in place on all computers and other endpoints.
Cloud Security (Basic / Developing / Adequate / Advanced)

Security Responsibilities
  Basic: Contract does not delineate division of responsibility between district and CSP.
  Developing: Contract does not delineate division of responsibility between district and CSP.
  Adequate: Contract delineates some of the division of responsibility between district and CSP, but there may be gaps.
  Advanced: Contract delineates full division of responsibility between district and CSP.

Contract
  Items considered:
  • Event logging and notification
  • DDoS protection
  • Availability requirements
  • Intrusion detection and prevention
  • Data ownership
  • Data security
  • Compliance with legal and policy requirements of the district
  Basic: Contract and SLA do not include these items.
  Developing: Contract or SLA includes some of these items.
  Adequate: Contract or SLA includes these items.
  Advanced: Contract or SLA includes these items.

Egress
  Basic: Contract does not specify what happens with data when the district concludes its contract.
  Developing: Contract specifies that data is returned to the district when the district concludes its contract.
  Adequate: Contract specifies that data is returned to the district and wiped everywhere when the district concludes its contract.
  Advanced: Contract specifies that data is returned to the district and wiped everywhere when the district concludes its contract.
Business Continuity (Basic / Developing / Adequate / Advanced)

Crisis Management Plan
  Definition: Disaster Recovery Planning is the process that requires detailed planning and preparation prior to an event, whether man-made or natural, and then setting the groundwork for understanding the process of responding and recovery.
  Basic: IT Crisis Management plan identifying Mitigation/Prevention, Preparedness, Response, and Recovery does not yet exist. Staff has not been trained specifically for IT crisis management. District Crisis Management plan includes few if any references to technology or IT security.
  Developing: IT Crisis Management plan has been outlined; it may have been completed more than a year earlier and has not been updated. Staff training for crises has been minimal. District Crisis Management Plan includes brief references to IT and security issues.
  Adequate: IT Crisis Management plan uses the same asset-based model as the security plan; it includes details of major systems. The plan may have been completed more than a year earlier and has not been updated. The plan includes an inventory of required equipment.
  Advanced: IT Crisis Management plan uses the same asset-based model as the security plan; it includes details of all systems from ISP to desktop. Plan is reviewed and updated every 12 months. The plan includes an inventory of required equipment redundancy and facilities for hot site requirements.

Crisis Management Training
  Basic: No plan in place to train personnel for crisis situations.
  Developing: Personnel trained for crisis situations; no simulations conducted.
  Adequate: Personnel trained for crisis situations; simulations conducted to test the Business Continuity Plan when developed.
  Advanced: Personnel trained for crisis situations; simulations conducted from shutdown to startup to assess the Business Continuity Plan on an annual basis.

Technology Asset Inventory
  Basic: No plan exists for critical components to maintain or restore services in the event of a natural or man-made crisis.
  Developing: Acceptable levels of service needs during the recovery period of a crisis have been determined to identify what processes need to be maintained or restored first to keep the school running.
  Adequate: A technology asset inventory has been completed to determine and document the mission-critical technology
  Advanced: A technology asset inventory has been completed to determine and document the mission-critical technology components, their location, how they're configured, and who is responsible for management. Essential employees and other critical partners (vendors, sub-contractors, services, logistics, etc.) required to maintain business operations by location and function during the event have been identified. Critical backups are in place for both equipment and staff.
Environmental Safety / Physical Security (Basic / Developing / Adequate / Advanced)

Anticipation of Natural Disasters
  Basic: Flood or water damage: network devices may be in basements or sitting on floors.
  Developing: Flood or water damage: network devices may be in basements or sitting on floors.
  Adequate: Flood or water damage: critical infrastructure not at risk.
  Advanced: Flood or water damage: critical infrastructure not at risk. Redundant equipment and warning systems are in place to guard against other disasters.

Fire Protection
  Basic: Fire: No dedicated alarms. Network equipment may be located in unlocked, multi-use spaces (offices, classrooms, etc.). No fire suppression system in place.
  Developing: Fire: No dedicated alarms. Network equipment may be located in space also used for storage or custodial purposes. No cooling or fire suppression systems in place.
  Adequate: Fire: Alarms installed. Network equipment in clean, dedicated space. Cooling systems and fire suppression systems in place.
  Advanced: Fire: Alarms and suppression equipment installed. Network equipment in clean, dedicated space.

Climate Control
  Basic: Temperature and humidity: no dedicated HVAC for network services.
  Developing: Temperature and humidity: network devices may lack protection from extreme heat, dampness.
  Adequate: Temperature and humidity: network devices properly ventilated.
  Advanced: Temperature and humidity: network devices properly ventilated.

Power Supply
  Basic: Power: minimal UPS support for servers.
  Developing: Power: most servers & network devices on UPS.
  Adequate: Power: all servers & network devices protected by uninterruptible power supply units.
  Advanced: Power: all servers & network devices protected by UPS units with backup power available.

Inspection Review
  Basic: No special environmental inspections are made.
  Developing: Facilities are inspected occasionally for hazards.
  Adequate: Facilities are inspected occasionally for hazards.
  Advanced: Facilities and emergency equipment are inspected on a regular basis by external experts.

Facilities
  Basic: Many network devices are in shared or uncontrolled locations, e.g. book cupboards, custodial closets. Network cabling may be exposed, within reach, or subject to damage during routine building cleaning and maintenance.
  Developing: Most network devices in dedicated, secure locations. Network cabling may be exposed, within reach, or subject to damage during routine building cleaning and maintenance.
  Adequate: All network devices are in dedicated, secure locations. Most network cabling is secure.
  Advanced: All network devices are in dedicated, secure spaces. All network cabling is secure.

End User Equipment
  Basic: Not all equipment is physically secured where required.
  Developing: Not all equipment is physically secured where required.
  Adequate: Most equipment is physically secured (locks, cables) where required.
  Advanced: All equipment is physically secured (locks, cables) where required. Equipment selection criteria include physical durability.
End Users (Basic / Developing / Adequate / Advanced)

Awareness
  Basic: Stakeholders generally lack expertise on, and awareness of, security issues.
  Developing: Expertise: Leaders may lack experience in strategic technology planning, including security issues. Awareness: Users are generally aware of organizational security concerns but lack specific knowledge of what to do.
  Adequate: Expertise: Those charged with oversight of IT attend some trainings on strategic and managerial topics. Awareness: Users are generally aware of essential security guidelines and follow some security procedures.
  Advanced: Expertise: District leaders demonstrate competency and knowledge of strategic and managerial IT topics, including security. Awareness: Users integrate essential security practices into everyday use of technology.

Training
  Basic: Limited training opportunities do not include security topics. District leaders: Often choose not to participate in IT training. End Users: Training not required. Community: Little or no training available.
  Developing: Security is mentioned in IT training and professional development, but training is not consistently tied to security policy. District leaders: Occasionally participate in IT training. End Users: Not all are trained. Community: Occasional awareness and outreach sessions are offered to the community.
  Adequate: Security integrated into IT training and professional development. District leaders: Receive the same IT training as all users. End Users: Most are trained. Community: Periodic security awareness workshops are offered to the community.
  Advanced: Security integrated into IT training and professional development. District leaders: Receive regular user training, plus training on strategic IT topics. End Users: Professional development, including security training, is tied to district mission and security requirements. Community: Security is integrated into outreach programs.

Access Control
  Basic: Control of student access to computers depends on direct supervision. Staff access to network devices is not restricted.
  Developing: Student access to computers is appropriately controlled in some locations. Staff access to network devices is restricted in some locations.
  Adequate: Student access to computers is appropriately monitored where required. Staff access to network devices is restricted where appropriate.
  Advanced: Student access to computers is appropriately controlled and remotely monitored where required. Staff access to network devices is restricted where appropriate.

Communication
  Basic: IT unit communicates to stakeholders only sporadically.
  Developing: IT unit communicates to stakeholders a few times per year. Leadership: Receives regular updates on IT and security issues. End Users: Receive occasional messages issued on security concerns. Community: Receives occasional publicity on IT or security issues.
  Adequate: IT unit updates stakeholders on organizational security concerns on a monthly basis, or more frequently if significant vulnerabilities arise. Leadership: Receives regular updates on IT and security issues. End Users: Messages issued on security concerns are disseminated using a variety of media at appropriate intervals to engage users. Community: Receives regular publicity on IT or security issues.
  Advanced: IT unit updates stakeholders on organizational security concerns on a monthly basis, or more frequently if significant vulnerabilities arise. Leadership: Receives regular updates on IT and security issues. End Users: Messages issued on security concerns are disseminated using a variety of media at appropriate intervals to engage users. Community: Recurring outreach to the community includes IT advice and security awareness.

Feedback
  Basic: No organized feedback mechanisms exist. IT unit relies on stakeholders to bring complaints and suggestions forward.
  Developing: Limited effort made to track stakeholder opinion and satisfaction. Survey of user opinions may be performed every other year.
  Adequate: Help desk tracks problems and suggestions. Survey of user opinions performed yearly.
  Advanced: Help desk tracks problems and suggestions. All new IT initiatives, including changes in security policy, are reviewed by user groups. Users provide input to IT initiatives through organized means such as special interest groups or regularly scheduled meetings.

Summary: Community of Trust
  Basic: IT unit has almost no capacity to monitor security. IT systems are extremely vulnerable to internal damage.
  Developing: Increasing likelihood of security failures, without clear policy or secure infrastructure, may result in a climate of suspicion or confusion.
  Adequate: Decreasing likelihood of security failures, the result of clear policy and significantly improved infrastructure, reduces lingering suspicion and confusion.
  Advanced: A secure network with reliable infrastructure and transparent security policies provides effective, mission-driven learning opportunities without the weight of surveillance.