Cyber Security Planning Rubric 006 - CoSN Cybersecurity rubric.pdf

Date posted: 08-May-2020
Page 1: Cyber Security Planning Rubric 006 - CoSN Cybersecurity rubric.pdflaw enforcement and community representative. ... Security Plan Security practices exist without a formal security

Security Planning Rubric

The grid below describes the status of issues that districts can examine to determine their current degree of security preparedness. Each issue is rated at one of four levels: Basic, Developing, Adequate, Advanced.

Management

District Administrative Leadership

Security Goals
  Basic: Provides minimal direction and oversight on IT-related security issues to stakeholders and district leadership. Acknowledges efforts made by the CTO to meet governing security and confidentiality requirements.
  Developing: Develops a basic mission statement on security that is shared and acted upon by the IT department. Authorizes the CTO to ensure compliance with governing security and confidentiality regulations.
  Adequate: Articulates a clear mission statement on security with stakeholders and district leadership. Authorizes the CTO and security team to ensure compliance with governing security and confidentiality regulations. Is periodically involved in high-level security planning.
  Advanced: Articulates a clear mission statement on security that is integrated with District policy and overall mission. Authorizes the CTO and security team to ensure compliance with governing security and confidentiality regulations. Regularly provides oversight of high-level security planning.

Legal Compliance
  Basic: Initial effort has been made to bring IT installations into compliance with security-related laws (FERPA, CIPA, HIPAA, etc.), but the actual level of compliance is not clear.
  Developing: IT unit manages compliance with governing security-related laws (FERPA, CIPA, HIPAA, etc.) as far as major vulnerabilities are concerned (content filtering, confidential databases).
  Adequate: Security team assists with identifying potential concerns for compliance with all State and Federal laws (FERPA, CIPA, HIPAA, electronic discovery, etc.). IT unit makes such compliance part of its protocol for new installations and periodic security reviews.
  Advanced: Security team or external auditor verifies full compliance with all State and Federal laws (FERPA, CIPA, HIPAA, electronic discovery, etc.). Compliance review is a routine component of new installations and periodic review.

Policy Implementation
  Basic: District policy governing security efforts is limited to general statements that may be challenging to translate into specific security measures. Some policy areas may be missing (e.g. enforcement procedures for security violations).
  Developing: District policy governing security efforts provides a basic sense of direction for implementing security. Some policy areas are out of date or lack clarity.
  Adequate: District policy governing security efforts provides adequate direction for implementing security measures. District leaders specifically authorize the IT unit to enforce policy.
  Advanced: District policy governing security efforts provides effective direction with sufficient clarity to ensure appropriate implementation. District leaders specifically authorize the IT unit to enforce policy. Security team provides additional oversight.

Budget, Human Resources
  Basic: No support specifically earmarked for security.
  Developing: "Security" is not a budget line item, but some purchasing reflects security needs.
  Adequate: Key security-related items, including personnel, hardware, software, etc., included in budget planning.
  Advanced: Key security-related items, including personnel, hardware, software, etc., included in budget planning.

Communications
  Basic: Little or no leadership communication on security issues to district leaders, board members, etc. (stakeholders).
  Developing: Leadership occasionally delivers a security message to stakeholders.
  Adequate: Leadership regularly delivers a clear message to stakeholders. Is periodically involved in high-level security planning.
  Advanced: Leadership effectively and frequently incorporates the security message into stakeholder communication when appropriate.


Security Team

Charter / Responsibilities
  Basic: No formal team exists.
  Developing: Ad hoc security team lacks formal authorization.
  Adequate: Security team is authorized by the district administrators to develop a security plan and oversee its implementation.
  Advanced: Security team is authorized by the school board/committee to develop a security plan and oversee its implementation.

Membership
  Basic: No formal security team exists. IT staff and district leadership confer on security requirements on an ad hoc basis.
  Developing: Ad hoc security team members include representatives from: teacher or administrator, IT staff.
  Adequate: Security team members include representatives from: District Administration, School Board or community, teaching staff, IT staff, legal staff and HR.
  Advanced: Security team members include: Superintendent, School Board member, teaching staff, IT staff, legal staff, HR, law enforcement and community representative.

General Incident Response
  Basic: No clearly defined procedures in place for incident response.
  Developing: Procedure in place for reporting security issues.
  Adequate: Clear procedures in place that include how to report a security breach and steps for response.
  Advanced: Clearly documented procedures in place that include how to report and document security issues, and steps for response and follow-up.

Ransomware Incident Response
  Basic: No clearly defined procedures in place for ransomware preparation or response.
  Developing: Procedure in place for ransomware preparation.
  Adequate: Clear procedures in place that include how to prepare for a ransomware incident and steps for response.
  Advanced: Clear procedures in place that include how to prepare for a ransomware incident and steps for response.


Security Planning

IT Planning in General
  Basic: Little or no planning.
  Developing: IT planning includes some consideration of security.
  Adequate: IT planning includes security as a component. Security provisions included in contracts with vendors, consultants, and outsourced services are reviewed for compliance with District security requirements.
  Advanced: IT planning fully integrates security requirements. Security provisions included in contracts with vendors, consultants, and outsourced services are reviewed for compliance with District security requirements. District general security planning is fully coordinated with IT security planning.

Security Plan
  Basic: Security practices exist without a formal security plan. Security plan does not address communication with stakeholders or community in case of an incident. Security plan includes occasional testing and monitoring.
  Developing: Security plan exists as an internal IT department document. Security plan includes limited communication with stakeholders in case of an incident. Security plan includes occasional testing and monitoring.
  Adequate: Security plan written or reviewed in the past 24 months. Security plan includes communication with stakeholders in case of an incident. Security plan is derived from an asset-based risk assessment process and includes end-user training and communication and periodic testing and monitoring.
  Advanced: Security plan revised or reviewed in the past 12 months and discussed and approved by district leadership and school board. The security plan includes communication with stakeholders and community in case of an incident. Security plan is derived from an asset-based risk assessment process and is comprehensive: the plan links district goals and policies, end-user training and communication, and includes periodic testing and monitoring.

Security Audit
  Basic: No security audit for technical vulnerabilities, assessment of systems holding sensitive data, or review of security policies completed within the past 36 months.
  Developing: Internal security audit completed within the past 36 months. Scope of audit linked to security plan.
  Adequate: Internal security audit completed within the past 18 months. Scope of audit linked to security plan. District provides budget support for security measures.
  Advanced: Security plan is derived from an asset-based risk assessment process and is comprehensive: the plan links district goals and policies, end-user training and communication, and includes periodic testing and monitoring.

Security Penetration Testing
  Basic: No penetration testing.
  Developing: Penetration testing completed within the past 36 months.
  Adequate: Penetration testing completed within the past 18 months.
  Advanced: Security plan is derived from an asset-based risk assessment process and is comprehensive: the plan links district goals and policies, end-user training and communication, and includes periodic testing and monitoring.


Security Implementation

Staff Competency
  Basic: IT staff insufficiently trained in desktop support or network management.
  Developing: Job description indicates mixed network and desktop support roles without specific mention of security-related tasks.
  Adequate: Clear division of responsibility between network and desktop support, with clear assignment of responsibility for security tasks and roles.
  Advanced: Clear division of responsibilities, including security-related tasks. Additionally, IT staff is cross-trained to provide backup support.

Staffing Levels
  Basic: Technology staffing is insufficient to provide basic IT support services. Critical service interruptions affecting the entire district or individual schools last days or weeks.
  Developing: Dedicated IT staff exists, but in insufficient numbers to provide basic IT support services. Staff responds to and resolves technology service interruptions affecting the entire district or an entire school within two working days.
  Adequate: Dedicated IT staff exists and provides functional IT support services. Staff responds to and resolves technology service interruptions affecting the entire district or an entire school within the same working day. Problems affecting a single classroom are resolved within two working days.
  Advanced: Full-time dedicated IT staff. Responds to and resolves critical technology incidents on the same day they are reported. Minor incidents are resolved by the next business day. IT systems operate at a high level of reliability due to effective organizational practices.

Security Staffing
  Basic: No one specifically assigned to attend to security.
  Developing: CTO or other management staff also deals with security.
  Adequate: A staff person is assigned to manage security. The security officer reports to the CTO.
  Advanced: A Chief Security Officer exists. The security officer reports outside the IT department.


Technology

Perimeter Defense

Overview
  Basic: Architecture at basic stage; shortcomings exist in all areas.
  Developing: Architecture lacks capacity for growth or implementation of stronger security measures; shortcomings exist in two or more areas.
  Adequate: Architecture lacks capacity for growth or implementation of stronger security measures; shortcomings exist in two or more areas.
  Advanced: Appropriate architecture with room to grow.

DMZ (a computer host or small network inserted as a 'neutral zone' between a district's private network and the outside public network)
  Basic: DMZ: building servers double as firewalls (no DMZ).
  Developing: Firewall in place but no DMZ to protect email and web servers.
  Adequate: DMZ, firewall, VPN services exist but may be inadequate for future growth.
  Advanced: DMZ, firewall, VPN configured for appropriate external access, email and web services.

Firewall
  Basic: Firewall software not present at all network entry points.
  Developing: Perimeter/intrusion defense: installed, firewall configured and monitored.
  Adequate: Perimeter/intrusion defense: fully configured, firewall configured and monitored.
  Advanced: Perimeter/intrusion defense: a layered strategy from desktop to firewall provides fully integrated protection.

VPN - Network access for remote users
  Basic: No VPN configured.
  Developing: No VPN or insufficient VPN controls.
  Adequate: VPN permits a limited number of users to access the network remotely.
  Advanced: VPN configured to provide secure access to all authorized remote users.

Virus Protection
  Basic: Virus protection is not installed on all network-connected devices. Virus definition updates are performed sporadically.
  Developing: Virus protection installed on all devices; centrally-managed updates for at least half of client computers; all other computers receive regular, manual updates.
  Adequate: Centrally managed, integrated virus protection. Firewall and intrusion detection are deployed to most endpoints.
  Advanced: Centrally managed, integrated virus protection, firewall and intrusion detection for all endpoints.

Wireless Access Control
  Basic: Wireless access: reliance on end-user caution or light, localized usage to limit risk.
  Developing: Wireless access may be spreading faster than it can be properly controlled. Not all access points are properly configured.
  Adequate: Wireless access is properly configured. Secondary strategies may include non-technical tactics (e.g. powering off access points over weekends). Intrusion risks are balanced against
  Advanced: Wireless access properly configured; secondary strategies (VPN, segmentation) in place; risks are minimized by monitoring and strong authentication control.

IPS - Intrusion Prevention System
  Basic: No IPS configured.
  Developing: IPS is configured sporadically. IPS is not fully functioning.
  Adequate: IPS is configured and monitoring critical facilities such as network segments.
  Advanced: IPS is properly configured and fully

Content Filtering
  Basic: Web filtering has been implemented to meet the requirements of local policy, state laws, and federal laws.
  Developing: Web filter logs are reviewed regularly to note use and determine adjustments in categories.
  Adequate: Users can request modifications to web filter blocking for school use; requests are reviewed and action taken within 48 hours of request.
  Advanced: School employees have overrides to the web filter for school purposes.


LAN Management

Backups
  Basic: Backups may not include all mission-critical servers.
  Developing: Daily and weekly backups. Off-site storage not established.
  Adequate: Consistent backups including off-site storage; periodically tested.
  Advanced: Consistent backups including off-site storage, routinely tested. File restoration practice included in crisis management preparedness and ransomware response.

Routine Network Monitoring & Testing
  Basic: Minimally scheduled network checks. No file integrity testing. No capacity for password testing.
  Developing: Daily checks for virus protection, network services, backup status. No file integrity testing. No capacity for District-wide password testing.
  Adequate: Daily checks for network intrusion, virus protection, network services, backup status. Monthly file integrity testing. Password testing every 60-90 days.
  Advanced: Live monitoring for network intrusion, virus protection. Daily checks on network services, backup status. Maintenance logs kept. Monthly file integrity testing. Password testing every 60-90 days. Twice-yearly wireless network intrusion detection.

Major Systems Maintenance
  Basic: Major services (email, internet access) occasionally unavailable for 8 hours or more.
  Developing: Major services (email, internet access) rarely unavailable for 8 hours or more.
  Adequate: Major services (email, internet access) rarely unavailable for more than 4 hours.
  Advanced: Major services (email, internet access) rarely unavailable for more than 2 hours.

Redundancy
  Basic: Servers may lack RAID (computer data storage schemes that can divide and replicate data among multiple disk drives) reliability; no spare parts on hand for critical network devices.
  Developing: Some critical district servers have RAID reliability; some spare parts on hand.
  Adequate: Most critical servers are protected by redundant units. Spare components may not be available for all critical network devices.
  Advanced: All critical servers are protected by redundant units. Spare components are available for all critical network devices.

Documentation
  Basic: No daily maintenance and monitoring logs. System documentation is largely absent. Equipment inventory managed at the building level.
  Developing: Maintenance logs kept. System documentation is minimal; knowledge of system configuration is highly dependent on individuals. Client endpoint inventory managed at building level; all network components managed by central IT group.
  Adequate: Maintenance logs kept. System documentation is maintained for critical services and network management. Client endpoint inventory managed at district level.
  Advanced: Maintenance logs kept. System documentation is maintained for all services and network management. Client endpoint inventory managed at district level.

External Partners and Vendors
  Basic: External partners' or vendors' security practices are not known or verified.
  Developing: External partners' or vendors' security practices: documentation exists but practices are not verified.
  Adequate: External partners' or vendors' security practices: vendors assert that federal, state, and district requirements are met. Vendor credentials are checked. Emergency procedures for service restoration are established.
  Advanced: External partners' or vendors' security practices: external audit reports verify that federal, state and district requirements are met. Redundant systems are in place; emergency procedures for service restoration are established. If required, all code is escrowed.

Encryption
  Basic: Encryption is implemented sporadically on the network, or not at all.
  Developing: Passwords are encrypted in transit and in storage on centralized servers and applications. Wireless networks are encrypted with shared keys.
  Adequate: All interfaces (web, file transfer, etc.) to applications containing student, employee and financial data are encrypted. Passwords are encrypted in transit and in storage on centralized servers and applications. Wireless networks are encrypted with shared keys.
  Advanced: All student, employee and financial data subject to regulatory compliance requirements is encrypted in storage and in transit. Passwords to all centralized applications are encrypted in storage and in transit. Wireless networks are encrypted with individual keys that are tied to named users.


WAN Security

Segmentation (splitting a network into subnetworks for improved performance, increased security and containment of network problems)
  Basic: Segmentation: no network segmentation beyond building level.
  Developing: Segmentation: no network segmentation beyond building level.
  Adequate: Segmentation: network appropriately segmented.
  Advanced: Segmentation: centrally-managed building LANs, switches, servers.

Authentication/Authorization
  Basic: Authentication/Authorization: not available.
  Developing: Authentication/Authorization: not managed via the WAN, if at all. End users have no access beyond local LANs to WAN resources (except to specific systems).
  Adequate: Authentication/Authorization: system-wide implementation may be incomplete.
  Advanced: Authentication/Authorization: deployed throughout the district.

Multipath
  Basic: No multipath internet access.
  Developing: No multipath internet access.
  Adequate: Multipath internet access available for critical functions.
  Advanced: Multipath internet access available.

Standardization
  Basic: Building LANs not standardized, require local maintenance.
  Developing: Building LANs not standardized, require local maintenance.
  Adequate: Most but not all building LANs, switches, servers support remote management.
  Advanced: Standardized hardware and network configuration throughout district.

Remote LAN Management
  Basic: WAN lacks remote monitoring and management of routers, switches and LAN servers.
  Developing: Existing WAN devices may not support remote monitoring and management. As the WAN expands, new devices will support remote management; legacy devices may remain in service past "retirement" age.
  Adequate: IT plan includes elimination of legacy devices that cannot be remotely managed.
  Advanced: All routers, switches and LAN servers are remotely monitored and managed.


Patch Management
  Basic: Servers, other network devices: sporadic. End point devices: virus data and system updates (patch management) are the responsibility of the end user. Classroom or lab computers: desktop management software may be in use for updates in a few locations.
  Developing: Servers, other network devices: routine updates. End point devices: IT unit provides instructions and reminders for virus data file and system updates (patch management) to end users whose computers are not automatically updated. Classroom or lab computers: central IT staff use desktop management software for updates in some locations.
  Adequate: Servers, other network devices: automated updates. End point devices: most virus data and system updates (patch management) are managed remotely for most computers. Classroom and lab computers: central IT staff have established efficient protocols to refresh operating systems and deploy software in many locations.
  Advanced: Servers, other network devices: automated updates. End point devices: all virus data and system updates (patch management) are managed remotely. Classroom and lab computers: central IT staff have established efficient protocols to refresh operating systems and deploy software in all locations.


Software Licensing
  Basic: Software licensing managed at the building level.
  Developing: Software licensing for operating systems, virus protection and office productivity software is site-licensed by central IT group; other software, purchased without central guidance or controlling policy, is controlled at the building level.
  Adequate: Software licensing for operating systems, virus protection and office productivity software is site-licensed by IT group; other software is purchased with central guidance.
  Advanced: Software licensing for operating systems, virus protection and office productivity software is site-licensed by central IT group; other software is purchased with central guidance or controlling policy to coordinate training and encourage shareable knowledge and increased cost savings. There is a procedure to self-audit licenses at district locations.



Point Security

Installation, Configuration, Repair of desktop computers
  Basic: Client desktop computers: no remote management. No capacity to rebuild computers using imaging software.
  Developing: Client desktop computers: mixed local and central responsibilities. Some computers can be rebuilt using imaging software.
  Adequate: Client desktop computers: strong central policy, distributed management. Most computers can be rebuilt using imaging software.
  Advanced: Client desktop computers: strong central policy, distributed management. Maximized efficient repairs using imaging software.

Standardization
  Basic: No standardization plan exists. Any de facto standard for hardware and software results from episodic bulk purchasing and/or donations. No cycle of hardware replacement exists.
  Developing: Legacy software and hardware hamper standardization efforts. No cycle of hardware replacement exists. Typically four or five generations of both PCs and Macs may be online.
  Adequate: Legacy software and hardware are in the process of being phased out. 5 to 6 year replacement cycle established. Number of operating systems supported has been reduced to 2, Mac and PC.
  Advanced: Standardization goals are achieved. 3-4 year replacement cycle established. The majority of all computers use one operating system.

Passwords
  Basic: Password protection is the end user's responsibility; periodic password changes are not required.
  Developing: Password policies exist but are not centrally enforced nor routinely used in all locations.
  Adequate: Password policy is monitored by LAN or WAN managers.
  Advanced: Central password policy, including periodic password changes, is monitored and enforced by WAN managers.

Advanced User Security
  Basic: Simple password login is all that is required to access most areas of the network.
  Developing: Password login is required and there are some areas of the network not accessible to all users.
  Adequate: Strong password requirements are in place for at-risk locations, databases, or systems.
  Advanced: Two-factor authentication is in place on all computers and other endpoints.

Cloud Security

Security Responsibilities
  Basic: Contract does not delineate division of responsibility between district and CSP.
  Developing: Contract does not delineate division of responsibility between district and CSP.
  Adequate: Contract delineates some of the division of responsibility between district and CSP, but there may be gaps.
  Advanced: Contract delineates full division of responsibility between district and CSP.

Contract
  Basic: Contract and SLA do not include the items listed below.
  Developing: Contract or SLA includes some of the items listed below.
  Adequate: Contract or SLA includes the items listed below.
  Advanced: Contract or SLA includes the items listed below.

  Contract/SLA items:
  • Event logging and notification
  • DDOS protection
  • Availability requirements
  • Intrusion detection and prevention
  • Data ownership
  • Data security
  • Compliance with legal and policy requirements of the district

Egress
  Basic: Contract does not specify what happens with data when the district concludes its contract.
  Developing: Contract specifies that data is returned to the district when the district concludes its contract.
  Adequate: Contract specifies that data is returned to the district and wiped everywhere when the district concludes its contract.
  Advanced: Contract specifies that data is returned to the district and wiped everywhere when the district concludes its contract.


Business Continuity

Crisis Management Plan (Disaster Recovery Planning is the process that requires detailed planning and preparation prior to an event, whether man-made or natural, and then setting the groundwork for understanding the process of responding and recovery.)
  Basic: IT Crisis Management plan identifying Mitigation/Prevention, Preparedness, Response, and Recovery does not yet exist. Staff has not been trained specifically for IT crisis management. District Crisis Management plan includes few if any references to technology or IT security.
  Developing: IT Crisis Management plan has been outlined; it may have been completed more than a year earlier and has not been updated. Staff training for crises has been minimal. District Crisis Management Plan includes brief references to IT and security issues.
  Adequate: IT Crisis Management plan uses the same asset-based model as the security plan; it includes details of major systems. The plan may have been completed more than a year earlier and has not been updated. The plan includes an inventory of required equipment.
  Advanced: IT Crisis Management plan uses the same asset-based model as the security plan; it includes details of all systems from ISP to desktop. Plan is reviewed and updated every 12 months. The plan includes an inventory of required equipment redundancy and facilities for hot-site requirements.

Crisis Management Training
  Basic: No plan in place to train personnel for crisis situations.
  Developing: Personnel trained for crisis situations; no simulations conducted.
  Adequate: Personnel trained for crisis situations; simulations conducted to test the Business Continuity Plan when developed.
  Advanced: Personnel trained for crisis situations; simulations conducted from shutdown to startup to assess the Business Continuity Plan on an annual basis.

Technology Asset Inventory
  Basic: No plan exists for critical components to maintain or restore services in the event of a natural or man-made crisis.
  Developing: Acceptable levels of service needs during the recovery period of a crisis have been determined to identify what processes need to be maintained or restored first to keep the school running.
  Adequate: A technology asset inventory has been completed to determine and document the mission-critical technology
  Advanced: A technology asset inventory has been completed to determine and document the mission-critical technology components, their location, how they are configured, and who is responsible for management. Essential employees and other critical partners (vendors, sub-contractors, services, logistics, etc.) required to maintain business operations by location and function during the event have been identified. Critical backups are in place for both equipment and staff.


Environmental Safety

Anticipation of Natural Disasters
Basic: Flood or water damage: network devices may be in basements or sitting on floors.
Developing: Flood or water damage: network devices may be in basements or sitting on floors.
Adequate: Flood or water damage: critical infrastructure not at risk.
Advanced: Flood or water damage: critical infrastructure not at risk. Redundant equipment and warning systems are in place to guard against other disasters.

Fire Protection
Basic: Fire: No dedicated alarms. Network equipment may be located in unlocked, multi-use spaces (offices, classrooms, etc.). No fire suppression system in place.
Developing: Fire: No dedicated alarms. Network equipment may be located in space also used for storage or custodial purposes. No cooling or fire suppression systems in place.
Adequate: Fire: Alarms installed. Network equipment in clean, dedicated space. Cooling systems and fire suppression systems in place.
Advanced: Fire: Alarms and suppression equipment installed. Network equipment in clean, dedicated space.

Climate Control
Basic: Temperature and humidity: no dedicated HVAC for network services.
Developing: Temperature and humidity: network devices may lack protection from extreme heat, dampness.
Adequate: Temperature and humidity: network devices properly ventilated.
Advanced: Temperature and humidity: network devices properly ventilated.

Power Supply
Basic: Power: minimal UPS support for servers.
Developing: Power: most servers & network devices on UPS.
Adequate: Power: all servers & network devices protected by uninterruptible power supply units.
Advanced: Power: all servers & network devices protected by UPS units with backup power available.

Inspection Review
Basic: No special environmental inspections are made.
Developing: Facilities are inspected occasionally for hazards.
Adequate: Facilities are inspected occasionally for hazards.
Advanced: Facilities and emergency equipment are inspected on a regular basis by external experts.

Physical Security

Facilities
Basic: Many network devices are in shared or uncontrolled locations, e.g. book cupboards, custodial closets. Network cabling may be exposed, within reach, or subject to damage during routine building cleaning and maintenance.
Developing: Most network devices in dedicated, secure locations. Network cabling may be exposed, within reach, or subject to damage during routine building cleaning and maintenance.
Adequate: All network devices are in dedicated, secure locations. Most network cabling is secure.
Advanced: All network devices are in dedicated secure spaces. All network cabling is secure.

End User Equipment
Basic: Not all equipment is physically secured where required.
Developing: Not all equipment is physically secured where required.
Adequate: Most equipment is physically secured (locks, cables) where required.
Advanced: All equipment is physically secured (locks, cables) where required. Equipment selection criteria include physical durability.


End Users

Awareness
Basic: Stakeholders generally lack expertise on, and awareness of, security issues.
Developing: Expertise: Leaders may lack experience on strategic technology planning, including security issues. Awareness: Users are generally aware of organizational security concerns but lack specific knowledge on what to do.
Adequate: Expertise: Those charged with oversight of IT attend some trainings on strategic and managerial topics. Awareness: Users are generally aware of essential security guidelines and follow some security procedures.
Advanced: Expertise: District leaders demonstrate competency and knowledge of strategic and managerial IT topics, including security. Awareness: Users integrate essential security practices into everyday use of technology.

Training
Basic: Limited training opportunities do not include security topics. District leaders: Often choose not to participate in IT training. End Users: Training not required. Community: Little or no training available.
Developing: Security is mentioned in IT training and professional development but training is not consistently tied to security policy. District leaders: Occasionally participate in IT training. End Users: Not all are trained. Community: Occasional awareness and outreach sessions are offered to the community.
Adequate: Security integrated into IT training and professional development. District leaders: Receive same IT training as all users. End Users: Most are trained. Community: Periodic security awareness workshops are offered to the community.
Advanced: Security integrated in IT training and professional development. District leaders: Receive regular user training, plus training on strategic IT topics. End Users: Professional development, including security training, is tied to district mission and security requirements. Community: Security is integrated into outreach programs.

Access Control
Basic: Control of student access to computers depends on direct supervision. Staff access to network devices is not restricted.
Developing: Student access to computers is appropriately controlled in some locations. Staff access to network devices is restricted in some locations.
Adequate: Student access to computers is appropriately monitored where required. Staff access to network devices is restricted where appropriate.
Advanced: Student access to computers is appropriately controlled and remotely monitored where required. Staff access to network devices is restricted where appropriate.

Communication
Basic: IT unit communicates to stakeholders only sporadically.
Developing: IT unit communicates to stakeholders a few times per year. Leadership: Receives regular updates on IT and security issues. End Users: Receive occasional messages issued on security concerns. Community: Receives occasional publicity on IT or security issues.
Adequate: IT unit updates stakeholders on organizational security concerns on a monthly basis, or more frequently if significant vulnerabilities arise. Leadership: Receives regular updates on IT and security issues. End Users: Messages issued on security concerns are disseminated using a variety of media at appropriate intervals to engage users. Community: Receives regular publicity on IT or security issues.
Advanced: IT unit updates stakeholders on organizational security concerns on a monthly basis, or more frequently if significant vulnerabilities arise. Leadership: Receives regular updates on IT and security issues. End Users: Messages issued on security concerns are disseminated using a variety of media at appropriate intervals to engage users. Community: Recurring outreach to the community includes IT advice and security awareness.

Feedback
Basic: No organized feedback mechanisms exist. IT unit relies on stakeholders to bring complaints and suggestions forward.
Developing: Limited effort made to track stakeholder opinion and satisfaction. Survey of user opinions may be performed every other year.
Adequate: Help desk tracks problems and suggestions. Survey of user opinions performed yearly.
Advanced: Help desk tracks problems and suggestions. All new IT initiatives, including changes in security policy, are reviewed by user groups. Users provide input to IT initiatives through organized means such as special interest groups or regularly scheduled meetings.

Summary: Community of Trust
Basic: IT unit has almost no capacity to monitor security. IT systems are extremely vulnerable to internal damage.
Developing: Increasing likelihood for security failures, without clear policy or secure infrastructure, may result in a climate of suspicion or confusion.
Adequate: Decreasing likelihood for security failures, the result of clear policy and significantly improved infrastructure, reduces lingering suspicion and confusion.
Advanced: A secure network with reliable infrastructure and transparent security policies provides effective, mission-driven learning opportunities without the weight of surveillance.
