My general opinion on your first question would be any system that has student or parent full names, personal email address, and home address or birthdate. If you have to pick and choose, I'd be less concerned with systems that just have student name and only the SCHOOL email address.
With regard to your second question on policy, all employee accounts for all services require MFA. That's not as difficult as it might sound since we have all services use SSO that authenticates against Microsoft Azure Active Directory.
One thing making that easier is that Google is one of those services that we have set to SSO with Azure. Most online services support a Google login so even if Microsoft login is not supported, students/staff just choose the Google login, which ends up redirecting them to our Azure SSO.
We have Azure set to require MFA for all employee accounts. Therefore, once a service supports Google login or we configure it to use Azure SSO (which makes things easier for end users anyway: one username and password for everything), MFA for employees is automatically enabled. Azure can recognize whether an account belongs to a student or a staff member, and we do not currently require MFA for student accounts.
Much of our decision to enable MFA was dictated by our insurance company, which made it easy to explain to people why they had a new inconvenience if they didn't already get it from what's been happening in cybersecurity over the past few years.
------------------------------
Bill Campbell
Dwight-Englewood School
------------------------------
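An added example of the enforcement mechanism described in the reply above (not code from the original post or from either school): an Azure AD / Entra ID Conditional Access policy, created through the Microsoft Graph PowerShell SDK, that requires MFA for every cloud application but is scoped to a staff group so that student accounts are untouched. The reply says Azure "can recognize" staff versus students; the usual way a policy does that is by group membership, and that is assumed here. The group IDs are placeholders, and the policy name is invented for illustration.

```powershell
# Added example (not from the original thread). Requires the Microsoft.Graph module.
# Assumes one security group contains all employees and a second holds the
# emergency-access ("break glass") accounts that must never be locked out by MFA.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$staffGroupId = "00000000-0000-0000-0000-000000000001"   # placeholder: All Staff group
$breakGlassId = "00000000-0000-0000-0000-000000000002"   # placeholder: emergency-access accounts

$params = @{
    displayName = "Require MFA - all employees, all apps"
    # Report-only first: sign-in logs show who would have been prompted without
    # actually blocking anyone. Change to "enabled" once the results look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($staffGroupId)   # employees only; students are not in this group
            excludeGroups = @($breakGlassId)   # never apply MFA to break-glass accounts
        }
        applications = @{
            includeApplications = @("All")     # every app federated to Azure, including Google
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params
```

Because the policy targets all applications, any service that authenticates through Azure SSO (directly, or indirectly via a Google login that is itself federated to Azure) inherits the MFA requirement without per-app configuration, which is the effect the reply describes. Leaving the policy in report-only mode for a week and reviewing the sign-in logs before switching it to "enabled" is the check most administrators want before users see the new prompt.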
Original Message:
Sent: 07-27-2022 03:39 PM
From: Liz Beck
Subject: Definition of Data that Requires Special Attention/Additional Protection
Hi all,
I'm in the process of defining the scope for an internal cybersecurity audit that will include both self-hosted systems and cloud-hosted services. Specifically, I want to be sure that MFA is available and turned on as much as possible across all systems. But, as we all know, there are many apps out there that our teachers use that contain some student and possibly parent data.
Of course, ideally, all data is secure and everything has MFA. But, I'm trying to prioritize my work and target the apps that are most critical.
My question is - What would make your top 10 list of data that it's critical to keep secure? Why?
Do you have a policy or definition for the types of apps that are required to have MFA? Or data that is required to be stored in a system that is locked down with additional security beyond a username and password?
#CybersafetyandDataSecurity
------------------------------
Liz Beck
Director of Technology
Laurence School
------------------------------