  • 1.  Definition of Data that Requires Special Attention/Additional Protection

    Posted 07-27-2022 03:40 PM
    Hi all,

    I'm in the process of defining the scope for an internal cybersecurity audit that will include self-hosted systems and cloud-hosted services. Specifically, I want to be sure that MFA is available and turned on as much as possible across all systems. But, as we all know, there are many apps out there that our teachers use that contain some student and possibly parent data.

    Of course, ideally, all data is secure and everything has MFA. But I'm trying to prioritize my work and target the apps that are most critical.

    My question is: what would make your top 10 list of data that it's critical to keep secure? Why?

    Do you have a policy or definition for the types of apps that are required to have MFA? Or data that is required to be stored in a system that is locked down with additional security beyond a username and password?
    #CybersafetyandDataSecurity

    ------------------------------
    Liz Beck
    Director of Technology
    Laurence School
    ------------------------------


  • 2.  RE: Definition of Data that Requires Special Attention/Additional Protection

    Posted 07-29-2022 09:01 AM
    Liz,
    This is an important question. Thank you for starting the conversation. To prioritize the most critical data, we have approached it by prioritizing level of risk and those users accessing operationally significant data, i.e., the data that would most negatively impact the school in the case of a breach or loss. The risk assessment/prioritization was determined as a collaboration with the School's risk team (CFO, Head, Tech Leader, HR and finally the school's attorney).

    With that in mind, we made a list of all employees and ranked them 1-5 (1 was the highest access to the most critical data). At that point, we evaluated the systems that users ranked 1 or 2 used, working most diligently to enable MFA and other measures, including security training, to clarify and improve those data areas first.

    I hope this helps continue the conversation.

    ------------------------------
    Denise Musselwhite
    Chief Information Officer & ATLIS Board Member
    Trinity Preparatory School
    ------------------------------



  • 3.  RE: Definition of Data that Requires Special Attention/Additional Protection

    Posted 07-29-2022 09:18 AM
    Edited by Bill Campbell 07-29-2022 09:21 AM
    My general opinion on your first question would be any system that has student or parent full names, personal email address, and home address or birthdate.  If you have to pick and choose, I'd be less concerned with systems that just have student name and only the SCHOOL email address.

    With regard to your second question on policy, all employee accounts for all services require MFA. That's not as difficult as it might sound since we have all services use SSO that authenticates against Microsoft Azure Active Directory.

    One thing making that easier is that Google is one of those services that we have set to SSO with Azure. Most online services support a Google login so even if Microsoft login is not supported, students/staff just choose the Google login, which ends up redirecting them to our Azure SSO.

    We have Azure set to require MFA for all employee accounts. Therefore, if a service supports Google login, or after we configure an online service to use Azure SSO (which makes things easier for end users anyway: one username and password for everything), MFA for employees is automatically enabled. Azure can recognize whether an account belongs to a student or staff, and we do not currently require MFA for student accounts.

    Much of our decision to enable MFA was dictated by our insurance company, which made it easy to explain to people why they had a new inconvenience if they didn't already get it by just looking at what's been happening cybersecurity-related in the world during the past few years.

    ------------------------------
    Bill Campbell
    Dwight-Englewood School
    ------------------------------
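    The "MFA for all employees, students excluded" setup Bill describes is usually expressed as a Conditional Access policy, and its main failure mode is scope leakage: an employee who lands in the excluded student group, or a policy left in report-only state, silently loses the MFA requirement. The script below is an added example (not Dwight-Englewood's configuration and not code from any post in this thread): it evaluates a policy written in the shape of a Microsoft Graph conditionalAccessPolicy object against a directory export and lists employee accounts that no enabled policy forces to MFA. The group IDs, the break-glass account, and the user records are constructed for the demonstration.

```python
"""Added example: audit which employee accounts a Conditional Access-style
MFA policy actually covers. Policy shape follows the Microsoft Graph
conditionalAccessPolicy object; IDs and users below are made up."""

STAFF_GROUP = "11111111-1111-1111-1111-111111111111"    # assumed group ID
STUDENT_GROUP = "22222222-2222-2222-2222-222222222222"  # assumed group ID
BREAK_GLASS = "emergency-admin@school.example"          # assumed excluded account

MFA_POLICY = {
    "displayName": "Require MFA for employees",
    # "enabledForReportingButNotEnforced" (report-only) logs but does NOT block sign-ins
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            "excludeUsers": [BREAK_GLASS],
            "excludeGroups": [STUDENT_GROUP],   # students are out of scope, as in the post
        },
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Constructed directory export: UPN, account type, and group memberships.
USERS = [
    {"upn": "teacher1@school.example", "type": "staff", "groups": [STAFF_GROUP]},
    # A coach who was also added to the student group: the exclusion now applies to them.
    {"upn": "coach@school.example", "type": "staff", "groups": [STAFF_GROUP, STUDENT_GROUP]},
    {"upn": "student1@school.example", "type": "student", "groups": [STUDENT_GROUP]},
    {"upn": BREAK_GLASS, "type": "staff", "groups": []},
    {"upn": "substitute@school.example", "type": "staff", "groups": []},  # no groups at all
]


def policy_applies(policy, user):
    """True if the policy's user scope includes this user.
    Exclusions win over inclusions, which is how Conditional Access resolves scope."""
    users = policy["conditions"]["users"]
    if user["upn"] in users.get("excludeUsers", []):
        return False
    if any(g in users.get("excludeGroups", []) for g in user["groups"]):
        return False
    if "All" in users.get("includeUsers", []):
        return True
    if user["upn"] in users.get("includeUsers", []):
        return True
    return any(g in users.get("includeGroups", []) for g in user["groups"])


def mfa_enforced(policies, user):
    """True if at least one enabled policy scoped to the user grants access only with 'mfa'."""
    for policy in policies:
        if policy["state"] != "enabled":
            continue  # disabled or report-only policies do not protect anyone
        if "mfa" not in policy["grantControls"].get("builtInControls", []):
            continue
        if policy_applies(policy, user):
            return True
    return False


def employees_without_mfa(policies, users):
    """The audit finding: staff accounts that no enabled policy forces to MFA."""
    return sorted(u["upn"] for u in users
                  if u["type"] == "staff" and not mfa_enforced(policies, u))


if __name__ == "__main__":
    for upn in employees_without_mfa([MFA_POLICY], USERS):
        print("no MFA requirement:", upn)
```

Run as-is, the audit reports the mis-grouped coach and the break-glass account; flipping the policy's `state` to report-only makes every employee show up, which is the check worth keeping in an audit script after any policy change. The same evaluation logic covers sign-ins that arrive through the federated Google login, since those are still authenticated by the Azure session the policy protects.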



  • 4.  RE: Definition of Data that Requires Special Attention/Additional Protection

    Posted 07-29-2022 03:03 PM

    Thank you, both! Very helpful.

    @Bill - we're a Google school with MFA for all faculty and staff, which authenticates against Azure. There are many apps that allow our users to sign in using Google but don't require it. For example, our K-2 teachers use Seesaw. There is a "Log in with Google" button and we ask our teachers to always use it for signing in, but there is no way for me to require that they sign in this way. Some teachers have also created a separate email/password for Seesaw, and both logins work. Additionally, there is no way for me to see how a user authenticates, whether two logins were created, or how to remove the email/password login credentials.

    Of course, we will continue to educate and support our teachers with the correct way to log in to these apps, but short of 1:1 meetings, it's very difficult to control.

    Do you have advice on how to manage these types of scenarios?

    Additionally, there are many apps that don't have the "Log in with Google" feature and only offer email/username + password authentication. How do you manage these situations? Are they not allowed across the board? Or do you use other strategies depending on the type of information being stored?



    ------------------------------
    Liz Beck
    Director of Technology
    Laurence School
    ------------------------------



  • 5.  RE: Definition of Data that Requires Special Attention/Additional Protection

    Posted 08-01-2022 09:11 AM
    Hi Liz,

    I'm not the expert in my department on this, but our experience so far is that we are pretty much able to use SSO for all services we use, either via SAML SSO or a Google/Microsoft login. For SAML, some services have users sign in by choosing the appropriate option at the service's normal login screen, like the "Log in with Google" option, while others require a special link that we generally host on the Resource Board of our Blackbaud LMS. Sometimes enabling the SSO option requires purchasing the service as opposed to using a free tier.

    With regard to systems where someone can log in using either an email address with an independent password (such as the Seesaw example) or an SSO login that goes back to our network accounts, most people naturally choose the SSO option since that is a password they use more often, as opposed to having to remember some one-off password. Plus, with the Azure SSO, as you have probably noticed, people often don't have to type in a password at all if they recently logged into any service that uses the Azure SSO, as that authenticated Azure session applies to any service that is using SSO. Also, if we are paying for an online service, most services will not provide the extra features that come with the license if users don't log in using our SSO.

    Of course, there is no technical way to prevent teachers from using a service that we don't have set up for SSO, since there are so many online services in existence and nothing stopping anyone with an email address from creating an account. The idea @Denise Musselwhite mentioned about identifying users who have access to the most sensitive data and providing security training to them seems good. That net probably won't capture the majority of your teachers, but it might identify some who have data access for responsibilities beyond teaching and provide some structure to make sure those folks are more careful about using services that aren't officially supported (or at least making sure they've been told the risks).

    ------------------------------
    Bill Campbell
    Dwight-Englewood School
    ------------------------------



  • 6.  RE: Definition of Data that Requires Special Attention/Additional Protection

    Posted 08-02-2022 09:51 AM
    Not all data requires the same level of protection, but all data should be protected (even something as straightforward as a campus map or building directory has security implications). It is helpful to consider how data should be classified as a first step. This table is an excellent first step to thinking about data classification. Of course, there are legal requirements for some data storage, such as medical information, SSN, and credit card/bank account data.

    ------------------------------
    Glenn Hymel
    Strake Jesuit College Prep
    ------------------------------
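    Putting the thread's criteria together: Bill's rule that full name plus personal email, home address or birthdate is what matters (name plus school email only is lower concern), Glenn's point that medical, SSN and payment data carry legal requirements, and Denise's approach of ranking by risk and fixing the highest tier first. The script below is an added example, not any school's actual inventory or policy and not code from a post in this thread: it classifies each app by the data elements it holds, adds a score for its login posture (SSO only, SSO with a still-working password path as in the Seesaw case, or password only), and returns the order in which to tackle MFA/SSO. The tier names, the data-element vocabulary and the five sample apps are assumptions constructed for the demonstration.

```python
"""Added example: rank a SaaS inventory by data sensitivity and login posture
to decide where to enforce SSO/MFA first. Tiers, rules and sample apps are
assumptions built from the thread, not a school's real inventory."""

# Assumed data-element vocabulary an app can hold.
REGULATED = {"medical", "ssn", "payment"}                  # legally regulated storage
IDENTIFYING = {"personal_email", "home_address", "birthdate"}

LEVELS = ["Public", "Internal", "Confidential", "Restricted"]  # low to high


def classify(fields):
    """Map the set of data elements an app stores to a classification tier."""
    fields = set(fields)
    if fields & REGULATED:
        return "Restricted"
    if "full_name" in fields and fields & IDENTIFYING:
        return "Confidential"  # name + a personal contact/identity detail
    if fields & {"full_name", "school_email"}:
        return "Internal"      # name and school email only
    return "Public"


def auth_exposure(auth_methods, native_mfa=False):
    """Higher is worse. The case the thread worries about is a password path
    that exists alongside SSO, so a user can sidestep the IdP's MFA entirely."""
    methods = set(auth_methods)
    sso = bool(methods & {"saml", "google", "microsoft"})
    if "password" not in methods:
        return 0   # SSO only: MFA is inherited from the identity provider
    if native_mfa:
        return 1   # password login exists but the app enforces its own MFA
    if sso:
        return 2   # dual path: SSO offered, but a separate password login still works
    return 3       # password only, no MFA anywhere


def prioritize(apps):
    """Return (name, tier, score) sorted so the first entry is the one to fix first."""
    ranked = []
    for app in apps:
        tier = classify(app["fields"])
        score = LEVELS.index(tier) * 10 + auth_exposure(app["auth"], app.get("native_mfa", False))
        ranked.append((app["name"], tier, score))
    ranked.sort(key=lambda row: row[2], reverse=True)
    return ranked


# Constructed sample inventory (names and contents are made up).
APPS = [
    {"name": "legacy_sis",
     "fields": ["full_name", "personal_email", "home_address", "birthdate", "medical"],
     "auth": ["password"]},
    {"name": "hr_payroll", "fields": ["full_name", "ssn", "payment"], "auth": ["saml"]},
    {"name": "k2_portfolio_app", "fields": ["full_name", "personal_email"],
     "auth": ["google", "password"]},          # Google button plus a working local login
    {"name": "reading_practice", "fields": ["full_name", "school_email"], "auth": ["google"]},
    {"name": "campus_map", "fields": [], "auth": ["password"]},
]

if __name__ == "__main__":
    for name, tier, score in prioritize(APPS):
        print(f"{score:3d}  {tier:<12} {name}")
```

With these rules a password-only SIS holding medical data sorts above an HR system with SSN data behind SAML, because the HR system already inherits MFA from the IdP; the K-2 app lands next because its leftover password path undoes the Google sign-in's protection. Adjust the weights to match the risk team's ranking rather than treating the numbers here as fixed.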



  • 7.  RE: Definition of Data that Requires Special Attention/Additional Protection

    Posted 08-03-2022 04:51 PM
    Super helpful table, Glenn!

    @Bill - I think part of my struggle is that the SIS I'm using doesn't have MFA. It's a legacy product that eventually will be sunsetted, and I need to get off that platform. I was planning on taking this on during the summer of 2020... but, as we all know, school tech teams everywhere had bigger fish to fry. Anyhow, you're giving me another reason to consider it a top priority for the near(ish) future. Thank you for taking the time to respond!

    ------------------------------
    Liz Beck
    Director of Technology
    Laurence School
    ------------------------------