

Eight Assessment Questions A Superintendent Should Ask The Chief Technology Officer

Question 1:

How are we doing so far?

Incidents. Over the past year:
  • Was confidential data compromised?
  • Was data lost or corrupted?
  • Was equipment stolen or misused?
  • Was email or Internet service interrupted?
  • Did virus or spam attacks cause shutdowns?
Causes. Were problems caused by:
  • Inadequate technical safeguards?
  • Insufficient staff training?
  • Unauthorized access to or use of systems by insiders?
  • Intrusion by outsiders?
Impact. Did security problems result in:
  • Loss of efficiency, productivity, or other costs?
  • Failure to meet district educational objectives?
  • Damage to reputation?
  • Harm to students or staff?

Question 2:

Do we have a security plan?

Security plan status.
  • When was our security plan last updated?
  • When was our security plan most recently reviewed by outside experts?
  • What steps does the plan require us to take?
  • What are the major risks we are still exposed to?

Question 3:

Do we have adequate security and privacy policies in place?

District security rules.

  • Do we have a clear policy about data privacy?
  • When were our staff and student AUPs last reviewed and updated?
  • Have rules been effectively communicated to staff and students?

Legal review.

  • Has the policy been reviewed by legal counsel to ensure alignment with local, state, and federal laws and regulations – including FERPA and HIPAA?

External controls.

  • Are we confident that the data and communication systems of our outside service providers (payroll, email, data warehouse) are secure?
  • How have we verified those assurances?

Question 4:

Are our network security procedures and tools up to date?

Hardware.

  • Can our network equipment support current security standards?
  • Are all desktop and laptop computers individually protected from internal viruses?

Software.

  • Do all our computers receive security patches or virus definition updates automatically?
  • If not, how long does it take to fully install patches/updates from the time they are released?

Monitoring.

  • Do we have the capacity to centrally monitor the status of all our equipment to know which machines are not secure, and to remotely perform other troubleshooting?
  • Are our systems set up to enforce all our network security, system access, and data privacy policies?

Question 5:

Is our network perimeter secured against intrusion?

Design.

  • Is our network designed to prevent unwanted intrusion?
  • Do we have external and internal firewalls?

Laptop and other mobile device problems.

  • Are we able to deal with viruses and other problems brought in through home-used laptops and other mobile devices?

Wireless security.

  • Have we secured wireless networks against intruders?

Passwords.

  • Do we enforce regular updates of secure passwords by all users?

Question 6:

Is our network physically secure?

Environmental hazards.

  • Is all network equipment located in facilities protected against flooding, burst pipes, freezing, overheating, or fire?

Physical security.

  • Do we regularly check to ensure that only authorized people can physically access key equipment?
  • Is all network equipment located in locked rooms dedicated solely for that purpose (no secondary custodial or secretarial use)?
  • Is all end user equipment cabled down and labeled?

Question 7:

Have we made our users part of the solution?

Awareness.

  • How well do all users understand their own self-interest in keeping our IT systems operational, and know what they need to do to maintain system security?
  • How do we encourage user involvement in setting, enforcing, and reviewing security policies?
Training. Is there a sufficient program of user training, and does that training include security issues?
Communication. Is there a regular flow of communication with and feedback from all users? What happens to user complaints and suggestions?

Question 8:

Are we prepared to survive a security crisis?

Backups. Is all our data regularly backed up to both a secure internal and a secure external location?
Redundant systems. Do we have redundant network connections (with at least minimal capacity among our buildings and from our network to our key external vendors) so that we can continue operations if our communication networks are compromised?
Communication plan. If a crisis were to occur, are we prepared to stay in touch with families, staff, municipal leaders, the media, and other stakeholders about the extent of the problem and our progress in dealing with it?

Preparedness.

  • Are crisis response staff identified and trained?
  • Have we done a “dry run” test of our crisis management plan recently?
  • Have we improved our crisis management plan as a result of that test?

Consortium for School Networking (CoSN)
1025 Vermont Avenue NW, Suite 1010
Washington, DC 20005-3599
Toll Free 866.267.8747
Telephone 202.861.2676
Fax 202.393.2011
 

 

 
 
Attribution-Noncommercial