
First Steps
Cyber Security: An Issue for District Leadership

You’re the Superintendent or School Board Chairperson. You are aware – perhaps painfully – that cyber security is an issue that requires some leadership attention. Here’s a high-level plan of action:

A SUPERINTENDENT’S FIRST STEPS

A. Start with background sources for Understanding the Issues.

B. Review the top ten questions administrators ask about security before turning to the CTO.

C. Ask your technology director or CTO eight questions about security.

D. Ask your CTO to do a more detailed self-assessment using the Security Self-Assessment Checklist and the Cyber Security Rubric and Planning Grid.

E. Have another talk with your CTO and immediately deal with any emergency situations that have emerged through the previous analysis.

F. Convene a leadership group to review your district’s status, review the overall process described in the Security Planning Protocol, and decide on next steps. Ensure the availability of the funds, staff, time, training, and other support needed for the Security Plan to be properly implemented.

G. Send a clear message to faculty, students, parents, and the community that cyber security is a serious issue, that the district is taking action to reduce risk and deal with potential problems, and that you expect all users to play a constructive role in keeping things running smoothly.

H. Set up user education programs – such as participation in Cyber Security Day – to make people aware of how to be personally safe in cyber space and help keep the entire system secure.

Dealing with the Big Picture

The Cyber Security Protocol diagrams the four-phase process needed for a more systematic, long-term approach:

  1. Setting up leadership structures to establish the scope and guiding values;
  2. Systemically analyzing potential risks;
  3. Researching, prioritizing, planning, and implementing risk reduction strategies;
  4. Planning, practicing, and preparing to deal with problems that slip through all the preventative strategies, to ensure operational continuity and crisis management.

Through it all, make sure that you stay personally involved in your district’s security planning and crisis management planning process; keep stakeholders informed of the issues you are dealing with and the steps you are taking. The “Stakeholder Relations” section has some material that might be useful for you.

Phase One: Leadership

Moving forward requires a four-step process, each step of which has multiple components. First, district leaders and other users must be clear about the value they want to gain from their IT investment, and IT leaders must be in regular communication with all users to ensure that the desired value is being realized. Without user support no security system has a chance of success.

Phase Two: Risk Analysis

Second, IT leaders need to inventory their assets to decide what they are trying to protect. Assets might include their network systems as well as any outside extensions such as an ASP or other service vendor, their data, their physical plant and equipment, and their people. Carol Woody, of Carnegie Mellon University, has adapted the industry-focused OCTAVE methodology for school use and made it available to the CoSN project.

You need to analyze how each of your district’s assets might be vulnerable to exposure, distortion, disruption, or theft. Systems can have inherent vulnerabilities, or vulnerabilities may have been inadvertently created during installation, or as a result of the district’s evolving network configuration. Systems can become vulnerable because of delays in maintenance, upgrading, or installation of patches. Vulnerabilities can emerge as an inevitable result of active use. The physical plant also has vulnerabilities in its power supply, susceptibility to floods or temperature, or from vandalism. The IT organization can itself have vulnerabilities due to a thin supply of skills, lack of clear goals, or counter-productive policies.

And then IT leaders need to think about who or what is most likely to exploit those vulnerabilities, and how this potential threat might play out.

After all this, the potential problems need to be prioritized. What assets are most valuable? What vulnerabilities are most visible? What threats are most likely?

Phase Three: Risk Reduction

Third, the district needs to validate its analysis by probing and testing its IT system – not just the technical components but also gathering user input about their level of satisfaction and their typical behaviors.

Once priorities are clear, then IT leaders have to plan and implement a risk reduction strategy. Each district’s plan will be unique. But every district will have to be clear about assigning responsibilities, setting a schedule, and supervising progress. Once the high priority problems are addressed, a longer-term plan should be put in place to ensure that regular “stress tests” occur, that the IT staff has the needed skills, that the system is kept in good shape, and that sufficient back-ups or redundant parts are available.

For the long term, we have to remember that our biggest vulnerability does not come from technology but people, and not always from strangers. Security, ultimately, is a social process that depends on building trust and community. Central to any security strategy must be a process of examining our policies, procedures, decision-making methods, and educational programs so that we involve all key stakeholders in affirming a common set of values and purpose. Cyber ethics are the gravity that keeps the other components of a security program from flying off in different directions. People, despite their ability to cause problems, are also central to our ability to prevent problems.

Phase Four: Crisis Management and Operational Continuity Planning

Fourth, since risk can be reduced, but not eliminated, at some point a crisis will occur. It’s impossible to know what it will be or when it will happen – but it will. And it’s best to be open about it and prepared with a “crisis management” or “business continuity” plan. How can damage be minimized and contained? What should be done to inform stakeholders about what’s happened and keep them informed of unfolding developments? What are the best ways to rebuild? The core of a crisis management plan is a clear set of responsibilities, endless communication with everyone, and lots of redundancy.

 

 
A Leadership Initiative of CoSN