|
District Security Self-Assessment Checklist
What is your district’s state of security readiness? Use this questionnaire to gain a quick sense of your overall security profile. Then get a more in-depth analysis by using the District Security Planning Grid to clarify your current status, pinpoint areas of concern, and identify next steps. Maximum score is 100 points. Give partial credit for solid progress toward completion of any item.
You can fill out this checklist on line and have your score automatically computed for you. Or you can print it and do it manually – in which case, please help us develop a national database of school security status by sending a photocopy back to us at Cyber Security, c/o MNEP, 280 Lincoln St, Allston, MA 02139. Thanks!
District Demographics
My District is: __ Urban __ Suburban __Rural __ Other
Our student population is:
__<1,000 __1,000-2,000 __2,000-5,000 __ 5,000–10,000 __ >10,000
Our percentage of students eligible for free or reduced lunch is:
__ < 20% __ 20%-40% __ 40%-60% __ 60%-80% __ > 80% |
A. Security Management (30 points)
Rubric
Ref No. |
District Goals, Policy, and Support (4 pts) |
Max Pts |
Your Score |
A.11 |
Does your district have clearly stated educational goals and values that guide security decisions and connect security practices to teaching & learning priorities? |
1 |
|
A.12 |
Do district policies address data confidentiality and personal privacy in compliance with laws, regulations, and community expectations? |
1 |
|
A.13 |
Does the district budget allocate funds to support security? |
2 |
|
Rubric Ref No. |
Security Management (5 pts) |
Max Pts |
Your Score |
A.21 |
Is there a Security Team authorized by the school board that meets on a scheduled basis to discuss security planning and oversight? |
3 |
|
A.22 |
Does the Security Team include:
- The superintendent (or a representative of the school board or school committee) to ensure community standards are met?
|
1 |
|
- Teacher representatives committed to ensuring security requirements do not interfere with the district’s educational mission?
|
1 |
|
Rubric
Ref No. |
Security Planning and Preparedness (21 pts) |
Max Pts |
Your Score |
A.32 |
Security Plan: Does the district have a security plan that has been significantly reviewed and updated in the past 18 months? |
4 |
|
A.32 |
Scope of Plan: Does the scope of the Security Plan include
- Benchmarks for the immediate and long-term improvement of both perimeter and internal defenses?
- Needed improvements in operations e.g., maintenance, backup, and system monitoring?
- User involvement in setting policies and methods for regular user feedback about security and other operational issues?
- User training and communication, as well as regular communications with other stakeholders?
|
1 |
|
1 |
|
1 |
|
1 |
|
A.33 |
Security Audit: Have the district’s security operations been reviewed or audited by an outside group within the past two years?
- If an audit was completed in the past two years, have the recommendations been fully implemented?
|
3 |
|
2 |
|
A.34 |
Crisis Management: Has a crisis management/operational continuity plan been written or updated within the past 2 years? |
3 |
|
A.42 |
Training and Testing : Have staff members practiced implementing the crisis management plan in the past year, and then revised the plan based on that experience? |
1 |
|
A.41 |
Staffing: Are staffing levels sufficient to…
|
|
|
- Complete routine network management tasks?
|
2 |
|
- Complete all security-related tasks regularly?
|
2 |
|
- Provide customer service at appropriate levels?
|
1 |
|
B. Technology (50 points)
Rubric
Ref No. |
Perimeter Defenses (16 pts) |
Max Pts |
Your Score |
B.12 |
Are ALL Internet and modem connections protected by a firewall or multifunction security appliance? |
2 |
|
B.13 |
Is the network perimeter protected by a spam/content filter? |
1 |
|
B.13 |
Do the firewall/multifunction devices include virus protection? |
2 |
|
B.14 |
Is spam, content, and virus protection enabled on email and web servers? |
2 |
|
B.61 |
Are all network devices that host spam, content, and virus protection regularly monitored, patched, and updated? |
6 |
|
B.16 |
Are all wireless access points fully encrypted (WEP enabled)? |
2 |
|
| B.52 |
Are perimeter defenses regularly tested for vulnerability to penetration? |
1 |
|
Rubric
Ref No. |
Network Architecture and WAN Security (8 pts) |
Max Pts |
Your Score |
B.11 |
DMZ : Does your network design isolate web and email servers in a semi-isolated area commonly referred to as a DMZ? |
3 |
|
B.21 |
Segmentation : Are computer connections on your network logically organized by building, department or other hierarchical structure? |
2 |
|
B.24 |
Standardization and Redundancy : Do you have the capacity to swap out defective equipment? |
2 |
|
B.55 |
External Partners and Vendors: Have you validated the effectiveness of the data privacy and intrusion security capabilities of all outside parties with whom you share data or from whom you receive services (e.g. payroll, email, webhost, ISP, etc)? |
1 |
|
Rubric
Ref No. |
IT Management and Internal Defenses (26 pts) |
Max Pts |
Your Score |
B.51 |
Are backups
|
2 |
|
|
1 |
|
|
3 |
|
- Stored off-site on a weekly basis?
|
2 |
|
B.52 |
Is the network fully documented, and is the equipment inventory up to date? |
2 |
|
B.52 |
Maintenance and Monitoring Protocols :
- network monitoring of bandwidth, connections, and file types
|
1 |
|
- routine preventive maintenance of desktops, LAN servers, network appliances
|
2 |
|
- scheduled testing of network performance
|
1 |
|
B.61 |
Remote Management : Do you have the capacity to remotely rebuild desktops, and monitor, update or reset LAN servers/routers from a central location? Are key staff automatically notified 24/7 by phone and/or email if a problem occurs? |
2 |
|
| B.63 |
Patch and Virus Management: Is virus protection software installed and automatically updated on every workstation?
|
4 |
|
- Are software vulnerabilities patched routinely on all workstations?
|
1 |
|
- Add an additional point if patched automatically.
|
1 |
|
| B.65 |
Passwords : Is there a district-wide authentication and authorization policy in place and actively enforced?
- If all computers are password protected, give yourself 1 point.
- If passwords must be changed periodically, give yourself another 2 points.
|
4 |
|
C. Environmental and Physical Security(5 points)
Rubric
Ref No. |
Environmental Security (2 pts) |
Max Pts |
Your Score |
C.11
C.12
|
Environmental Disasters: Is your network infrastructure located and installed in an area protected from floods, hurricanes, tornadoes, or other regionally-relevant natural threats?
Fire Protection: Are network servers protected by appropriate alarms and fire suppression equipment? |
1 |
|
C.13
C.14 |
Temperature and Humidity Control : Is network equipment properly ventilated?
Power: Are all servers and network devices protected by uninterruptible power supply (UPS) devices? |
1 |
|
Rubric
Ref No. |
Physical Security (3 pts) |
Max Pts |
Your Score |
C.21 |
Secure Locations: Are all network devices located in secure facilities exclusively dedicated to network operations?
Secure Infrastructure: Are all switches, hubs, and wiring closets located in spaces not also used by custodians, librarians, etc.? |
1 |
|
C.22 |
Equipment Security: Is all equipment located in high-use areas secured to prevent theft? |
1 |
|
C.23 |
Access Control : Are computer facilities accessible to students and staff only under controlled circumstances (ID cards, entry logs)? |
1 |
|
D. Stakeholder Role (15 points)
Rubric
Ref No. |
User Engagement and Stakeholder Communication (15 pts) |
Max Pts |
Your Score |
D.11
|
Training : Is training done in a manner most convenient to users to increase user skill and understanding about passwords, security procedures, etc?
- Have a majority of users participated in these sessions?
|
4 |
|
D.12 |
Communication: Are updates on technology and security regularly sent to stakeholders using email, newsletters, posters, and public media?
|
4 |
|
| D.13 |
Feedback: Are there regular electronic and face-to-face forums for user feedback, suggestions, and complaints? Is feedback respectfully listened to and acted upon? |
4 |
|
| D.14 |
Summary: Have you created a “community of trust” in which users take responsibility for their role in security and also feel that their rights are respected and needs addressed? |
3 |
|
If your district scores :
Below 20: |
Either your district doesn’t use IT to any significant degree, or your system is a disaster waiting to happen. |
20 to 39: |
Your district’s IT system is probably barely meeting the minimal basic security, but serious shortcomings remain and problems are likely to occur. |
40 to 59: |
Your district’s IT system is beginning to deal with the wide range of security requirements, but continued attention and effort will be needed to bring things up to a more defendable state. |
60 to 79: |
Your district’s IT system is grappling with the wide range of security requirements, and while that does not guarantee no problems will occur, you are exercising appropriate due diligence; however, some shortcomings remain and continued attention and effort will be helpful. |
80 to 100: |
Your district’s IT system is a model of good cyber security practice. Maintaining this status will require continuing attention and action. |
|
|
|
