Key points:
School cybersecurity audits don't have to be stressful. By knowing what to expect, you can be well prepared and set yourself up for future success. The effort put into the first audit will also pay off in the future: once the first audit is completed, subsequent audits will be much easier. You'll be able to recycle information and make small adjustments to any systems or processes that have changed in the last year. Most importantly, successful cybersecurity audits allow a school to obtain cybersecurity insurance, a growing need and one that could be mandatory in the future.
So what exactly are auditors looking for? There are usually a few general things they look at: multi-factor authentication (MFA), secure backups, vulnerability/endpoint protection, and cybersecurity awareness training.
The auditor will provide a list of related questions and subquestions, and will likely include these queries:
- Does your school use antivirus on its computers and provide advanced vulnerability detection and protection? Are there similar protections on your email server?
- Are your backups isolated? Do they exist separate from your production environment or in the cloud? This is essential for protection against ransomware.
- Is MFA enabled everywhere it makes sense? MFA can stop most hackers, especially in the case of compromised passwords.
- Are you training your faculty and employees in good cyber hygiene? The human element is the weakest link in the security chain, so keeping people aware of threats and what they look like is essential for good security.
Expanding on these core questions will likely include additional technology-specific questions. For example, what type of Wi-Fi authentication is used? Do you use an identity management platform or a RADIUS server? How secure is your VPN setup? Does the VPN use MFA? What type of MFA is used for the VPN? Who has physical access to servers and backups? Do you have a data backup and recovery plan? How often do you test your backups?
When the auditor evaluates your school's cybersecurity awareness training, they will often ask about the cadence or frequency of these training sessions and whether they are required for all employees or staff. Typically, the expectation is that training takes place at least once a year with all employees attending, but more frequent training is always better. Sometimes schools schedule these cybersecurity trainings alongside bullying training. Depending on your school's culture, it may be best to conduct training via webinar so that all school staff can comfortably participate and ask questions that help reinforce the material.
Almost all of these cybersecurity audit questions can be addressed with a simple explanation along with a photo, screenshot, or official document showing the procedures, policy, or proof of training. Additionally, responses may include logs from your backup device detailing successful backups and/or recoveries. You can also attach your backup continuity or recovery plan along with the audit. If you have additional evidence supporting an audit response, add it.
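As an added example (not part of the original article), the following script turns backup-device logs into the kind of evidence an auditor asks for: the most recent successful backup and the most recent successful restore test per host, with a finding for any host that falls outside the expected cadence. The log lines and their format are constructed for this example; a real appliance will log differently and the regular expression would need adjusting.

```python
"""Summarise backup logs into per-host audit evidence (added example)."""
from datetime import datetime, timedelta
import re

# Constructed sample log lines for this example; the field layout is an
# assumption, not the output of any particular backup product.
SAMPLE_LOG = """\
2024-03-01T02:00:11Z host=sis-db job=backup status=success size=12.4G
2024-03-01T02:05:40Z host=fileserver job=backup status=success size=310G
2024-03-01T02:09:02Z host=mail job=backup status=failed error=snapshot_busy
2024-03-02T02:00:09Z host=sis-db job=backup status=success size=12.5G
2024-03-02T02:08:55Z host=mail job=backup status=success size=44G
2024-02-10T14:30:00Z host=sis-db job=restore_test status=success
2023-09-15T09:00:00Z host=fileserver job=restore_test status=success
2024-03-03T02:00:12Z host=sis-db job=backup status=success size=12.5G
"""

# The date the report is generated "as of"; fixed here so the example is reproducible.
AS_OF = datetime(2024, 3, 3, 12, 0, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) job=(?P<job>\S+) status=(?P<status>\S+)"
)

# Which report field each job type feeds.
JOB_KEY = {"backup": "last_backup", "restore_test": "last_restore_test"}


def parse_log(text):
    """Yield (timestamp, host, job, status) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the report
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group("host"), m.group("job"), m.group("status")


def summarise(text, as_of, max_backup_age=timedelta(days=2),
              max_restore_age=timedelta(days=365)):
    """Return {host: {"last_backup", "last_restore_test", "findings"}}.

    Only successful runs count as evidence; failed runs still register the
    host so that a host with no success at all is reported, not hidden.
    """
    report = {}
    for ts, host, job, status in parse_log(text):
        entry = report.setdefault(
            host, {"last_backup": None, "last_restore_test": None, "findings": []}
        )
        key = JOB_KEY.get(job)
        if status != "success" or key is None:
            continue
        if entry[key] is None or ts > entry[key]:
            entry[key] = ts

    for entry in report.values():
        last_backup = entry["last_backup"]
        last_restore = entry["last_restore_test"]
        if last_backup is None or as_of - last_backup > max_backup_age:
            entry["findings"].append("no recent successful backup")
        if last_restore is None or as_of - last_restore > max_restore_age:
            entry["findings"].append("no restore test within the last year")
    return report


if __name__ == "__main__":
    for host, entry in sorted(summarise(SAMPLE_LOG, AS_OF).items()):
        status = "OK" if not entry["findings"] else "; ".join(entry["findings"])
        print(f"{host}: last backup {entry['last_backup']}, "
              f"last restore test {entry['last_restore_test']} -> {status}")
```

Run against the constructed log, the report shows sis-db clean, fileserver with a stale backup, and mail with no restore test on record. The thresholds are parameters so they can be aligned with whatever cadence your recovery plan actually commits to; a printed summary like this, attached alongside the raw log, answers the backup and restore-test questions with evidence rather than assertion.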
However, keep in mind that every auditor is different and each audit sheet will ask questions differently. In some cases, questions may be worded strangely or open to interpretation. In these situations, don't worry – simply respond and provide evidence to the best of your ability, and the auditors will let you know if further clarity or detail is required.
An audit can be quite difficult if your current IT staff is less technically inclined or simply lacks documentation and knowledge to explain how current systems work. It's not unusual for things to be lost along the way, especially if your IT department has changed hands several times. If you know this is the case, you may want to start preparing your IT team before an audit. You can even use this article as a practice test: talk to your team, ask these questions, and discuss where there may be blind spots. If you can get ahead of these issues, you'll have a much easier time when the actual audit comes around.
Once your school's IT team has successfully completed the first cybersecurity audit, you will have a template for the next one. Keep it as a “live” document and ask your IT staff to update it accordingly if anything changes. Did you change your MFA for the VPN? Perhaps you implemented stronger identity management for Wi-Fi access? Whatever the case, update your audit document to show it, and when the next audit comes around, you (or your IT team) can relax and send it to the auditors. Most importantly, a cybersecurity audit can help ensure that your school's IT environment is secure and understood by your IT staff, and if the worst happens, your cybersecurity insurance can help take care of the rest.