By Bob Olsen, Compass Cyber Security
RISK & COMPLIANCE
Cybersecurity and Master Planning

One of the best times to address cybersecurity risks is before building or remodeling. Do not rely solely on your IT team.

Hundreds of schools have reported data breaches in recent months. How can your school avoid being next? An ideal time to shore up cybersecurity efforts is when building new or remodeling. Not only does construction provide a clean slate on which to implement solutions, but even relatively simple renovations can involve industrial control systems that invite cybersecurity risks. A new automated HVAC system, for example, ties into a school’s IT infrastructure. And every new vendor to your campus presents a potential threat.

Thinking through cybersecurity challenges during the planning process will save costs and headaches in the long run. It’s especially important to consider cybersecurity implications when beginning larger capital improvement projects, which usually roll around only every 20 or 25 years. One of our clients took this opportunity when "tech enabling" older classrooms — that is, updating with Wi-Fi, LED screens, laptop docking, etc. In this case, starting from scratch and implementing entirely new systems proved less costly than patching up older ones. On the other hand, schools must sometimes integrate legacy systems with brand new ones, such as when connecting building controls in a new facility with those in a nearby older building.

Asking these questions will help you assess cyberthreats and prevention when developing a master plan:
• How will we use technology in the future and what does that mean to our security program? Are we moving to a cloud application environment? Will we outsource more of our information technology needs to a third-party service provider?
• How do we keep our staff up-to-date on the latest cyberthreats, and on trends that are unique to our environment?
• Who has organizational responsibility for managing our cyber risk?

A risk management and strategic planning model can help you develop robust and useful answers to these and other questions. One that I recommend for its user-friendliness is ISACA’s Business Model for Information Security (go.nboa.org/2qSwa66). This model helps organizations prioritize data protection activities and ensure that their plan focuses on the most important threats. A planning committee, for instance, might use it to identify the pros and cons of different security options and the effect of changes on end users.

Cyberthreats affect the entire range of functions within an organization, and cybersecurity is a team sport. Do not rely solely on your IT department when evaluating cybersecurity risks. A more effective, integrated approach includes the head of school, trustees, business officer and facilities director along with the IT director. We often offer schools up to four solutions to a problem, none of them black and white. Whoever is evaluating these options must understand the end users. Moreover, those end users must understand any changes to existing processes and systems to avoid help desk tickets, headaches and especially data breaches — all outcomes with direct costs.

Mandated Reporting Laws
Be aware of new and changing regulations that impact data security. Legislators regularly debate changes to FERPA and the Child Internet Protection Act. Less well-known to schools are state security breach notification laws, which require organizations with a threshold of records, usually around 500, to notify affected parties in regulated ways if they experience a data breach. Forty-eight states and three territories have these laws.

Bob Olsen is CEO of Compass Cyber Security, which provides a variety of services to protect the data of independent schools and other organizations. compasscyber.com

MORE ON NETASSETS.ORG
Case Study: a School’s Last Phishing Trip go.nboa.org/2pkLyYW
Your Money or Your Data go.nboa.org/2pzGzQp
Greetings from Kazakhstan go.nboa.org/2q3yx4N

JULY/AUGUST 2017
NETASSETS.ORG