K-12 school districts put various security measures in place—from anti-malware to documentation—to protect their networks and applications from outside attacks. But what many don’t know is how effective these measures are, particularly as cyber attacks and vulnerabilities are constantly evolving.
To address this crucial point, districts should conduct cybersecurity audits, which measure and document the value of their security controls and processes. The audit process looks at the performance of the controls, the accuracy of documentation, and cyber attack event reports.
The rigor and complexity of an audit depend on the size of the district and its cybersecurity program. An audit also helps a district demonstrate compliance with cybersecurity regulations, standards, and frameworks, and audit reports can showcase a school district's commitment to cybersecurity and compliance.
But before getting to an audit, an organization needs to properly prepare for it. So, let’s dive into the crucial steps to take before a cybersecurity audit.
Determine the scope and type of audit
The scope of the audit refers to the areas of the school that will be examined during the audit. For example, the audit may focus on the school's network security, its security policies and procedures, or its compliance with industry standards. The goals of the audit then depend on what the organization hopes to achieve. Some organizations conduct audits to identify vulnerabilities in their systems (76% according to a recent Deloitte study), while others also want to assess the effectiveness of their cybersecurity policies, compliance, and procedures (83%).
There are two key audit types. A first-party audit is conducted by the school's own IT department, using standards set out by ISACA or a similar organization; a third-party audit is conducted by an outside auditor. For a first-party audit, management should consider the degree of independence the IT department can have while performing the audit.
The decision to hire a third-party auditor or conduct the audit internally will depend on several factors, including the school's resources and expertise. Internal audits may save money but require significant expertise, time, and resources. Hiring a third-party auditor ensures that professionals with cybersecurity expertise conduct the audit and objectively evaluate the organization's cybersecurity posture. When using an outside auditor, it is vital to check that the firm has the proper credentials and expertise in IT auditing, particularly as it relates to cybersecurity.
Organize your security policy
A robust information security policy is essential for any school, particularly regarding audit preparation. It outlines security controls that are put in place to keep data secure, and lays out the responsibilities of each employee regarding the handling of sensitive data. It should be made clear to all staff members so that they are aware of their ethical and legal obligations when managing data.
Generally, the policy should focus on three key aspects: confidentiality, integrity and availability. It defines who is authorized to access data, how to keep it complete and accurate, and under what conditions it can be accessed. Additionally, the policy should classify data into categories such as high risk, confidential and public.
A knowledgeable auditor may also want to review the information security policy, and ask questions about cybersecurity threats. To ensure that everyone is prepared, ongoing education should be provided to employees on threat management and data privacy.
Consult compliance standards
Most organizations must adhere to one or more compliance standards such as PCI DSS, HIPAA, and GDPR. To ensure an effective cybersecurity compliance audit, it is essential to review the requirements of the applicable standards and communicate them to the audit and compliance team.
This allows the auditor to adjust the assessment criteria to best suit the business needs. Without this information, the auditor may have to guess which standards apply, or make generalized suggestions without regard to regulatory compliance. By educating yourself on the requirements, you can work collaboratively with the audit team and ensure the recommendations are sensible.
Communicate to all necessary stakeholders
Stakeholder involvement is critical to the success of a cybersecurity audit. A report by the Information Systems Audit and Control Association (ISACA) recommends involving senior management, business process owners, and IT staff in the audit process to ensure a comprehensive evaluation of the school's cybersecurity posture.
It's essential to communicate with necessary stakeholders, such as district leadership and the business office, about the upcoming audit. An audit might disrupt normal operations, so stakeholders should be made aware of the potential disruptions. Additionally, involving stakeholders at relevant points of the audit can provide buy-in for the results and any action items that may arise. Stakeholders can help prioritize fixes and provide input on how to implement changes to strengthen cybersecurity measures.
Prepare for the upcoming responses
Finally, when conducting a cybersecurity audit of your school, it's important to ask the auditor to alert you to any significant issues as soon as possible. This will allow you to start remediating any flaws before the end of the audit instead of being surprised by them. Be sure to take any alerts from the auditor seriously and ask for suggestions on how to fix them. The auditor may know of cybersecurity tools and quick fixes that can be put in place right away. However, they may prefer to finish the full audit before making any suggestions, to ensure they are recommending the most comprehensive solution.
About the author
Charlie Sander is CEO of ManagedMethods, a Boulder, Colorado-based data security and student safety platform for K-12 schools. With more than three decades of experience in the IT industry, Charlie has been an executive at some of the fastest-growing companies in business. He holds 10 patents and graduated from the Cockrell School of Engineering at the University of Texas at Austin with a BSEE degree.