Diamond Student Information Systems (SIS) understands that in an increasingly digital age, it is critical that schools factor in and establish comprehensive cybersecurity practices. The U.S. Department of Education passed a new set of requirements in its Title IV Regulation 34 C.F.R. § 668.23(a) calling for Title IV schools to incorporate comprehensive data protection and management strategies into their annual budgets, otherwise risking the loss of title and funding. Diamond MSS Managed Cyber Security Services by Diamond SIS keep their security systems up to date and their clients informed about all possible threats and updates to their Cyber Security Services.
There are a variety of ways schools can not only comply with these requirements, but also take a proactive, rather than reactive, approach to cybersecurity, primarily through IT security assessments. The Privacy Technical Assistance Center (PTAC) recently released a comprehensive overview of IT security assessments (and other protocols) that not only covers the overall process and benefits of an IT security assessment but also provides concrete examples of what an assessment response plan looks like.
What is an IT security assessment?
Generally performed by third-party organizations or government agencies, an IT security assessment is a review of an organization’s information system to detect potential vulnerabilities that could be exploited. This includes system processes, data management procedures and policies, and overall security architectures.
Depending on the needs of an organization and its system, in terms of data sensitivity and prioritization, there may need to be routine IT systems assessments. Creating a comprehensive assessment response plan can streamline the assessment process and support a proactive approach to cybersecurity.
Why do schools need one?
Educational data systems are full of mission-critical information, including personal information about educators, students, and the institution, which may include financial and medical information, too. The use of mobile devices such as laptops, workstations, scanners, printers, mobile phones, tablets, etc. has created additional data access points or “nodes”, making educational institutions more vulnerable than ever.
IT systems assessments help educational institutions better identify potential gaps in data security, significantly decreasing the likelihood of an event. It is important not only to cooperate with assessors during an open assessment, but also to create a resilient plan to prepare for and, should the need arise, deal with events as they occur.
The Diamond Managed Security Services (DMSS) Approach
Diamond SIS provides seamless and comprehensive managed security services and assessments for educational organizations, successfully taking up the burden of compliance and establishing network-wide security through Diamond MSS. Leveraging over 15 years of experience, Diamond SIS is the first student information system provider to additionally offer an infrastructure security layer for its customers. With its security-first mindset, Diamond MSS offers unparalleled customer support and issue resolution, along with server and node monitoring services for optimized performance.
The Diamond MSS IT Security Assessment
A core aspect of the DMSS approach is its comprehensive IT security assessment, wherein Diamond SIS cybersecurity experts will not only identify potential risks, but also provide best practices and establish proactive policies moving forward.
- Threat Assessment – We use the DREAD threat rating system to accurately identify and evaluate each potential threat. This system focuses on Damage, Reproducibility, Exploitability, Affected Users, and Discoverability of a threat in order to improve the strength and resilience of client networks.
- Security Assessment – We test existing client network security by taking an inventory of authorized and unauthorized devices and software; secure the necessary hardware and software configurations; maintain, monitor, and analyze audit logs; and establish a variety of malware and boundary defenses across networks and devices.
- Remediation – We set up critical security controls to establish baselines, policies, discovered vulnerabilities, secure configurations for hardware and software systems, and provide continuous vulnerability assessment and remediation should an issue arise.
- Vigilance – Remediation is the beginning, not the end, of a strong cybersecurity program. We believe continuous monitoring, training, and authorized access to network nodes are key components. Many of these functions can be accomplished through trained onsite staff.
- Auditing – The Title IV Regulation 34 C.F.R. § 668.23(a)(2) includes, “An institution that participates in any Title IV, HEA program must at least annually have an independent auditor conduct a compliance audit of its administration of that program.” Each audit includes a cybersecurity assessment. Diamond MSS recommends semi-annual confidential cybersecurity assessments so when it's audit time you know you are on course. Title IV funding can be at risk if an audit is not included in the FY2018 report.