With the understanding that many school districts lack the resources to realistically meet every single cybersecurity best practice, the ISAC group K12 SIX has released its own set of pragmatic infosec standards for the education sector — with each security measure divided into four distinct levels of implementation.
The scale ranges from at-risk to baseline to good to better. Districts are encouraged to at least reach baseline levels of implementation for each standard, but would improve their cyber posture even further by graduating to good or better.
Originally released in August, the K12 SIX Essential Cybersecurity Protections for 2021-2022 consist of 12 cybersecurity controls grouped into four categories. The dozen measures are: filter out malware; reduce risk of email scams; block malicious documents; limit exposed services such as RDP; restrict admin access; apply endpoint protection; protect user logins; improve password management; prevent virtual class invasions; install security updates; back up critical systems; and manage sensitive data.
On Thursday, Sept. 2, K12 SIX released additional details on these controls, including how the four-level implementation rubric applies to each of them.
For instance, in regards to preventing email scams, school districts would be considered at risk if their web and spam filtering was suppressed or enabled, and they would reach baseline level by enabling it. But they can advance further to a “good” level if the IT team takes action to purge phishes and send notices when phishing attacks are discovered, and they can reach “better” if SPF, DKIM and DMARC are configured and if staff members receive anti-phishing training and testing on a recurring basis.
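The "better" tier above hinges on SPF, DKIM and DMARC actually being published for the district's sending domain. The following checker is an added example, not part of the K12 SIX standards or of this article: it parses SPF and DMARC TXT records the way a self-assessment script would, flags the weak settings a practitioner would want to catch (an SPF record ending in `+all`, a DMARC policy of `p=none`, no DKIM selectors), and reports whether all three mechanisms are present. The sample records and the domain names are constructed, the DNS lookups are stubbed out with a dictionary, and the pass criteria are this example's own, not the rubric's.

```python
"""Check SPF, DKIM and DMARC records for the email-authentication part of the
'reduce risk of email scams' control.  Added example; the thresholds used
here are the example's own assumptions, not K12 SIX's published rubric."""

# Constructed sample records standing in for what DNS TXT lookups would return.
# In a real assessment these would come from a resolver (e.g. dnspython).
SAMPLE_RECORDS = {
    "example-district.test": {
        "spf": "v=spf1 include:_spf.google.com ip4:203.0.113.10 -all",
        "dmarc": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example-district.test; pct=100",
        "dkim_selectors": ["google"],
    },
    "weak-district.test": {
        "spf": "v=spf1 include:_spf.google.com +all",
        "dmarc": "v=DMARC1; p=none",
        "dkim_selectors": [],
    },
    "no-auth-district.test": {"spf": None, "dmarc": None, "dkim_selectors": []},
}


def parse_spf(record):
    """Return {'mechanisms': [...], 'all': qualifier} or None if not an SPF record."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    mechanisms, all_qual = [], None
    for term in record.split()[1:]:
        # A missing qualifier means '+' (pass) per RFC 7208.
        qual = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?").lower()
        if body == "all":
            all_qual = qual
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qual}


def parse_dmarc(record):
    """Return a dict of DMARC tag/value pairs or None if not a DMARC record."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(spf, dmarc, dkim_selectors):
    """Return (all_three_present, findings).

    all_three_present is True only when SPF, DMARC and at least one DKIM
    selector exist; findings lists weak settings even when records exist.
    """
    findings = []
    spf_rec = parse_spf(spf)
    if spf_rec is None:
        findings.append("SPF: no v=spf1 record published")
    elif spf_rec["all"] is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    elif spf_rec["all"] == "+":
        findings.append("SPF: '+all' authorises every sender and defeats the check")

    dmarc_rec = parse_dmarc(dmarc)
    if dmarc_rec is None:
        findings.append("DMARC: no v=DMARC1 record published")
    else:
        policy = dmarc_rec.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: policy 'p={policy or 'missing'}' does not act on failures")
        if "rua" not in dmarc_rec:
            findings.append("DMARC: no rua= address, so aggregate reports are not collected")

    if not dkim_selectors:
        findings.append("DKIM: no selector records found, so outbound mail is not signed")

    present = spf_rec is not None and dmarc_rec is not None and bool(dkim_selectors)
    return present, findings


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        present, findings = assess_domain(**records)
        print(f"{domain}: SPF+DKIM+DMARC present={present}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the constructed records, the first domain comes back clean, the second has all three record types only partly in place and shows why "present" is not the same as "effective" (an SPF `+all` and a DMARC `p=none` let spoofed mail through unchanged), and the third has nothing published at all.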
For each security measure, the K12 standards document also indicates whether taking that action would have a low, medium or high impact on the user, and a low, medium or high cost of implementation. The document also maps each action to both the NIST Cyber Security Framework (v1.1) and the Center for Internet Security Controls (v8).
K12 SIX on Thursday held a webcast detailing the latest advancements in its standards initiative. Future developments are expected to include a free online cybersecurity self-assessment tool that will be aligned to the organization’s standards of practice, as well as communication templates that school district IT leaders can use to help convey their security needs to the school board and superintendent.
“School districts face an enormous challenge right now. They have undergone a digital transformation on shoestring budgets,” said K12 SIX National Director Doug Levin, in a press release. “In response to the increased cybersecurity risks this has introduced, K12 SIX has developed guidance to help K12 leadership and IT teams determine where they need to spend their limited time, technology, and financial resources.”
“What if every school district IT leader could be handed a simple, actionable, and vendor neutral checklist to help improve their cybersecurity defenses?” said Seattle Public Schools CISO April Mardock, also in the release. “It's here. Help spread the word,” she added.