In March the COVID-19 novel coronavirus changed the way we all work, play, shop and interact. It also drastically changed the cybersecurity environment, as our network perimeter moved from being mostly inside our schools’ LAN and WAN to existing everywhere, in staff and students’ homes. ECNO will continue to pursue and collaborate on solutions to keep you and your board’s security effective and efficient.
ECNO’s Security Corner – with Steve Payne, RISA for Eastern Ontario
Identity is the New Security Perimeter
Short of full tunnelling over VPN, districts are not able to control what comes into and goes out of our staff and students’ networks. So if employees are fooled by a well-crafted phishing email and click on the link, then where our security controls would typically prohibit access to the malicious website, users are instead able to load the pages and possibly give away their board user credentials or other sensitive information.
To add to this, staff and students are storing more sensitive data in cloud storage such as OneDrive or Google Drive, so that these documents are accessible outside the confines of the network and convenient to work on while working and learning from home.
That is why protecting user identities and credentials needs to be an immediate focus for board IT security staff. That means making sure we are checking on and following up with accounts that exhibit any suspicious activity, and being diligent in using the tools our SaaS providers have given us in Office 365 and G Suite Security to check for user accounts that are logging in from outside of Canada or are flagged for impossible travel. Also, we should be working towards the implementation of Multi-Factor Authentication (MFA) on user accounts that could do the most damage to our board. IT technical administrative accounts should always require MFA. School Board Officials, Principals, Vice Principals and Secretaries should all be given guidance on how to enable MFA on their board accounts and why keeping their username and password protected is important.
By having our users be diligent in protecting their own board accounts, we are helping to protect the entire organization. As the saying goes: Hackers don’t typically have to break in anymore, they log in.
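The two sign-in checks mentioned above (logins from outside Canada and impossible travel) can be sketched over exported sign-in records as follows. This is an added example, not code from ECNO or from either SaaS provider. The record layout, the 900 km/h speed threshold, the 50 km minimum distance and the sample sign-ins are all assumptions constructed for illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900  # assumed threshold: roughly airliner cruising speed
MIN_KM = 50    # assumed floor: ignore small geo-IP jitter

# Constructed sample sign-ins (not real data): user, UTC time, country, lat, lon
SIGNINS = [
    ("principal@board.example", "2020-05-04T13:00:00", "CA", 45.42, -75.70),  # Ottawa
    ("principal@board.example", "2020-05-04T14:30:00", "CA", 43.65, -79.38),  # Toronto
    ("secretary@board.example", "2020-05-04T12:00:00", "CA", 44.23, -76.49),  # Kingston
    ("secretary@board.example", "2020-05-04T13:00:00", "NL", 52.37, 4.90),    # Amsterdam
]

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (haversine formula)."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def review(signins, home_country="CA", max_kmh=MAX_KMH):
    """Return (user, reason, timestamp) findings that need follow-up."""
    findings, last = [], {}
    # ISO 8601 timestamps sort correctly as strings, so this orders per user by time.
    for user, ts, country, lat, lon in sorted(signins, key=lambda r: (r[0], r[1])):
        when = datetime.fromisoformat(ts)
        if country != home_country:
            findings.append((user, "outside-" + home_country, ts))
        if user in last:
            prev_when, prev_lat, prev_lon = last[user]
            hours = (when - prev_when).total_seconds() / 3600
            dist = km_between(prev_lat, prev_lon, lat, lon)
            # Simultaneous sign-ins far apart are also impossible; avoid dividing by zero.
            if dist > MIN_KM and (hours == 0 or dist / hours > max_kmh):
                findings.append((user, "impossible-travel", ts))
        last[user] = (when, lat, lon)
    return findings

if __name__ == "__main__":
    for finding in review(SIGNINS):
        print(finding)
```

Geo-IP locations are approximate, and VPN or mobile-carrier egress points can trigger the travel rule, so findings are accounts to follow up with rather than confirmed compromises.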
The VASP (Vetting for Application Security and Privacy) Project
The OASBO Joint ICT-PIM Working Group has established and tested a process for conducting security and privacy risk assessments on educational web applications. In collaboration with ECNO, we are moving forward with our plans to conduct security and privacy risk assessments centrally for the benefit of all boards. The outcome of each assessment includes a list of risk mitigation strategies that boards and schools can implement in order to use the application safely.
Please consult with your board’s Program and Special Education leads as well as Procurement to identify the top priorities for review in your board. We will collate data from all boards and create one list of prioritized apps to work through the review process.
Please note, we are also looking for volunteers to assist in the review of applications! Shadow the experts as you gain skills during the review process. This is a great opportunity to build expertise in your board. Scheduling is flexible; your commitment can be as little as a couple of hours per week. We need people with Privacy, Security, or Risk Management expertise. If you are interested or want to learn more, leave your contact information at the bottom of the survey form, or submit your name, school board name, email address and area of expertise to Wayne Toms via email. We will be following up with further details in June regarding expanding this as an ECNO Shared Service for the 2020/21 school year.