Key points:
School cybersecurity audits don’t have to be stressful. If you know what to expect, you can be well prepared and set yourself up for future success. The effort put into the first audit will also pay dividends in the future–once the first audit has been completed, subsequent audits are much easier. You’ll be able to recycle information and make slight adjustments for any systems or processes that have changed in the last year. Most importantly, successful cybersecurity audits allow a school to obtain cybersecurity insurance–a growing need, and one that could be mandatory in the future.
So, what exactly are auditors looking for? There are usually a few overarching things they scrutinize: multi-factor authentication (MFA), secure backups, vulnerability/endpoint protection, and cybersecurity awareness training.
The auditor will provide a list of questions and related sub-questions, and will likely include these inquiries:
New School Safety Resources
- Is your school running anti-virus on your computers, and does it provide advanced vulnerability protection and detection? Are similar protections on your email server?
- Are your backups ‘air-gapped’–do they exist separate from your production environment or in the cloud? This is critical for ransomware protection.
- Is MFA turned on everywhere it makes sense to? MFA can stop most hackers, especially in the event of compromised passwords.
- Are you training your teaching staff and employees in good cyber hygiene? The human element is the weakest link in the security chain, so keeping folks aware of the threats and what they look like is paramount to good security.
Expanding on these core questions, likely additional questions include those about specific technology. For example, what kind of Wi-Fi authentication is used? Do you use an identity management platform or RADIUS server? How secure is your VPN setup? Does VPN use MFA? What kind of MFA is used for VPN? Who has physical access to servers and backups? Do you have a backup and data recovery plan? How often do you test your backups?
When the auditor evaluates your school’s cybersecurity awareness training, they will often ask both for the cadence or frequency of these training sessions, including if they are mandatory for all employees or staff. Usually, the expectation is that trainings are held at least once a year with all employees required to attend, but more frequent trainings are always better. Sometimes schools schedule these cybersecurity trainings alongside harassment training. Depending on your school’s culture, it may be better to conduct the training via webinars to enable the full school staff to conveniently participate and ask questions to help reinforce the material.
Almost all these cybersecurity audit questions can be addressed with a simple explanation alongside a photograph, screenshot, or an official document showing procedures, policy, or proof of training. In addition, responses can include logs from your backup device detailing successful backups and/or recovery. You can attach your backup recovery or continuity plan alongside the audit as well. If you have additional evidence to prove a question on the audit, add it in.
Be advised, however–every auditor is different, and every audit sheet will ask questions differently. In some instances, questions may be worded strangely or open to some interpretation. In these situations, don’t fret–simply answer and provide evidence the best you can, and the auditors will let you know if more clarity or detail is required.
An audit can become quite difficult if your current IT staff is less technically inclined, or if they simply lack documentation and knowledge to explain how current systems work. It’s not unusual for things to get lost along the way, especially if your IT department has changed hands a few times. If you know this is the case, then you may want to start preparing your IT team ahead of an audit. You can even use this article as a practice test–talk to your team, ask these questions, and discuss where there may be blind spots. If you can get out ahead of these issues, you’ll have a much easier time when the real audit comes.
After the first cybersecurity audit has been completed successfully by your school IT team, it provides a template for your next one. Keep this as a ‘living’ document and ask your IT staff to update it accordingly if anything changes. Changed your MFA for VPN? Maybe you put in more robust identity management for Wi-Fi access? Whatever the case, update your audit document to show this, and when the next audit comes around, you (or your IT team) can kick back, relax, and send it off to the auditors. Most importantly, a cybersecurity audit can help provide assurance that your school IT environment is secure and understood by your IT staff–and should the absolute worst happen, your cybersecurity insurance can help take care of the rest.
