Cybersecurity Toolkit
In today's digital age, safeguarding your district’s data and infrastructure is more critical than ever. This toolkit provides essential guidelines, free tools, resources, and templates to help you enhance your cybersecurity. Whether you're looking to improve basic cyber hygiene, develop an incident response plan, or educate your staff on the latest threats, our toolkit offers practical solutions tailored to your needs. Empower your team with the knowledge and resources to protect your community's digital assets effectively.
BEST PRACTICES
Password policies are critical to preventing unauthorized logins to your systems and the cyber incidents that follow. We ask that members have a password rotation policy of one year.
Exceptions can be made for members who employ the higher-level password policies listed on the application.
Administrative rights on a computer refer to a user's ability to make fundamental changes to the computer's operating system or to download and install software that could change critical settings on the computer. When a profile is installed on a computer, there will be a point where that user can be designated as an 'administrator'. We ask that members grant administrative access to member computers only to select individuals whose duties might include maintaining the member's information infrastructure. This will help keep 'normal' users from accidentally clicking a bad link and inadvertently allowing malware to be automatically installed.
Member data should be backed up to an off-site server. This will allow the member to restore systems, data and settings in the event of a malware or ransomware attack. These backups should be tested on a regular basis to ensure the member's ability to get back to some semblance of normalcy after an incident.
Your district should have a written cyber incident response plan, so employees have a guide to help them respond to and recover from a cyber incident. Templates can be found on the SDAO website.
Your district should implement multi-factor authentication (MFA) on logins. MFA refers to a login requirement where the user enters a password and is then required to enter a code provided to them through text, email, security fob or an authenticator app such as Microsoft Authenticator. MFA may also refer to biometric identification such as a fingerprint or facial recognition.
Endpoint protection software refers to software that continually monitors all computers and terminal servers for potential malware and security breaches and alerts the organization. This is not the same as anti-virus software. Providers of endpoint protection (also referred to as EDR or XDR) include, but are not limited to, Carbon Black, CrowdStrike, and Cisco.
Organizations often overlook installing critical security patches for their operating systems and business applications. These patches are issued when the developer identifies a weakness that could easily be exploited by hackers. It is important to stay up to date with these patches. We are asking members to include in their policies and procedures a process to identify when these patches are made available and to install them accordingly.
Now that your district is completing daily data backups, it’s time to start testing their recovery. During several claims, we have found that even though a district had been backing up its data, it had never tested its ability to restore those backups or whether those backups were still recoverable. When their systems were encrypted by ransomware, these districts discovered that they couldn’t get to their backups. This makes the claim much more costly and extends the downtime experienced by those districts. So, with this requirement, we’re asking your district to test the recovery of your backups to ensure you are able to restore from those backups should your data become encrypted. This should be done at least annually.
Cybersecurity for vendors is a critical aspect of securing supply chains and minimizing the risk of a breach caused by third-party access. Vendors often have access to sensitive data, systems, or networks, making them a potential vulnerability.
RESOURCES
- Federal Trade Commission - https://www.ftc.gov/business-guidance/small-businesses/cybersecurity/vendor-security