How One School District Enhances Cyber Hygiene with the CIS Controls
School districts face the unique challenge of protecting their students’ data from cyber threats such as ransomware and phishing. In New Hampshire, multiple regulations protect students’ data privacy, yet it can be challenging for technical administrators to turn those requirements into a compliance plan. The Hillsboro-Deering School District found a way to comply with the regulations and enhance its cyber defense program by leveraging the CIS Controls Implementation Groups (IGs) – prescriptive, prioritized guidance for cyber hygiene.
The challenge of prioritizing compliance
The State of New Hampshire Chief Information Security Officer indicated that the standard school districts must comply with would be a subset of NIST Special Publication 800-171, the framework for protecting controlled unclassified information in non-federal systems. SP 800-171 does not prescribe a format or a level of detail for system security plans, nor an order in which to implement its requirements. It can be hard for an organization, especially a small one with limited resources, to know where to start.
Fortunately for the Hillsboro-Deering School District, Neal Richardson joined as the Director of Technology in July 2018. Richardson brought years of experience applying the CIS Controls cybersecurity best practices. “Cybersecurity can be an overwhelming undertaking for organizations that lack the staff or knowledge. The CIS Controls take the guesswork out of what steps to implement,” Richardson says.
Richardson quickly realized that NIST Special Publication 800-171 maps to the CIS Controls, so that is where the journey began. The IGs take a horizontal look at the CIS Controls, at the Sub-Control level, to help organizations prioritize their implementation based on their resources and the sensitivity of the data they are responsible for protecting. Richardson says, “The IGs take an overwhelming list of controls and essentially turn them into a checklist that is very easy to understand.”
IG1 for basic cyber hygiene
Hillsboro-Deering School District has been working diligently to implement the CIS Controls IG1. In addition to being a strong starting point for building a security program, IG1 made sense for Richardson’s team as a fairly small district with about 300 total staff and 1,300 students. He also determined that they were working with limited documentation, transfer of knowledge, and staff resources – a perfect candidate for IG1. Richardson says, “I have found the CIS IGs to be very helpful when explaining to school officials and municipal leaders the steps or controls that need to be implemented to raise their security posture.”
By leveraging the 43 Sub-Controls that comprise IG1 (in CIS Controls v7.1), Richardson was able to take action in improving the school district’s basic cyber hygiene during 2019. Examples of those security actions include maintaining inventories of hardware and software assets, controlling the use of administrative privileges, and implementing data protections.
Maturing security with IG2 and IG3
The Hillsboro-Deering School District achieved a strong cybersecurity foundation with IG1’s 43 Sub-Controls. Richardson can now add more sophisticated actions for the district as warranted by extending to IG2 and IG3. The IGs are cumulative – IG2 includes everything in IG1, and IG3 includes everything in IG2 – so organizations can mature and grow their cyber hygiene step by step without abandoning the work already done.
“Organizations that are just starting to implement cybersecurity can use IG1 as the baseline,” Richardson explains. “It is a very achievable set of controls for anyone to implement. As the organization matures or is looking to ramp up their posture, IG2 and IG3 facilitate those next steps.”
On December 16, 2019, Richardson was recognized for his achievement, dedication, and professionalism with the SANS Difference Maker Award for successfully implementing the CIS Controls IG1, or basic cyber hygiene, across the district’s network and bringing the district into compliance with New Hampshire’s student privacy law. Richardson plans to continue building on IG1 and to identify the next set of CIS Sub-Controls to implement with the school district to heighten its cyber hygiene.
About Neal Richardson
Neal Richardson is the Director of Technology for the New Hampshire Hillsboro-Deering School District. He has earned a number of certifications – CISSP, GCCC, GMOB, GCIH, GCIA, and GSEC – and has over 15 years of experience in cybersecurity and emergency management volunteering.