If you’re a small to medium-sized higher ed institution with limited resources to address cybersecurity, Bestul & Associates LLC can help by providing a cost-effective service to identify key areas for improvement.
We start with a campus-led security “self-assessment” based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) that investigates the following areas.
Access Control – examine how access to information systems and data is granted, monitored, and revoked.
Asset Management & Monitoring – do you know where all your information assets are, who manages them, and how they are tracked? Are patches on critical systems up to date, and is there a procedure in place for ensuring currency?
Awareness & Training – the human factor remains the single most dangerous point of vulnerability in an information ecosystem. What are you doing to train your employees and students about cybersecurity, phishing, and maintaining good cybersecurity hygiene in daily operations?
Identification & Authentication – do you have solid policies and procedures in place for passwords, privileged access, and removal of access when employees leave?
Incident Management – how well prepared is your institution for a cybersecurity incident? Is there a plan in place and are key personnel identified who will be integral to managing the incident? Does your institution have a disaster recovery/business continuity plan, and is this plan tested with regular exercises?
Incident Response – how will your institution respond to a cybersecurity incident? Are there policies and procedures for reporting security (physical & cybersecurity) incidents? Is there a communications team and plan in place for response to various types of incidents?
Operations Security/Acceptable Use – does your institution have a policy in place for acceptable use of technology resources? How are you protecting confidentiality, intellectual property, and data privacy?
Personnel Security – does your institution have policies in place for managing security incidents caused by employees or students? Are you requiring your third-party providers (e.g., building system vendors, software vendors, network vendors, insurance providers, auxiliary services/vending machines) to comply with your security policies?
Physical Protection – are you adequately protecting your physical IT assets? Are visitors and vendors required to sign in and provided with an escort when entering secure areas of the campus? Are your technology air conditioning and fire alarm & suppression systems operational and tested?
Risk Assessment – does your institution have a formal risk assessment process? Is there an individual assigned to provide oversight to risk assessment? What procedures are in place to mitigate or remediate risk?
Software Development – does your institution develop its own software? What policies and procedures are in place to ensure that systems comply with basic audit controls, that test and production environments are separated, and that the software development team's access to production data is limited under a separation of duties?
System & Communications – does your institution have an up-to-date network map? Are you properly using firewalls to limit access between the public Internet and mission-critical systems? Are patches updated & maintained on all information systems, and is anti-virus software in place for all endpoints and servers on campus? Do you know where all your wireless access points are, and are rogue wireless systems identified and shut down?
After the self-assessment is completed and reviewed with Bestul & Associates LLC, we identify with you the top priorities for improvement where the greatest gain can be attained for the least investment. Often these improvements take the form of creation of new policies and procedures for managing third-party access, improving data privacy, and enhancing employee cybersecurity awareness.
For more information, or to schedule a free initial consultation, please contact Bestul & Associates LLC at email@example.com.