- Do you use MFA for remote access by employees? Yes
- Do you have MFA in place for remote access by third parties? Yes
- Can your users access email through a web application or a non-corporate device? If yes, do you have MFA set up for that? Yes and Yes
- Do you use MFA to secure all cloud provider services that you utilize? Yes
- Do you allow remote access to your network? If yes, do you use MFA to secure all remote access to your network , including any remote desktop protocol connections? Yes and Yes
- Who is your MFA provider, type and does the configuration ensure that the compromise of a single device will only compromise a single authenticator? Microsoft, Push-Based authentication and Yes
- Does the insured require the use of MFA for administrative accounts? Yes
- Identify changes in the entity and its environment that could result in new risks: MFA has been enabled for all FCS employees. A formal software/hardware approval process is under consideration.
- Are regular cybersecurity assessments of your system performed by third parties? Yes 0- yearly at least
- What type of assessments are carried out? Vulnerability scanning, penetration testing or red teaming, external threat risk assessments, asset management risk assessments, process assessments
- Do you currently have cyber liability insurance coverage? Yes, with Hiscox, limit of $1,000,000 and retention of $5,000
- Please provide 2020 cybersecurity accomplishments and any 2021 planned cybersecurity goals: We completed a thorough audit- by department- and began implementing changes to operations manuals, procedure lists, and district policies. We also started applying MFA to all FCS personnel. For 2021, we have formed a Cybersecurity Committee- complete with members of the Superintendent’s Cabinet- to oversee, support, and guide the district’s cybersecurity plan. We will have all FCS staff on MFA by the end of May 2021. We will also complete ?NIST Cyber Security Framework for the district.
- Do you use antivirus software on all computers and networks? Yes
- Do you do regular updating and patching of critical systems and software? Monthly
- Are Firewalls in place that scan both encrypted and unencrypted data to restrict network traffic? Yes, at perimeter
- How often do you back up all your critical data and systems? Depending on the change rate- could be hourly for some, others may be daily but no less frequent than daily. It is disconnected from our systems and rested regularly
- Is network security managed? Yes, in house
- How frequently do you install critical and high severity patches across your enterprise? 1-3 days
- Do you have any end of life or end of support software? If yes, is it segregated from the rest of your network? Yes and Yes
- Do you have a protective DNS service (PDNS)? If yes, provide the name of your DNs provider: Yes, Windows Defender ATP
- Do you utilize a Security Operations Center (SOC)? If yes, is yours SOC monitored 24/7? Is it monitored internally or outsourced? Yes. Not human based but the software in monitoring and alerting 24/7. Internally.
- Do you use a vulnerability management tool? If yes, who is the provider? What is your patching cadence? Yes. Nessus/Tenable. 8-30 days
- please discuss your network segmentation practices: The network is separated into trusted and untrusted zones. Those zones can be further broken down. Our datacenters are on their own zones, with traffic having to pass through the firewall for ingress and egress. New servers have been migrated to a zero-trust model. Guest devices are on an untrusted model, with only filtered access to the internet being available. We also apply different firewall rules to staff and students
- Are you working with 3rd party vendors to conduct internal scanning to maintain accurate inventory or software/hardware/apps on network? Yes
- Are you working with a 3rd party vendor for vulnerability scanning and patching? Yes
- Is dark web monitoring (cyber monitoring) surveillance utilized? Yes, via FortifyData
- How often are penetration tests done? Every other year
- Please discuss your patch management philosophy. Are critical patches installed within 30 days or less? We have a monthly patching routine of servers and clients. Network devices are updated semi-annually, or whenever a critical patch is released- whichever comes first.
- Is there a data classification/data loss prevention program in place? Partially. We have engaged a 3rd party security firm to develop a plan to design a data classification system but have not yet implemented it.
- Please advise to the number of data centers and discuss your data segregation efforts. We have 2 hot business-continuity centers, and a cold tertiary datacenter should the primary centers be unavailable
- Networking hardware: Authentication to Networking hardware is physically secured by locked doors. Logical access is controlled via ACLs and AAA RADIUS against Active Directory Groups. Only IT staff have logical access to the hardware. We have engaged a vendor to undertake both internal and external penetration tests, including social engineering attacks. We have also formed a position that is responsible for evaluating the current security posture of the district and for planning the future IT security roadmap. The IT department has aligned its procurement strategy with the recommendations of the National Institute of Standards in Technology (NIST). Guest users, and district users with personal devices, have access to a logically segmented Wi-Fi network that does not require registration or onboarding, but has no access to internal resources. Trusted Wi-Fi networks are secured with WPA2 and certificate-based processes. The district uses a pair of next-generation Palo Alto 7080 firewalls, nominally examining north-south data flows as well as east-west traffic. The Internet is provided via three, disparate ISPs. Formal penetrations test is conducted bi-annually (most recently in 2021), with ad hoc checks conducted weekly. Guest Wi-Fi is offered and is completely untrusted and isolated from trusted traffic. Employees can only utilize the trusted Wi-Fi network by using FCS-issued and FCS-managed devices. All personal devices must use the untrusted network.
- Do you use a data backup solution? Yes
- Describe your data backup solution: Backups are typically kept locally but separate from the network
- Are backs up encrypted? Yes
- Immutable backups? Yes
- Backups secured with different access credentials from other administrator credentials? Yes
- Do you utilize MFA for both internal and external access to your backup? Yes
- Have you tested the successful restoration and recovery of key server configurations and data from backups in the last 6 months? Yes
- Can you test the integrity of backups prior to restoration to ensure that they are free of malware? Yes
- How frequently are backups run? Daily
- What is the estimated amount of time it will take to restore essential functions using backups in the event of a widespread malware or ransomware attack within your network? 0-24 hours
- Multiple/offsite backups: “As part of your data back-up strategy, do you maintain at least 3 separate copies of your data stored in different geographic locations? (Production, Local Copies, and offsite storage).”: Yes- the two hot datacenters have copies of each other, with the tertiary center having a full copy of both.
- If you have a back-up of all your critical data and systems, does that include an offline copy? If yes, how old is the back up? FCS Classified Information
- Do you utilize cloud back-ups? If yes, are the cloud back-ups secured via two-factor authentication or other similar means? FCS Classified Information
- Please detail any other controls you have in place to protect your back-ups from a ransomware attack. FCS Classified Information
- Please detail any other controls you have in place to protect your back-ups from a ransomware attack. FCS Classified Information
- Do you tag external emails to alert employees that the message originated from outside the organization? Yes
- Do you pre-screen emails for potentially malicious attachments and links? Yes
- Who is your email security provider? Office 365
- Do you have the capability to automatically detonate and evaluate attachments in a sandbox to determine if they are malicious prior to delivery to the end-user? Yes
- Have you implemented anything to protect against phishing? Send Policy Framework
- Do any employees at your company compete social engineering training? And does that training include phishing simulation? Employees with financial or accounting responsibilities, employees without financial or account responsibilities. Yes
- Are you working with a 3rd party vendor for simulated phishing campaigns? Yes
- Is phishing awareness training disseminated to all employees? How frequently is this training offered? Training is currently ad hoc but will be integrated into all beginning-of-the-year training regimes
- Please describe any controls related to email transmissions: Are external emails encrypted (By policy or automatically)? No- not encrypted
- Are emails marked “External” when coming from an outside course? Yes they are marked
- Website, email, etc.: The primary website is authenticated against Active Directory. The roles for changes to the website are maintained by Schoolwires and managed by the Communications and Community Engagement department. Email is hosted on cloud-based Office 365 and protected by Advanced Threat Protection.
- If you use Office 365 do you have the Office 365 Advanced Threat protection add-on? Yes
- What sensitive client information do you hold? Social Security numbers, driver’s license numbers, birth dates
- Is your sensitive information encrypted? Yes
- Who is responsible for the privacy and information security within your organization? Head of IT: Curt Godwin 770-887-2461 ext. 205561 Cgodwin@forsyth.k12.ga.us
- What kind of training do you provide in privacy and security? Privacy training, cyber awareness training and phishing attack training
- Do you screen potential employees? (Background, drug, criminal, credit, etc.)? Yes
- Password policy: Requires strong passwords
- Employee access to systems and data: Limited to only what they need to do their job and is cut when employees leave the organization
- Do you have a Business Continuity or Disaster Recovery Place in place that covers cyber event scenarios? Yes and it is tested regularly
- Do you have a written incident response plan if Personally Identifiable Information is/may be compromised? FCS classified information
- Do you currently have technology liability insurance coverage? No
- Have any insurance claims been made against you? No
- Aware of any release, loss or disclosure of PII in your care, custody, or control during the last 3 years? No
- Are you aware of any known network intrusion or denial of service attack during the last 3 years? DDos attack last year was broadly directed at K-12 entities and not FCS in particular
- Have you or any of your predecessors in business, subsidiaries, affiliates or any of your principals, directors, officers, partners, professional employees or independent contractors ever been the subject of a regulatory action as a result of the handling sensitive date? No
- During the last 5 years have any claims been made or legal action brought against you or your executives, employees or contractors or any related entities for which coverage is desired or any predecessors in business, subsidiaries, affiliates or any principal, director, officer or employee? No
- How many IT personnel are on your team? 10 including the coordinator
- How many dedicated IT security personnel are on your team? 2
- Do you use a cloud provider to store data or host applications? Yes- Tyler Technology, Infinite Campus, Microsoft
- Do you encrypt all sensitive and confidential information stored on your organization’s systems and networks? Yes
- Do you use a next-generation antivirus product to protect all endpoints across your enterprise? If yes who is the provider? Yes- Microsoft
- Do you use an endpoint detection and response (EDR) tool that includes centralized monitoring and logging of all endpoint activity across your enterprise? Who is the provider? Yes- Windows Defender Endpoint
- Do you enforce application whitelisting/ blacklisting? No
- Is EDR deployed on 100% endpoints? Yes
- Can users access the network with their own devices? No
- Do you manage privileged accounts using privileged account management software (PAM)? If yes who is the provider and is it protected by MFA? Yes. Idenitity Automation. Yes
- Do you actively monitor all administrator access for unusual behavior patterns? If yes who is the provider? Yes. Cloud App Security
- Do you roll out a hardened baseline configuration across servers, laptops, desktops and managed mobile devices? Yes
- Do you record and track all software and hardware assets deployed across your organization? If yes, what’s the name of the tool used for this purpose? Yes. Stratusphere
- Do non-IT users have local administration rights on their laptop/ desktop? No
- Can users run Microsoft Office Macro enabled documents on their system by default? No
- Do you implement PowerShell best practices as outlined in the Environment Recommendations by Microsoft? FCS Classified Information
- Do you utilize a security Information and event Management system? Yes
- Does your organization send and/or receive wire transfers? If yes then is it in documentation form, a protocol for obtaining proper written authorization for wire transfers, a separation of authority protocol, a protocol for confirming all payment or funds transfer instructions/ requests from a new vendor, client or customer using only the telephone number provided was received? No
- In the last 3 years has the applicant or any other person or organization offered this insurance? FCS Classified Information
- Do you or any other person/ organization proposed for this insurance have knowledge of any security breach, privacy breach, privacy-related event or incident or allegations of breach of privacy that may give rise to a claim? FCS Classified Information
- In the past 3 years, has any service provider with access to the applicant’s network or computer systems sustained an unscheduled network outage or interruption lasting longer than 4 hours? FCS Classified Information
- Please provide your unique record count by type: Billions
- Please discuss your cloud strategy: Cloud service providers must sign privacy agreements with FCS. All student data must stay housed in US-based datacenters and may not be mined for information. We utilize cloud services if/when it proves to be higher-performing, less-expensive, more resilient, more secure, or any combination thereof, as compared to on-premises services
- Are you working with 3rd party vendors to conduct audits/assessments? Yes
- Do you have encryption at rest, in transit, and on portable media? All Cloud traffic is encrypted in-transit and at-rest. All internal traffic is encrypted in-transit as their protocol allows. Critical repositories are encrypted in-transit and at-rest.
- Is there a comprehensive access control program in place? Provide details (please also address Mandatory Access Control vs. Discretionary Access Control; Role Base vs Rule Based): Access is granted by role and is addressed by an automated account lifecycle management system, triggered by events in the HR (Human Resources) system
- What is in place to analyze patterns, trends relating to human behavior, specifically a user’s activity compared to his/her historic activity and the activity of the others in the same role? User behavior analysis is implemented within our Office 365 tenant. Off-nominal events trigger alerts, are kept in logs, and are investigated.
- What is the process for managing unstructured data? Unstructured data is stored in personal OneDrive shares or in on-perm SMB (Server Message Block) shares. Both are secured by access control lists (ACLs) that are automatically controlled by role, governed by the HR personnel system.
- Please discuss your Business Continuity Plan, Disaster Recovery Plan and Incident Response Plan. Have these plans been audited and tested within the past 12 months? Please discuss your RTOs. With two hot datacenters, we have real-time business continuity of both services and data transmission. We test datacenter failover once per year. The current plan focuses on restoration of core district services, with ancillary services following. In the event both hot datacenters are disabled, we have a tertiary data vault that can run core district services. Response time on the tertiary center is within two days.
- Please provide information regarding your vendor management practices/indemnification agreements with 3rd parties as it relates to cyber security? We require vendors who capture/receive student data to sign a terms of service agreement which focuses on contractual language terms and conditions as well as an entire exhibit (Pgs 5-8) containing the data sharing agreement. This covers data security, compliance with FERPA, COPPA and PPRA, transmission, ownership and use of data. We also require specific levels of insurance (pg 4) for General Commercial, Cyber Liability and Professional Liability. 4.8 Insurance: The following is the minimum insurance and limits that the Company must maintain. If the Company maintains higher limits than the minimums shown below, FCS requires and shall be entitled to the coverage and for the higher limits maintained by the Company. Any available insurance proceeds in excess of the specified minimum limits of insurance and coverage shall be available to FCS. Company shall maintain the following minimum insurance limits during the term of the Agreement: (a) $1 million Commercial General Liability; (b) $1 million Cyber Liability; and (c) $1 million Professional Liability coverage. 4.9 Limitation of Liability: Notwithstanding any other agreement or provision to the contrary in the Company Documents or this Agreement, Company shall remain liable under this Agreement for the greater of the contract amount or the applicable insurance coverage provided by Company under this Agreement.
- Confirmation that the applicant uses an endpoint detection tool: “Do you use an Endpoint Detection and Response (EDR) or a Next-Generation Antivirus (NGAV)?” All Windows and Mac clients are running Microsoft Defender with Advanced Threat Protection. Servers are protected by Cylance.
- Confirmation that the applicant does not use on-premises Microsoft (MSFT) Exchange, OR a vendor to host its email OR an IT managed Service Provider: We use Microsoft Office 365 for all email/collaboration
- Is the applicant a SolarWinds Orion customer / user? If yes, please confirm they are not running one of the following vulnerable versions of the software in their environment: 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1.: Yes, we are a SolarWinds customer. Server was taken offline after the national news information, patched, and then returned to service after collaboration with 3rd-party security firm.
- Do you collect, store, host, process, control, use or share any private or sensitive information? If yes please provide the approximate number of unique records: FCS Classified Information
- Do you collect, store, host, process, control, use or share any biometric information or data, such as fingerprints, voiceprints, facial, hand, iris or retinal scans, DNA, or any other biological, physical or behavioral characteristics that can be used to uniquely identify a person? If Yes have you reviewed your policies relating to the collection, storage and destruction of such information or data with a qualified attorney and confirmed compliance with applicable federal, state, local and foreign laws? FCS Classified Information
- Do you process, store or handle credit card transactions? If yes, are you PCI-DSS Compliant? FCS Classified Information
- Does your business involve gambling or cannabis or adult content? No
- Have you been involved in a merger, acquisition, structural change, or consolidation with another entity in the last 12 months? If yes please provide additional details. FCS Classified Information
- If you are owned by or have any controlling interest in another entity, please provide additional details. FCS Classified Information
- Do you obtain all necessary and proper rights when using content developed by third parties? FCS Classified Information
- Do you have a legal review of all content disseminated by you? FCS Classified Information
- Do you have Notice and Take Down procedures in place for addressing potentially libelous, infringing, or illegal content on the corporate websites? FCS Classified Information
- Do you obtain consent from individuals when collecting Personally Identifiable Information? FCS Classified Information
- Do you have procedures in place to ensure compliance with the Telephone Consumer Protection Act, anti-SPAM statues, and any other consumer protection act? FCS Classified Information
- Describe the principal employees and contractors tasked with overseeing the entity’s systems:
- CTIO: Mike Evans, Director of Technology Services
- Tim Fleming, Director of Student Information Systems
- Kathy Carpenter, Director of Instructional Technology
- Jason Naile, Network Operations Coordinator
- Curt Godwin, Network Operations Security Engineer
- Sean Fowler, Network Operations Cybersecurity Administrator
- Ben Wehunt
- The district also has a Cybersecurity Committee chaired by Mr. Fleming and Mr. Godwin and comprised of leadership from every district department and every school level.
- District staff charged with cyber oversight are expected to maintain industry certifications, participate in local, state and national peer groups
- Regular vulnerability tests are performed by outside vendors and updated weekly
- Describe the principal types of sensitive information created, collected, transmitted, used, or stored by the entity. (Consider: information protection based on law, private 3rd party information, trade secrets, corporate strategy and financial data) We don’t really have trade secrets, trademarks or copyrights. Hower we have student data, HR data and financial data. This also includes all the operation files and student assignments as well.
- Describe how information is made available
- Internally stored data is maintained on a vSAN cluster across two different datacenters. A third data center houses our backup system Cohesity. We host personal share drives on Microsoft OneDrive, which encrypts data both in-transit and at-rest. We utilize large monitors within the suite using vRealize Operation manager, PRTG and Netsight for monitoring servers and network uptimes as well as backup success failures. We have standard backup schedules though not all are used, they do exist.
- Continuous daily backups with a 7-14 day rotation retention
- Continuous daily backups with a 30 day rotation retention
- Continuous daily backups with a 30 day rotation retention
- Monthly backups witha a 12 month rotation retention
- Basic XL: Many during the day and retention
- Continuous backups every 6 hours with a 7-14 day rotation retention
- Standard XL
- Continuous backups every 6 hours with a 30 day rotation retention
- Advanced XL
- Continuous backups every 6 hours with a 30 day rotation retention
- Monthly backups with a 12 month rotation retention
- Describe how information is secured: Access to data is controlled via usernames and passwords and multi-factor authentication (MFA). Most of our systems will in some form (LDAP, Kerberos, SAML) be authenticated back against Active Directory. MUNIS uses its own authentications methodologies. External access to our system is protected using a Next Generation Firewall. We utilize DMZ where external access is required. SAML or LDAP is used for service providers to authenticate users requesting resources. Accounts are disabled immediately upon notification from HR as well as account activity is (logon stamp) is checked every six months. Vendor accounts when created are set with an expiration date that is as short as possible to complete the task. 802.1X NAC authentication is currently in use for authentication to secured wireless and wired networks (Wireless throughout the county, wired is mid deployment). Passwords are expired 180 days and are set for complexity and length of 16 characters. Our BYOT/BYOD implantation operates on a logically secured (ACL) preventing access into internal resources. Exemptions are (DNS, DHCP). Networking equipment (where possible) is in locked rooms. Our datacenters have card access as well as cameras. Our firewall is a Palo Alto 7080.
- Discuss information security risks identified by the entity: Student passwords are changing this school year for grades 6-12 with the implantation of Password Self Service. This will allow students to manage their password credentials and utilize password recovery options. We do have networking equipment contained in shared locations where locking is not easy or practical. In these situations, we are installing gated controlled access to the equipment area. Targeted phishing attempts (spear phishing) represent the current, greatest threat to our system as they exploit the weakest component of our infrastructure – the end user. This year, the district upgraded to the highest level of Microsoft Licensing available (A5) for academic institutions which provided access to a much more robust platform of security applications, including Advanced Threat Protection and Anti-phishing.
- Discuss information security incidents (if any) that have occurred at the entity: Targeted phishing attempts have been moderately successful in harvesting credentials of a small number of uses in the district. Crypto attacks have been successful in encrypting a limited number of files, but the files were easily retrievable from backups
- Describe written policies at the entity related to information security: The Board has approved an updated Policy and Procedure Manual. Info can be found at: https://cyber.forsythk12.org
- Describe active processes and procedures at the entity related to information security: Periodic logical and physical security audits are part of the normal workflow. We have engaged a vendor to undertake both internal and external penetration tests, including social engineering attacks. We have also formed a position that is responsible for evaluating the current security posture of the district and for planning the future IT security roadmap. The IT department has aligned its procurement strategy with the recommendations of the National Institute of Standards in Technology (NIST).
Describe technology systems used at the entity
- Employee Workstations: Staff are normally assigned a dedicated workstation either in the form of a laptop or desktop. Windows 10 is the operating system on most computers, though there is a limited number of MacOS-based computers. Computers are not encrypted as data resides on the servers and are accessed via programmatic interfaces. There are shared stations such as those used in POS locations.
- Accounting Systems: MUNIS is used at the district level and EPES is used at the school level for their local funding account(s)
- Payroll System: MUNIS is used at the district level
- Other databases: MsSQL Databases are secured using groups accounts that are authenticated against Active Directory where possible. Where required by regulation, databases are encrypted. The IT department manages the servers that host other databases but is not responsible for the data contained with those repositories. Additionally, the district may subscribe to cloud-hosted services that have back-end databases that do not fall within the IT department’s area of responsibility.
- Spreadsheets: Spreadsheets are normally maintained within personal shares or department shares that are secured using NTFS permissions based on group membership. The groups are granted Full, Modify, Read Only or Write Only depending on the requirements for the user.
- Shared fileservers: NTFS permissions based on group membership. The groups are granted Full, Modify, Read Only or Write Only depending on the requirements for the user. Requirements for access are determined by the department head. The district has more than 400 virtualized servers, of which one is dedicated for financial use. That information is encrypted in-transit and at-rest.