The following is the first in a series of blogs where 9ine explores how schools can implement technical and organisational changes to protect the confidentiality, integrity and availability of your information and information systems. We will be building upon each stage of the UK’s National Cyber Security Centre (NCSC) 10 Steps to Cyber Security, and in turn, provide our independent recommendations, examples and guidance.
In this first blog following the NCSC guidance, we look at risk management and how effective risk management will help your school prioritise the actions required to protect your data and network from exploitable vulnerabilities. By following an organisation-defined process or an available risk management framework, and by conducting regular risk assessments, you will be demonstrating compliance with data protection laws.
Why is Risk Management important?
Risk reduction, or where possible elimination, is the ultimate aim of a risk management programme. Without a risk management process or the use of a framework, organisations will mis-prioritise risks and assign funds and other resources based on gut feelings or other arbitrary means. A defined risk management framework uses time-proven (and consistent) methods to identify risks, assess their probability of occurrence and understand their impact on the organisation. The outcome of an effective risk management programme is a lower probability of security events happening, together with the knowledge and awareness of where your residual risks lie. This knowledge and understanding allow for proactive planning, meaning you can have a response ready for when an event does occur, reducing the impact of that event on your organisation and ultimately reducing the probability of a data compromise or breach.
What are the key benefits of maintaining and managing a risk log?
- Risk logs allow individual departments to capture and manage their risks.
- A central risk register of all risks enables identification and prioritisation of common issues.
- Prioritisation will lead to effective resource allocation managed across the whole school.
- Risk management will reduce your attack surface.
- Risk identification and management will feed into business continuity planning.
- Risk management will help forecast both financial and staff resource planning.
The risk register will provide a mechanism for evidencing to your school board/governors and regulatory authorities that you are actively identifying, managing and mitigating risks.
What are the main stages involved in risk management?
There are many risk management methodologies and frameworks available; it is our interpretation that they broadly follow the cycle below. Only by following a defined and documented policy, process and procedure can you demonstrate an effective risk management regime within your school.
- Identify - assess technical and operational systems and services for vulnerabilities to data and cyber breaches.
- Analyse & categorise - assess each risk against its likelihood, impact and severity, determining both the individual risk and combined risk to the school. Prioritise the vulnerabilities.
- Select controls - identify the appropriate security controls required to reduce the risk to an acceptable level. Security controls generally fall under one of the following measures: directive, deterrent, preventative, detective, compensating and corrective actions.
- Implement controls - assign a risk owner, actions owner(s), mitigating action(s), timescales to implement and review date.
- Monitor controls - monitor and assess the ongoing effectiveness of the security controls, ensuring that current technological and operational measures put in place are sufficient.
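To make the five-stage cycle concrete, the following is an added worked example (it is not 9ine's or the NCSC's code, and nothing on this page prescribes it). It models departmental risk logs merged into a central register, scores each risk by likelihood times impact, selects controls from the six categories listed above, tracks risk and action owners with due and review dates, and flags what the monitoring stage should pick up. The 1-to-5 scales, the severity bands, the idea that an implemented control lowers likelihood or impact by whole scale points, and the sample risks themselves are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class ControlType(Enum):
    """The six control categories named in the 'Select controls' step."""
    DIRECTIVE = "directive"
    DETERRENT = "deterrent"
    PREVENTATIVE = "preventative"
    DETECTIVE = "detective"
    COMPENSATING = "compensating"
    CORRECTIVE = "corrective"


@dataclass
class Control:
    name: str
    kind: ControlType
    action_owner: str          # 'actions owner' from the 'Implement controls' step
    due: date                  # timescale to implement
    likelihood_reduction: int = 0   # assumed model: whole scale points removed
    impact_reduction: int = 0
    implemented: bool = False


@dataclass
class Risk:
    ref: str
    department: str
    description: str
    risk_owner: str
    likelihood: int            # assumed 1 (rare) .. 5 (almost certain)
    impact: int                # assumed 1 (negligible) .. 5 (severe)
    review_date: date
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Individual risk before any controls: likelihood x impact (1..25)."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Score after controls that are actually in place; planned ones do not count."""
        done = [c for c in self.controls if c.implemented]
        lk = self.likelihood - sum(c.likelihood_reduction for c in done)
        im = self.impact - sum(c.impact_reduction for c in done)
        return max(1, lk) * max(1, im)


def severity(score: int) -> str:
    """Assumed banding of the 1..25 score into the register's severity labels."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def central_register(*department_logs: list) -> list:
    """Merge the individual department logs into one central register, keyed by ref."""
    merged = {}
    for log in department_logs:
        for risk in log:
            merged[risk.ref] = risk   # a later log entry with the same ref replaces the earlier one
    return list(merged.values())


def prioritise(register: list) -> list:
    """Highest residual risk first; ties broken by reference for a stable action plan."""
    return sorted(register, key=lambda r: (-r.residual_score(), r.ref))


def combined_score(register: list) -> int:
    """Combined residual risk to the school (sum of residual scores, an assumed aggregation)."""
    return sum(r.residual_score() for r in register)


def overdue(register: list, today: date) -> dict:
    """Monitoring stage: risks past their review date or with unimplemented controls past due."""
    findings = {}
    for r in register:
        reasons = []
        if r.review_date < today:
            reasons.append(f"review overdue ({r.review_date.isoformat()})")
        for c in r.controls:
            if not c.implemented and c.due < today:
                reasons.append(f"control '{c.name}' overdue ({c.due.isoformat()})")
        if reasons:
            findings[r.ref] = reasons
    return findings


# Constructed sample logs (not real school data).
IT_LOG = [
    Risk("R-IT-01", "IT", "Staff laptops missing security updates", "Head of IT", 4, 4,
         date(2024, 3, 1), controls=[
             Control("Patching policy", ControlType.DIRECTIVE, "Head of IT", date(2024, 1, 15), implemented=True),
             Control("Automated endpoint patching", ControlType.PREVENTATIVE, "Network manager",
                     date(2024, 2, 1), likelihood_reduction=2),
         ]),
    Risk("R-IT-02", "IT", "Backups never restore-tested", "Head of IT", 3, 5,
         date(2024, 6, 1), controls=[
             Control("Monthly restore test", ControlType.DETECTIVE, "Network manager",
                     date(2024, 1, 31), likelihood_reduction=1, impact_reduction=2, implemented=True),
         ]),
]
ADMISSIONS_LOG = [
    Risk("R-AD-01", "Admissions", "Pupil records sent by unencrypted email", "Registrar", 3, 4,
         date(2024, 9, 1), controls=[
             Control("Secure file transfer for records", ControlType.PREVENTATIVE, "Registrar",
                     date(2024, 2, 15), likelihood_reduction=2, implemented=True),
         ]),
]

if __name__ == "__main__":
    register = central_register(IT_LOG, ADMISSIONS_LOG)
    for r in prioritise(register):
        print(r.ref, r.inherent_score(), "->", r.residual_score(), severity(r.residual_score()))
    print("combined:", combined_score(register))
    print("overdue:", overdue(register, date(2024, 3, 15)))
```

Running it lists the register with the laptop-patching risk first (its only implemented control is directive and lowers neither likelihood nor impact), shows the other two risks dropping to low once their preventative and detective controls are in place, and reports the laptop risk as overdue on both its review date and its outstanding action, which is the kind of finding the monitoring stage should surface at the regular risk meeting.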
What should we be looking for in our risk management regime?
Firstly, identify if your school has an up-to-date and active risk policy, process, procedure and risk log.
This process may be something that has not been disseminated throughout the school and may currently exist only at board level. Some schools may have localised risk registers that are used in isolation and do not feed into a central repository. Secondly, to implement and embed an appropriate risk management regime across your school, or to check that you already have one, you should ensure that you have:
- A risk management policy
- A risk management process and procedure
- Individual department risk logs
- A centrally managed risk register
- Identified risk and action owners
- A defined escalation route
- Regular meetings
- The support of the school's board/governors
These policies, processes and procedures need to be supported by an empowered school governance structure, which itself is supported by the board of directors or governors. Once agreed by senior leaders and the board of directors or governors, the risk management regime should be clearly communicated to all employees, contractors and suppliers to ensure all are aware of the approach, how decisions are made, and any applicable risk boundaries.
All risks and issues should be tracked. Schools should have a mechanism in place for raising risks to the board/governors, and all identified risks should be prioritised against a supporting action plan. Identification, classification and the use of a risk-based methodology are key to the active management of risks. Effective risk management is identified as a key stage in cyber security frameworks and guides such as the EU NIS Directive (A2), the NIST Risk Management Framework (RMF) and the NCSC 10 Steps to Cyber Security. Should a vulnerability be exploited, you will be able to provide evidence to any regulatory authorities that there were mitigating actions in place, or about to be put in place, to minimise the risk.
Risk identification and management are at the heart of all 9ine's services. Our risk-based approach ensures that our clients understand their vulnerabilities and strengths, and have a clear action plan to improve their security posture year on year.
ABOUT THE AUTHOR:
Dan Cleworth has worked in education for over 20 years. He is a Senior Technical Consultant and certified GDPR practitioner. Dan heads up 9ine's cyber security team and currently works with schools in the UK, Europe and the Middle East to evaluate and secure systems and services to meet data protection and cyber security compliance.