The following is the first in a series of blogs in which 9ine explore how schools can implement technical and organisational changes to further protect the confidentiality, integrity and availability of their information and information systems. We will build upon each stage of the UK’s National Cyber Security Centre (NCSC) 10 Steps to Cyber Security and, in turn, provide our independent recommendations, examples and guidance.
In our previous blog, “How secure is your school from cyber attacks?” we outlined that schools need to move from defensive to offensive measures against cyber attacks and to further protect against data breaches. The first step listed was to identify all your vulnerabilities; how to do this was captured in, “How To Assess Your School's Vulnerability To Cyber Attacks." Once your vulnerabilities have been identified and assessed against the likelihood and impact of a threat, you will have determined your risks. These risks need to be captured, prioritised and proactively managed through school policies, processes and a central risk log.
In this first blog following the NCSC guidance, we look at risk management and how effective risk management will help your school prioritise the actions required to further protect your data and network from identified vulnerabilities. By following recommended codes of conduct, you will be demonstrating a level of compliance with data protection law and the associated cyber frameworks.
What are the key benefits of maintaining and managing a risk log?
- A risk log allows your individual departments to capture their issues and risks
- A central repository of all risks enables prioritisation and identification of common issues
- Rationalisation means that projects and mitigating actions are driven by the risk assessment and can be managed across the school as a whole
- Risk management will help forecast both financial and resource planning
- The risk register provides a mechanism for evidencing to your school board/governors and regulatory authorities that you are actively identifying and managing risks
What are the main stages involved in risk management?
There are many risk management frameworks available; in our interpretation they broadly follow the cycle below.
Identify - the school should assess organisational and technical systems and services for vulnerabilities to data and cyber breaches
Analyse - the vulnerabilities should be assessed against their likelihood, impact and severity if realised to determine their overall risk to the school
Action - all identified risks should have a risk owner, mitigating action, timescale to implement and an appropriate action owner assigned
Monitor - organisations need to put in place ways of monitoring and assessing the ongoing effectiveness of their risk response. Are your current technological actions still sufficient? Are the organisational measures you put in place being implemented and followed?
Control - controls are put in place to modify the risk and they generally fall under one of the following measures: preventative, detective or reactive
The above is a cyclic process, and only by following a defined and documented policy, process and procedure can you demonstrate an effective risk management regime within your school.
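The cycle above, worked through as an added example that is not part of 9ine's post: a minimal central risk register that merges constructed departmental logs, scores each risk as likelihood x impact (an assumed 1-5 scale for each), checks that the Action-stage fields (risk owner, mitigating action, action owner, timescale) are present, flags issues raised by more than one department and lists overdue actions for the Monitor stage. All names, scales and sample risks are assumptions.

```python
from collections import Counter
from datetime import date

# Constructed departmental risk logs (not real school data); likelihood and
# impact use an assumed 1-5 scale, so overall risk ranges from 1 to 25.
DEPARTMENT_LOGS = {
    "IT": [
        {"id": "IT-1", "title": "Unsupported OS on admin laptops", "likelihood": 4,
         "impact": 5, "risk_owner": "Head of IT", "action": "Replace devices",
         "action_owner": "IT Manager", "due": date(2024, 9, 1)},
        {"id": "IT-2", "title": "No MFA on staff email", "likelihood": 3,
         "impact": 4, "risk_owner": "Head of IT", "action": "Enable MFA",
         "action_owner": "IT Manager", "due": date(2024, 6, 30)},
    ],
    "Admissions": [
        {"id": "ADM-1", "title": "No MFA on staff email", "likelihood": 3,
         "impact": 4, "risk_owner": "Registrar", "action": "", "action_owner": "",
         "due": None},
    ],
}
REQUIRED = ("risk_owner", "action", "action_owner", "due")  # the Action stage

def score(risk):
    """Analyse stage: overall risk = likelihood x impact (assumed scoring)."""
    return risk["likelihood"] * risk["impact"]

def missing_fields(risk):
    """Action stage: every risk needs a risk owner, action, action owner, timescale."""
    return [f for f in REQUIRED if not risk.get(f)]

def consolidate(logs):
    """Merge departmental logs into one central register ordered by overall risk."""
    register = [dict(r, department=dept) for dept, risks in logs.items() for r in risks]
    return sorted(register, key=score, reverse=True)

def common_issues(register):
    """Issues raised by more than one department: candidates for a school-wide action."""
    counts = Counter(r["title"] for r in register)
    return sorted(t for t, n in counts.items() if n > 1)

def overdue(register, today):
    """Monitor stage: actions whose agreed timescale has passed."""
    return [r["id"] for r in register if r["due"] and r["due"] < today]

if __name__ == "__main__":
    reg = consolidate(DEPARTMENT_LOGS)
    for r in reg:
        print(r["id"], score(r), r["department"], r["title"], missing_fields(r))
    print("Common:", common_issues(reg), "Overdue:", overdue(reg, date(2024, 7, 15)))
```

Each function maps to one stage of the cycle, so a school can swap in its own scales and thresholds without changing the structure of the register.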
What should we be looking for in our risk management regime?
Firstly, identify if your school has an up-to-date and active risk policy, process, procedure and risk log.
This may be something that has not been disseminated throughout the school and may currently be held only at board level. Equally, some schools may have departmental risk registers that are used in isolation and do not feed into a central repository.
Secondly, whether you are implementing and embedding a risk management regime or checking that an appropriate one is already in place across your school, you should ensure that you have:
- A risk management policy
- A risk management process and procedure
- Individual department risk logs
- A centrally managed risk register
- Identified risk and action owners
- Regular meetings
- The support of the school's board/governors
These policies, processes and procedures need to be supported by an empowered school governance structure, which itself is actively supported by the board of directors or governors. Once agreed by senior leaders and the board of directors or governors, the risk management regime should be clearly communicated to all employees, contractors and suppliers to ensure all are aware of the approach, how decisions are made, and any applicable risk boundaries.
All risks and issues should be tracked. Schools should have a mechanism in place for raising risks with the board/governors, and all identified risks should be prioritised against a supporting action plan. Identification, classification and the use of a risk-based methodology are key to the active management of risks. Effective risk management is identified as a key stage in cyber security frameworks and guides such as the EU NIS Directive (A2), the NIST Risk Management Framework (RMF) and the NCSC 10 Steps to Cyber Security.
By identifying and logging your risks, you will be able to provide evidence to any regulatory authorities that there were plans in place to resolve the risk, should that vulnerability ever be exploited prior to your planned resolution.
Vulnerability identification, assessment, and action plans based on risk assessment and management are all key elements of 9ine’s services. Contact our team if you would like to hear more about the setup and management of risk within your school.
For more information about our Cyber Defence Essentials Services or other Security initiatives such as Data Loss Prevention, Advanced Threat Protection, End User Email Digest Solutions and our recommendations on configuring Office 365, please contact firstname.lastname@example.org.