School Business Affairs February 2020

and increase the chances of security breaches. Those bad habits include (1) using the same password for every log-on, (2) downloading applications from less-than-credible websites, and (3) clicking links in emails before analyzing their legitimacy. If employees are accustomed to those practices at home, chances are they will continue them at work.

High-performing districts have established programs to train a highly aware staff. It’s important to assess employees’ security know-how. An assessment will allow the district to tailor training to address common weaknesses and to develop learning opportunities to show employees why data security is important to them personally and critical to their role in protecting student and district information.

Formal Policies and Procedures for All Departments

Policies and procedures of high-performing districts make sense to their staffs who are required to follow them. Without effective policies and procedures and an employee commitment, the danger of employees finding ways to skirt the rules not only threatens the district’s security but also their own.

School districts that experience minimal security incidents have developed a culture of security in everyday practices across the district. Policies are consistent district-wide, and all departments are treated the same. When all staff members agree on security standards that minimize risk without drastically affecting their day-to-day functions, the district is less likely to encounter major security problems.

Ongoing Checkpoints for Policies and Procedures

Establishing policies and procedures on which all departments agree is a good start, but it’s not enough. Districts must ensure not only that their policies and procedures are practiced, but also that they succeed.

Determining the effectiveness of a district’s data security program begins by establishing a baseline.
Districts must understand their security program before they can improve it. Districts that experience fewer incidents typically have an information security risk assessment conducted annually by a third-party security expert.

This assessment—which should consider administrative, physical, and technical controls—provides an objective look at how the security program is performing at that time. The assessment also provides a baseline against which to measure and track progress. When districts know where their greatest exposures are, they can take steps to strengthen their security.

When leaders know where a school district is most vulnerable, understand how the policies and procedures increase their security landscape, and use employees’ strengths and weaknesses to constantly improve security, the district will be significantly less likely to experience a major security breach. In addition, should a security breach occur, the district will be better prepared to manage it.

Strategic Spending

With an ongoing risk assessment in place, the district can guide important security decisions going forward. A useful risk assessment looks at all four controls that make up an information security program: administrative, physical, external technical, and internal technical. Assessing all four areas provides a full scope of what a security program looks like now and what it should look like in the future.

Districts should focus on improvement strategies that align with their security risk assessment. If the decision incurs a cost, it’s important to be able to justify that cost by demonstrating that it can make a dramatic impact on the overall risk profile and assessment score. If it doesn’t make an impact, the district probably won’t get buy-in, and it’s likely that the strategy did not significantly improve the district’s security anyway.

Recognition of Assets

You can’t secure what you don’t know you have, and districts’ security measures should directly affect their most valuable assets as well as the risks associated with them. The practical application of protecting those assets, called asset management, is not only an important part of a good data security program, but also an important part of district operations.