School Business Affairs February 2020

Valuable assets extend far beyond the computers employees and students use. Assets also include hardware and data; therefore, their creation, indexing, workflow, version storage, and access become hypercritical components of asset management for the district.

Districts are more likely to avoid a major compromise when they create, implement, and improve mature plans for asset management; know the different types of district assets; and understand how the assets should be treated. When districts know where their greatest exposures are, they can take steps to strengthen their security.

Proper Data Classification

In managing information as an asset, districts must understand the kinds of data they possess and who should have access to them. This idea of data classification is a practice that, even at a basic level, can have a strong impact on the overall security of the organization.

Most organizations have three types of data: public, internal, and private. Who should have access to that information depends on where it fits into one of those three categories.

Public. Everyone has access to public information—it is meant to be seen by the outside world and does not require access or management restrictions. Examples include a district calendar and such school information as schedules, staff, and events.

Internal. Internal information is not meant to be seen by the outside world. If someone outside the district were to access the information, it could be an issue; however, if those data were viewed by district staff members, it would not raise concern.

Private. Private data should only be accessed with special permission. These data include student individualized education programs, medical records, and grades. Private data should have strict access controls.

Simply stated, if the district understands the kinds of data in its ecosystem and can effectively control their access, it’s unlikely the data will be shared with anyone that shouldn’t have access. It’s up to each district to define the categories and their criteria. Districts with strong data classification procedures experience fewer incidents.

Summary

Although levels of security and the initiatives taken to get there vary, districts that avoid major compromises share many of the commonalities described in this article. It’s impossible to avoid all security incidents, but adopting a strong combination of these best practices will improve the district’s chances of managing risk.

Steve Anderson is business manager for Proctor Public Schools in Proctor, Minnesota. Email: sanderson@procter.k12.

Jim Westrum is executive director of finance and business for Wayzata Public Schools in Wayzata, Minnesota. Email: jim.

John Harmon is president of FRSecure, headquartered in Minnetonka, Minnesota. Email:

Brad Nigh is director of professional services and innovation for FRSecure, headquartered in Minnetonka, Minnesota. Email:

Amy Diedrich is a risk consultant with the Marsh and McLennan Agency in Minneapolis, Minnesota. Email: amy.diedrich@

At ASBO International’s 2019 Annual Conference & Expo at National Harbor, Maryland, a deep dive session discussed the emerging and significant risks associated with hackers and the unfortunate fact that school districts are major targets.

The ASBO Risk Management Content Area members are pleased to share a security assessment as a way for ASBO members to determine where they can best dedicate their efforts to improve their district’s security posture.

Take this free assessment and share it with members of your team ( ; team code: ASBOACE19!).

For more about policies versus procedures, see “Build from the Ground Up: Differentiating between Policies, Standards, Procedures, and Guidelines,” iating-between-policies-standards-procedures-and-guidelines.

TAKE THE SECURITY ASSESSMENT