According to research, education is the single most vulnerable sector when it comes to cybersecurity threats. Under-resourcing and lack of cybersecurity-preparedness means that schools and other educational institutions accounted for nearly 7 million (63%) of all reported encounters in 2022. Policymakers and leaders are focusing their attention on the sector and how to defend schools against cyber threats, including implementing recommended cybersecurity frameworks.
Cybersecurity frameworks are valuable tools that guide organizations in navigating the complex landscape of threats and vulnerabilities. These frameworks are essentially sets of standards, guidelines, and best practices that help organizations build and maintain effective security postures.
Think of them as roadmaps outlining essential steps to identify, protect, detect, respond to, and recover from cyber incidents, designed by cybersecurity experts. Frameworks provide a structured approach to managing cybersecurity, ensuring no crucial aspects are overlooked. They promote risk assessment and mitigation, helping organizations prioritize their efforts based on potential threats.
Today, there are many frameworks that have been designed for various different stakeholder groups. Some frameworks are general, others are sector-specific. There are three frameworks that have proven popular – and really effective – in the US public school sector:
Here’s a quick rundown of the most common frameworks schools can use to prevent attacks.
The NIST Cybersecurity Framework, announced in February 2013, was prompted by President Obama’s Executive Order to create a voluntary cybersecurity standard.
The NIST CSF is a comprehensive and broad framework that applies to public and private entities in several areas. The framework has three primary components and covers five high-level functions: identify, protect, detect, respond, and recover.
Its core identifies and records 108 suggested cybersecurity best practices, while Implementation Tiers assess the rigor of an organization’s NIST CSF implementation, including the integration of cyber risk policies and procedures into overall decision-making and governance. Profiles help businesses tailor the Framework to their specific needs, objectives, risk appetite, and resources.
While this is a thorough and beneficial approach, it’s very complex and understanding and implementing the framework effectively can be daunting for resource-constrained school districts. The latest Nationwide Cybersecurity Review found K-12 schools lagging behind other government agencies in NIST CSF implementation.
Developed by the Center for Internet Security, the CIS Controls offer a more focused approach. Its 153 recommended practices, organized into 18 categories and grouped into three Implementation Groups (IGs), target specific cyber-attack tactics. The three implementation groups include:
Schools might find IG1 and IG2 particularly relevant. IG1 addresses essential cyber hygiene suitable for limited staff environments, aligning with the majority of smaller schools. IG2 caters to organizations with dedicated IT staff and regulatory compliance requirements, reflecting the needs of larger districts or those facing heightened risks.
Will it work for your school? On the one hand, this framework helps schools prioritize critical security measures based on their size, resource and risk profile, provides specific, easily understood best practices and targets known attack vectors relevant to the educational sector. On the downside, it doesn’t offer the comprehensive guidance of the NIST CSF. There are regular updates, and keeping up with new versions can be resource-intensive.
Unlike broader frameworks like NIST CSF or CIS Controls, K12 SIX stands out for its specificity. Designed specifically for school districts, the K12 SIX Essential Protections offer a highly relevant and practical framework. Its 12 actionable defenses address common cyber threats faced by schools and align with insurance requirements and government guidance. Categorized and presented with a four-level implementation rubric across four categories, it helps schools prioritize and measure progress.
These categories represent the key areas of focus for the framework:
Each category consists of four levels of implementation:
Using this rubric, schools can assess their current cybersecurity posture within each category, identifying areas where they are “at risk” and need improvement. It also provides a roadmap for progress, highlighting areas where they can move from “baseline” to “good” or even “better” by implementing additional recommended practices.
Compared to NIST CSF or CIS Controls, and designed for beginners, it offers fewer best practices, but seamlessly integrates with CIS Controls and NIST CSF for further growth.
Feature | NIST CSF | CIS Controls | K12 SIX Essential Protections |
Publisher | National Institute of Standards and Technology (NIST) | Center for Internet Security (CIS) | K12 Security Information eXchange (K12 SIX) |
Current Version | 1.1 (April 2018) | 8 (May 2021) | 2022-23 School Year (October 2022) |
Developed by | Government & industry collaboration | International, grassroots consortium | K-12 IT security professionals |
Target Audience | All organizations (federal, critical infrastructure, public/private) | All organizations (including government) | K-12 schools |
Number of Recommendations | 108 (23 categories across 5 functions) | 18 (153 safeguards across 3 groups) | 12 (across 4-level implementation rubric) |
Suitability for K-12 Schools | Requires dedicated cybersecurity staff | Requires trained cybersecurity staff | Aspiring to better cybersecurity |
Description | Voluntary, risk-based approach with customizable “profiles” | Prescriptive, prioritized security safeguards | Tailored to K-12 needs with practical implementation guidance |
Think of K12 SIX as the launchpad on your cybersecurity journey. Start here, implement its recommendations, and gradually progress towards more comprehensive frameworks like NIST CSF or CIS Controls as your resources and expertise evolve. Here are three recommendations to bear in mind:
Frameworks are closely aligned and often interrelated to one another, which means choosing a specific framework isn’t all important – committing to a framework and to cybersecurity risk management is all that really matters.
Even with enough resources, developing a mature cybersecurity risk management program can take years. Investing in stronger frameworks may drain resources away from actions that can strengthen defenses in the short run. If your resources and expertise is limited, focus your attention where it can have the biggest impact.
Cybersecurity frameworks develop to address vulnerabilities and threats, and not all best practices are applicable to all K-12 organizations due to variances in technology, IT systems, risk tolerance, cybersecurity capacity, and budgets. Avoid using checklist-based techniques to framework implementation.
Remember, frameworks are just tools. Ultimately, achieving robust cybersecurity requires a multi-layered approach, including ongoing training and risk awareness, collaboration and monitoring.
*** This is a Security Bloggers Network syndicated blog from Blog – Coro Cybersecurity authored by Kevin Smith. Read the original post at: https://www.coro.net/blog/three-cybersecurity-frameworks-for-school-systems