ManagedMethods Details for Implementation Considerations Outlined by the Joint Cybersecurity Advisory
On December 1, 2020, the FBI, CISA, and the Multi-State Information Sharing and Analysis Center published a Joint Cybersecurity Advisory for K-12 schools. You can read the full, official Advisory here.
The purpose of the advisory is to warn school districts that these organizations have identified malicious cyber actors targeting them. The result is the increase in ransomware attacks and other disturbances that many schools have experienced over the past several months, and that we’ve all seen in the news. The advisory states:
“Cyber actors likely view schools as targets of opportunity, and these types of attacks are expected to continue through the 2020/2021 academic year. These issues will be particularly challenging for K-12 schools that face resource limitations; therefore, educational leadership, information technology personnel, and security personnel will need to balance this risk when determining their cybersecurity investments.”
The advisory provides technical details and mitigation recommendations. Mitigation recommendations covered in the report include:
- Network Best Practices
- User Awareness Best Practices
- Ransomware Best Practices
- Denial-of-Service Best Practices
- Video-Conferencing Best Practices
- Edtech Implementation Considerations
ManagedMethods & Edtech Implementation Considerations
Evaluating and implementing new technology can be a difficult process for district IT teams, and student data privacy compliance regulations often make it more complicated.
It’s worth noting here that ManagedMethods is not an EdTech platform from a classroom learning perspective. Students and teachers don’t interact with the platform at all. Rather, ManagedMethods is purpose-built for IT teams that are responsible for the cybersecurity of their information technology infrastructure. More specifically, ManagedMethods only operates within a district’s G Suite for Education and/or Microsoft 365 domain (Zoom coming soon!). The platform uses deep API integrations to monitor these domains and address specific security needs such as data loss prevention, phishing and ransomware protection, and account takeover detection.
Further, many of our customers use our Signals features to monitor for student safety signals, including self-harm, cyberbullying, explicit content, threats of violence, and more in both text and image content. Again, this monitoring is limited to the school district’s G Suite for Education and/or Microsoft 365 domain. Individual, personalized information is not collected or stored in the platform and it does not monitor activities such as web browser searches, social media activity, texting, etc.
That being said, it is critical that any type of technology being implemented in a school district complies with high standards of protecting student data from improper exposure or use by individuals or third parties. In our continued commitment to student data privacy and security, we figured this would be a good opportunity to outline some of ManagedMethods’ implementation details in relation to the considerations outlined in that section of the advisory report:
Cybersecurity, Response, and Remediation Practices
ManagedMethods protects personal information with technical, contractual, administrative, and physical security safeguards to protect against unauthorized access, release, or use. If an unauthorized disclosure of data does occur, ManagedMethods will promptly notify users unless specifically directed not to provide such notification by law enforcement officials. The notification will include the date of the breach, types of information subject to the breach, a general description of what occurred, and the steps ManagedMethods is taking and/or will take to address the breach and mitigate future risk.
We commit to keeping all impacted users fully informed until the incident is resolved.
Data Security Practices (e.g., data encryption in transit and at rest, security audits, security training, audit logs)
The ManagedMethods platform does not collect or store any personally identifiable, educational, or financial information from customer domains. Metadata that is passed between ManagedMethods and customer domains is encrypted both in transit and at rest. Members of our company staff will log into customers’ service accounts solely to resolve a problem or support issue and in the context of a recorded customer support ticket. In this case, the staff member investigating the problem has the same access and abilities that a customer admin user has when logged in. In all cases, ManagedMethods staff actions will be logged in an audit log.
Maintenance and Storage Practices (e.g., use of company servers, cloud storage, or third-party services)
ManagedMethods uses Google Cloud Platform for storing and maintaining collected data.
Types of Student Data Collected
ManagedMethods does not collect or store any student, faculty, or staff PII, academic, disciplinary, medical, biometric, financial, etc. data.
The platform does collect and store information to monitor and maintain the ManagedMethods service to our customers. Such information includes system health and availability, CPU and disk utilization over time, IP addresses for audit logs, etc. The sole purpose of collecting this data is to monitor your service availability and to respond to failures in order to restore the service.
ManagedMethods also aggregates anonymized user data, including document and user metadata, usage and volume statistical information, and other statistics (but not contact information) and may provide such anonymous aggregated data to third parties.
Entities (third-party vendors) to Whom ManagedMethods Will Grant Access to the Student Data
Again, ManagedMethods does not collect or store any student, faculty, or staff PII, academic, disciplinary, medical, biometric, financial, etc. data.
How ManagedMethods Uses Student Data
ManagedMethods DOES NOT sell or share student PII, academic, disciplinary, medical, biometric, financial, etc. data with third parties for purposes of new product development, studies, marketing, advertising, etc. under any circumstances.
Data De-Identification, Retention, and Deletion Practices
The ManagedMethods platform does not collect or store any student, faculty, or staff PII, academic, disciplinary, medical, biometric, financial, etc. data. The platform does collect and store information to monitor and maintain the ManagedMethods service to our customers. Such information includes system health and availability, CPU and disk utilization over time, IP addresses for audit logs, etc. The sole purpose of collecting this data is to monitor the availability of your service and to respond to failures in order to restore the service.
ManagedMethods also aggregates anonymized user data, including document and user metadata, usage and volume statistical information, and other statistics (but not contact information). Any data collected is deleted or de-identified when it is no longer needed, upon expiration or termination of a customer agreement according to the terms of our agreement, or at the direction or request of the educational institution. Customers may withdraw consent to our processing of personal information at any time. However, withdrawing consent may result in the inability to use some or all of the services.
We’re more than happy to discuss our data privacy and security protections and processes in further detail!
How ManagedMethods Helps Schools With Student Data Privacy Compliance
ManagedMethods can help your district with your student data privacy compliance monitoring and reporting. In fact, thousands of schools are already using the platform to secure their cloud applications.
Among the many ways we can help, including automated data loss prevention, phishing and ransomware threat protection, and account takeover detection, ManagedMethods is also used to detect risky OAuth apps connected to district domains.
The past year has been a challenge for schools on just about every front imaginable. Among the challenges for IT teams is the sudden explosion of “free” apps being used by students, teachers, and staff. Many are struggling to get a sense of what is connected to their domain, what cyber risks they may be exposed to as a result, and how to manage it all.
ManagedMethods is designed to make managing third-party apps in your domain easy. The platform can give you a quick view of everything that is connected via OAuth and the level of permission and risk associated with each app. IT admins can also see who has connected specific apps, if they’re using them, and more. Sanctioning and unsanctioning apps can be done individually and on a manual or automatic basis.
We’d love to show you how our Apps tool works, and offer you a no-obligation 30-day free trial so you can manage your own risky third-party apps. Just let us know when you’re ready to start taking control of the third-party apps in your district’s domain!
The post ManagedMethods & The CISA Joint Cybersecurity Advisory appeared first on ManagedMethods.
*** This is a Security Bloggers Network syndicated blog from ManagedMethods authored by Katie Fritchen. Read the original post at: https://managedmethods.com/blog/cisa-joint-cybersecurity-advisory/