As the school year winds to a close, preparation begins in earnest for summer projects. Many departments within your district will be planning new additions that might involve your computer network. Will any of those new additions expose your vital computer network to bad actors?
Today, so many different systems are connected to the internet in some way. School networks also have a long list of vendors and vendor devices sharing their network: HVAC, transportation apps, security systems, and camera/media systems, just to name a few. Is your transportation department planning on installing new cameras in the buses? Is there a new Energy Management program in the works in your Building and Grounds Department? The question with all these improvements is this: while vendors are allowed to remotely access their devices via the internet, can those vendors ALSO access your internal programs and data? If so, not only is there a risk they could access data that should be confidential, but, like an ill person walking into a meeting, their devices and personnel could infect your network with malware and ransomware. You may have made sure your devices are patched and have endpoint protection, but if vendors have access to the same network, that work may be in vain.
This risk was recently highlighted in the May 1st memo from Louise DeCandia and Marlowe Cochran (NYS Chief Privacy Officer and Chief Information Security Officer, respectively). They highlight eleven best practices and requirements to reduce your district’s risk. The idea we are discussing this week (keeping your vendors from accessing your internal programs and data, a part of network segmentation) is number four on the list.
If you haven’t specifically taken steps to isolate your current vendors’ access and assess access that might be required for new summer projects, you could be at risk for exposure. The good news is that there are ways to protect yourself.
- Identify all vendors accessing, or requesting access to, your network and the type of remote access they have
- Make sure remote access tools are logged so you can see who has remotely accessed your network and when
- Require that remote access tools use multi-factor authentication (MFA) to authorize access
- Require the use of a VPN for remote access where possible
- Segregate vendor systems from internal District network resources
- Avoid authorizing the use of unmonitored remote access tools like LogMeIn or TeamViewer
This week’s suggestion:
- Talk to your Tech Director about what vendors have access to your network and what measures are currently in place to manage access
- Talk to the heads of departments that have upgrades planned for the summer and see if those upgrades require access to your computer network. If they do, make sure they have discussed this access with your Tech Director
- Talk to your Tech Director about the remote access tools used by vendors and employees
- Continue (or start) the process of coming into line with the NIST Cybersecurity Framework guidelines
If you would like more information on help with Vendor Access or navigating the NIST CSF journey, please contact Lisa MacDougall at firstname.lastname@example.org or call 845.897.9480.