|
The Federal E-rate program, which is administered under the direction of the Federal Communications Commission (FCC), provides critical funding assistance to public schools and libraries. These funds provide eligible institutions with money to purchase the critical security and networking technologies they need to give students access to online educational resources at a significant discount. While most organizations see this as an opportunity to obtain discounted broadband access to their schools, E-rate also provides funds for required network infrastructures, as well as critical security solutions that help them comply with Federal regulations, such as the Family Educational Rights and Privacy Act (FERPA) and the Childrens Internet Protection Act (CIPA). E-rate provides a tremendous opportunity for K-12 schools to get strategic about securing their networks, their students, and their data. For many schools, security remains woefully inadequate and should be a top consideration for funding. Along with healthcare and municipalities, schools are a top target for ransomware, as well as malware designed to steal the personal data of students, faculty, and administrators. And because they are filled with tech-savvy students, they are also much more prone to attacks originating from within the network than most other organizations. Getting Started The question is where to begin? To help you with planning your strategy for this E-rate funding opportunity, we have provided a quick checklist of things to consider. The first step is to prioritize those areas of your organization that need the most help. Generally, security can be broken down into three general categories: risk management, data privacy, and cybersecurity. Lets take a look at each of these individually. Risk Management Risk Management involves identifying and quantifying the risks that an organization faces. Schools and school districts need to establish an executive team that meets regularly to identify and discuss security issues, especially as they relate to other initiatives. Digital transformation efforts, for example, have serious security implications that need to be understood from the outset. This team needs to ensure that the following things are in place: - Inventory control schools need to establish and maintain an inventory of technology assets, including installed operating systems, software, and applications. This allows for consistent patching and updating of all devices based on vendor updates and threat trends.
- Risk assessment this process involves keeping track of things like threat trends, vulnerabilities and exploits, and indicators of compromise and tying those back to existing inventory to identify risks and prioritize remediation efforts.
- Security policies and protocols A documented security policy is essential to ensuring that consistent controls are in place across the distributed school district. This should include things like BYOD policies, remote access, policies around unlawful activities, and consequences for non-compliance. A security policy should also include the process for reporting an incident, such as a ransomware attack or malware infection.
- Incident response strategy Steps needed for responding to an incident need to be documented. These should start with educating all network users with what to do when a breach or malware is detected. Roles and responsibilities should be pre-assigned along with appropriate authority to act. Communications and actions plans need to be in place to establish chains of command as well as to deal with external communications with law enforcement and the media. Resources needed for responding to and recovering from an attack also need to be in place and available.
Data Privacy Data privacy involves the secure management and handling of critical data, especially the PII of students and staff, including consent, notice, and compliance with regulations. - Data privacy policy The school district needs to establish a data privacy policy and share it with administrators, faculty, students, and their families. There are plenty of policies that can be used as a template, but it is essential that legal professionals with experience in this area be consulted.
- Regulatory compliance Schools are subject to a variety of specific policies that affect them directly, as well as local, state, and national requirements that need to be complied with. FERPA, SHERPA, CIPA, COPPA, HIPAA, PCI-DSS, are national regulations that need to be understood. And new laws, such as the California Consumer Privacy Act, may have an impact on how you manage data even if you are located in another state.
- Certification Not only schools, but their vendors must also comply with data privacy laws. Vendors not only need to certify that they are in compliance with regulations, but they need to be required to sign your districts compliance protocol and commitment policy.
Cybersecurity Cybersecurity involves the tools and systems required to secure, manage, and monitor any computers, servers, mobile and IoT devices, and access points connected to the district network, as well as all applications, workflows, and network traffic passing through and between these devices. Key areas to be considered include: - Connectivity This includes controlling what devices can access the internet, web filtering to protect students from inappropriate content, bandwidth management to ensure availability, traffic scanning for malicious payloads (email, http, ftp, etc.), and resiliency in the case of a connection failure or as the result of a malicious incident, such as a DDoS attack.
- Network security This includes the common set of security tools most organizations are familiar with, such as firewalls, IPS, antivirus, VPN, sandboxes, etc. However, a collection of isolated security tools can actually limit visibility and your ability to respond to an event. To address this challenge, security tools must be designed to function as a single entity through an integrated Security Fabric, enabling the sharing and correlation of threat intelligence through a central management console, and the ability to coordinate resources to respond to a cyber incident. And as networks expand to the cloud, adopt new IoT devices, and embrace technologies like Secure SD-WAN, security needs to remain consistent. One-off security solutions for new networking tools or environments can fracture and reduce visibility and limit control.
- Access control and authentication Network access control ensures that every device complies with policy. And when combined with network segmentation, devices can be dynamically assigned to appropriate network resources while restricting their access to sensitive data. Password management tools such as single sign-on and identity management ensure that only authorized individuals have access to specific technology resources.
Fortinet Products that Qualify for Category 2 E-rate Funding Fortinet provides a wide range of E-rate eligible solutions to support your cybersecurity development strategies. They include: - FortiGate: FortiGate Next-Generation Firewalls (NGFW) offer a range of integrated security functions, including firewall, IPS, antivirus, web filtering, and sandboxing, all combined with the latest threat intelligence from FortiGuard Labs.
- FortiAP and FortiSwitch: Fortinets secure access points and switches offer secure internal connections for reliable, seamless Wi-Fi. FortiAP is integrated with FortiGate to provide defense in-depth as students and faculty connect their mobile devices to the network, while FortiSwitch improves network efficiency and scalability.
- FortiCache: The FortiCache range of appliances provides a combination of content caching, WAN acceleration, and filtering controls to ensure the content you want is delivered promptly, bandwidth overheads are minimized, and controls are in place to ensure bandwidth misuse is mitigated.
- FortiCare: FortiCare is eligible under the Basic Maintenance of Internal Connections section of Category 2 funding. It ensures that schools have 24x7 access to technical support, including firmware upgrades, technical resources, incident reporting, and more.
Stretching Your E-rate Dollars with a More Strategic Approach By carefully walking through these guidelines, school district network administrators should be in a much better position to identify gaps in their security solutions and strategies and develop a strategic list of needed resources. When funding is combined with a best practices strategy, dollars stretch further and outcomes are more effective. The district is then not only able to build and maintain a more effective security program, but more effectively identify their most critical needs in order to maximize their E-rate dollars.
|
