[VDOE] FRIDAY CYBER - November 6, 2020 - Cyber News and Views for VA Schools

Virginia Department of Education sent this bulletin at 11/06/2020 07:44 PM EST

11/6/20

This Week: Disaster Recovery Planning

Hi. My name is Tim Tillman and I am the Chief Information Security Officer (CISO) for the VDOE. Our team of cybersecurity analysts support the security program of the VDOE. I am excited to provide this email resource to you. Together, we can make our cybersecurity posture in Virginia's K-12 schools strong and a model to be admired.

Contact me at tim.tillman@doe.virginia.gov

News

We read a lot of articles and blogs on security. Here are a few items we found to share that help reinforce this week's topic.

What K–12 School Districts Need to Know About DRaaS

Data is backed up to multiple locations — creating a backup of a backup — on dedicated remote servers, either on-premises or in the cloud. Innovations in disaster recovery mean there are more options for administrators to find solutions that make the most sense for their data and budget needs. Disaster Recovery as a Service, through the cloud, promises fast recovery and flexibility. DRaaS can be fully managed by a provider, assisted or self-service.
Are You Flirting with Data Disaster?
“Cloud-based disaster recovery is top of mind for virtually every IT department, regardless of the size of the business,” Paul Hughes, the former program director for IDC’s Storage and Data Management Services, told StateTech.

Learning

Everyone loves hearing about the good old days of networking and system administration in the 90s, right? My nostalgia extends to the backup tape drives that were prevalent in my experiences for the first 5-10 years of my career. The image above is the Exabyte 8mm tape drive that I used the most.

In those days, we were taught a simple rule for data disaster recovery - a file doesn't really exist unless it is in three places, two of which should be on separate media, and one should be offsite. Therefore, you have your original file on your HDD, a backup file on daily/weekly tape or diskette, and monthly tapes are stored offsite. For disaster recovery we were mostly concerned with protecting data not with recovery of systems, hardware, intellectual property, reputation, etc. The idea of a hot site or cold site was out of reach for K-12 environments. Vendor relationships may have promised same day or next day replacements, but often were not utilized. Purchasing a backup server was also out of reach. In the environments where I worked, we ignored recovery time objectives in favor of recovery point objectives and data integrity. Of course, that all depended on whether anyone changed the tape on the previous night.

Today, we don't have to sacrifice to have good disaster recovery. In an Information Security context, we are concerned with confidentiality, integrity, and availability of data and systems. These three principles apply to our disaster planning. It's important that we plan in advance and put controls in place that help us recovery from disaster, maintain our resilience, and quickly recover with minimum data loss.

What is a disaster? There are three categories - natural, man-made, and a hybrid. A natural disaster can be defined as a storm, tornado, pandemic, earthquake, "Act of God", or similar. A man-made disaster can be the accidental or willful destruction of a system or data by a persons actions or lack or actions. Hybrid disasters are combinations of both. Imagine a hybrid disaster as a natural disaster that is triggered in some way by a man-made disaster - perhaps a dam break that causes a flood or the failure of an air conditioning unit that causes heat to destroy a data center.

Disasters happen every day. Don't think of your disaster recovery planning as something that will hardly ever be used. If your current plan is dusty or doesn't exist, there is work to do. Disasters are not once-in-a-lifetime. You may be affected by a down-stream or up-stream disaster. You may have a water line break in the middle of your school. A power failure could wreak havoc. You may have another pandemic strike. All disasters will attack confidentiality, integrity, and/or availability of systems and data.

The Disaster Recovery Plan (DRP) is an essential element of your security program. It's purpose is to inform and provide guidance for the preparation and/or recovery of a disaster. It should be easily read and understood by non-technical peoples including Board members and Superintendents. Unless you are following a framework like NIST 800-53 or NIST CSF or similar, there is no set template for a DRP. How you decide to organize the elements of a plan are up to you.

Ideally, your DRP should include the following elements:

Identification of risk tolerance levels and common threats related to geographic or historical data
Inventory and descriptions of major systems
Inventory of hardware and software
Backup and restorations plans and procedures for each major system
Identification of recovery time and recovery point objectives
List of responsibilities and roles of local staff
Communication plan, contact list, and external vendor contacts and SLAs
Locations of alternate sites and/or safe sites
Explicit instructions for handling sensitive data in times of crisis
Instructions for regular testing and review of the plan

Your DRP may include more than the technology elements of a disaster. In some businesses the DRP first addresses human safety and reporting, then moves to assets. A division's comprehensive DRP might include more detailed contact information, notification trees, or emergency closing codes. In our Virginia divisions, the technology DRP may be included in a comprehensive Continuity of Operations Plan (COOP). Your division may be unique in how detailed your DRP becomes.

Here are some resources that can help you develop a DRP for your division's technology:

Example Disaster Recovery Plan Templates Word | PowerPoint | PDF | Smartsheet
University of Iowa Example DRP
Finding the Right Server Backup Methods for You
CoSN Technology Disaster Recovery Checklist
CoSN IT Crisis Preparedness for Natural Disasters

DRP is more than just backups of data. Having a properly constructed plan to recover from a disaster can provide peace of mind not only to your IT staff but to all stakeholders. Information Security includes DRP as a means of protecting CIA in times of crisis. Make sure you include a basic DRP in your security program.

Community

Share this newsletter with staff and faculty. Encourage colleagues to sign up for VDOE newsletters here.

Join

If you are a technology leader in your school division, consider joining the non-profit group Consortium for School Networking (CoSN). The advocacy, research, reports, and training that are generated from the organization are very valuable. You can join CoSN as an individual member or your school district can join. CoSN is also the creator of the Certified Education Technology Leader (CETL) certification and the Trusted Learning Environment (TLE) seal. Many of your colleagues (like me!) and neighboring school divisions have already attained these credentials. Could you be next?

The K-12 Cybersecurity Resource Center helps to spread the word about reported K-12 cybersecurity incidents and raise awareness of attacks and mitigation strategies. You can learn from the experiences of others.

2020-2021 Friday Cyber Archive:

7/31/20 - Cybersecurity in Schools
8/14/20 - Cybersecurity Awareness Training
8/28/20 - Patches, Updates, and Fixes... oh my!
9/11/20 - Next Generation Firewalls
9/25/20 - The Art of Cyber Resilience
10/9/20 - Network Segmentation
10/23/20 - Ransomware Special Edition

Stay Connected with the Virginia Department of Education

This service is provided to you at no charge by the Virginia Department of Education. Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page. You will need to use your email address to log in. If you have questions or problems with the subscription service, please visit Subscriber Help.