Using google G suite and Microsoft office 365 offers school districts many benefits. From improving productivity and collaboration to outsourcing infrastructure security, schools and districts of all sizes choose to move to the cloud.
But there are also security issues with cloud computing. The iSmile technologies recommends that you regularly conduct a risk assessment and cloud security audit. This cloud application security checklist is designed to help you conduct an audit for your district’s G suite and office 365 to minimize security issues.
List of Top 10 security checklist
1. Set password policies
Passwords are the foundation of any good security plan. Educate both students and staff on what factors make passwords strong or weak and why password strength is important.
When you first set the standards, conduct a review of current passwords to determine whose passwords do not match the new standards. You can then use your admin console to force a change in passwords.
2. Make multi-factor authentication must
Multi-factor authentication requires users to take a second step after entering the correct password to prove authorized access. This usually involves entering a code that is sent to your phone via text message. It can also include phone calls, answering security questions, prompts through mobile apps, and more.
3. Manage saas access and authorizations
Open authorization (oauth) makes app usage convenient for end-users, but it can be a bit of a nightmare for those responsible for IT security. The increasing use of saas in classrooms and school districts makes it difficult to track which apps have access to your cloud environment, what permissions they are granted, and how secure the app itself is.
School district system administrators can control which apps are allowed access to the organization’s google or Microsoft cloud accounts. This can be as simple as restricting access to risky apps or as customized and detailed as creating lists of sanctioned and non-sanctioned apps.
4. Enable anti-phishing protective measures
Email phishing remains the most common external threat vector. And there are a variety of tools on the market that aim to remove phishing emails from inboxes. Unfortunately, none of them work with 100% certainty.
The best option is to start by configuring your cloud email provider’s anti-phishing features and then add additional protection and monitoring on top of that. It’s also extremely important to educate the rest of your district about common and emerging phishing attacks and how to recognize them.
5. Turn on unintended external reply warning
One of the ways you can ensure that sensitive, internal information is not shared outside of your school district without authorization is to enable an external response alert. This feature also protects your district from spoofed emails from malicious hackers attempting to access internal files and information.
When the external reply warning is enabled, users will receive a pop-up notification asking to send the email to an external domain. You must clarify to your colleagues why they need to pay attention to this pop-up and think twice before ignoring it.
6. Set external sharing standards
In addition to sending emails, you should configure external sharing standards for shared calendars, drives, folders, and files to protect against data loss. It’s best to start with the strictest standards possible and then open them up as needed.
Files and folders containing particularly sensitive data, such as student, parent/guardian, and personal staff data, and financial data, should rarely (if ever) be configured to allow external sharing and access.
7. Set up message encryption
Encryption prevents anyone other than the intended audience from reading a message. Microsoft and google offer native encryption options. In google’s case, there is “confidential mode,” which works a little differently. There are also several third-party encryption tools.
When sending sensitive or confidential information via email, you should always enable encryption and confidentiality protection. This forces the recipient to authenticate that they are the addressee, and the information cannot be forwarded to others. The sender can also set an expiration date to ensure that the information remains in the recipient’s inbox forever.
8. Set up data loss prevention policies
Data loss prevention is a strategy to ensure that your district’s sensitive and proprietary information does not inadvertently leave the network – whether it happens accidentally or maliciously.
System administrators can set up data loss prevention policies in the most popular and “enterprise-ready” cloud applications. These policies help administrators manage and automate rules for accessing and sharing information. Most policies create alerts and actions the system can take when a data loss prevention policy is violated. For example, suppose an employee account attempts to share a table of social security numbers with an external domain. In that case, the policy can be set up to automatically warn the user and/or quarantine the file.
9. Enable mobile administration
Everyone in your school district likely uses mobile devices to access school cloud accounts – primarily email, files, and drives. These mobile devices represent additional endpoints that need to be secured through IT. But endpoint security is not enough when it comes to cloud computing security. You also need to configure mobile device policies in your cloud applications.
10. Run a security health /score audit
Once you have completed this checklist, you should perform a cloud security audit of your environment. An audit will review configuration errors, sharing risks, files containing sensitive information, and more.
It’s also important that you conduct an audit regularly. Weekly and/or monthly audits and reports can be automated and provide you with detailed information about the security posture of your cloud applications. Microsoft provides office 365 secure score, which is very helpful when reviewing the health of your applications on an ongoing basis and making recommendations. Especially when new security features are introduced and new risks are identified.
For more assistance, you can take an expert’s advice at iSmile Technologies.