
Best Practices

1. Network Security

1.1. Client Security

  • Must Have Practices

    • Should have endpoint protection installed on all managed devices

    • MDM and/or GPO should be used to manage policies that ensure a secure client

    • End users should backup their data

      • Network admins should provide a means to store the backup data

      • Training should be provided to end users

    • Patching should be completed for the OS and any installed 3rd party applications

  • Best Practices

    • Software Restriction Policies (Windows GPO)

      • Computer Configuration => Policies => Windows Settings => Security Settings => Software Restriction Policies

    • No Local Admin rights for users

    • Use approved applications list through MDM for self-service software installations

    • Use drive encryption


1.2. End User Security

  • Must Have Practices

    • Provide appropriate training/documentation to protect against phishing, social engineering, etc.

    • Password management

      • Consider complexity, history, security

    • Policy and procedure for provisioning/deprovisioning of user accounts

  • Best Practices

    • Use of multi-factor authentication

    • Use a password manager

    • Auto provisioning/deprovisioning of user accounts


1.3. Server Security

  • Must Have Practices

    • Hardware should be in a secure location

      • Document who has access to servers

    • Secure access to network & power feeds to servers

    • Patching should be completed for the OS and any installed 3rd party applications

    • Change the default username for the Domain Administrator Account

  • Best Practices

    • Use a separate admin account to administer each server

    • Technology administrators should have a standard user account for day-to-day tasks and a privileged account for administrative functions

    • Use software that rotates passwords on a scheduled basis (e.g. CyberArk)

    • Use a password manager

    • Use of multi-factor authentication

    • Run automated tasks/services under a dedicated service account


1.4. Wiring Closets

  • Must Have Practices

    • Adequate power and cooling

      • Security and communication systems rely on network services

      • Use dedicated power circuits

      • UPS to handle brief power outage

    • Secure, locked location

  • Best Practices

    • Devoted exclusively to network/server hardware; no other equipment stored in the closet

    • Card access with logging

    • Security cameras

    • Document cabling and label all equipment

    • UPS to handle extended power outage

    • Generator to provide backup power


1.5. Wireless

  • Must Have Practices

    • Must use at minimum WPA2/AES encryption on the SSID

    • Use of multiple SSIDs to segment traffic

      • Guest and production at a minimum

      • Each SSID should be segmented onto a separate VLAN, with access control lists (ACLs) limiting access between these network segments

  • Best Practices

    • Newer Security Methods

      • Use 802.1x authentication for clients

      • PPSK (Personal Pre-Shared Key)

    • Separation of guest and production networks can also be done using a single SSID via the wireless network vendor

    • Consider password rotations


1.6. Switches

  • Must Have Practices

    • Use SSH/SSL for management

    • Capabilities

      • VLAN segmentation

        • Splits network devices into containers/traffic lanes

      • Access Control Lists (ACL)

        • Allow or block specified traffic between network segments.

      • Network Access Control (NAC)

        • Checks devices to make sure they meet the organization's security requirements (antivirus installed, Windows patches applied, etc.)

      • Redundant power supplies

        • Security and voice services rely on network connectivity.

  • Best Practices

    • Set Console session timeouts

      • Prevent a rogue user from connecting to a device with elevated privileges

      • Technicians should ensure they log off each session, whether remote or direct.

    • Redundant core switches configured for failover

    • Ensure maintenance contract matches life expectancy of hardware

    • Ensure security updates will be available to match the life expectancy of the hardware.

    • Configure VLAN segmentation to split traffic and meet security objectives of organization.

    • Traffic prioritization

      • Allows voice, security, or other services the organization identifies to have a higher network priority than other traffic, including, but not limited to, rogue or malicious traffic.

    • Auto provisioning of ports (VLAN segmentation and ACL)

      • Cameras, access points, servers, clients, guest devices
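As an added illustration (not taken from this page or from ESU3), the following Cisco IOS-style switch configuration ties together the guest/production SSID segmentation from 1.5 and the SSH-only management, session timeouts and VLAN/ACL items from 1.6. The hostname, domain name, VLAN numbers, addresses and the account name are assumed placeholders.

```cisco
! Added example, not district or ESU3 configuration. Hostname, domain,
! VLAN IDs 10/20, the 10.10.0.0/24 and 10.20.0.0/24 ranges and the
! account name are placeholders chosen for this illustration.
hostname dist-core
ip domain-name district.example
! Run "crypto key generate rsa modulus 2048" in privileged EXEC first,
! then enable SSHv2 and turn off plaintext HTTP management.
ip ssh version 2
no ip http server
username netadmin privilege 15 secret <set-a-strong-password>
!
! Management access: SSH only (no Telnet), idle sessions dropped after
! 10 minutes so a walked-away console cannot be reused with privileges.
line vty 0 15
 login local
 transport input ssh
 exec-timeout 10 0
line con 0
 login local
 exec-timeout 10 0
!
! One VLAN per SSID: production and guest traffic live on separate segments.
vlan 10
 name PRODUCTION
vlan 20
 name GUEST
!
interface Vlan10
 description Production (managed staff/student devices)
 ip address 10.10.0.1 255.255.255.0
!
interface Vlan20
 description Guest Wi-Fi
 ip address 10.20.0.1 255.255.255.0
 ip access-group GUEST-IN in
!
! Guest clients may reach the Internet but nothing in internal (RFC 1918)
! address space. Point guests at a public DNS resolver, since an internal
! resolver would be blocked by the deny lines below.
ip access-list extended GUEST-IN
 remark allow guests to obtain DHCP leases via the relay/server
 permit udp any eq bootpc any eq bootps
 remark block guest -> production and every other private range
 deny   ip any 10.10.0.0 0.0.0.255
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
```

Applying the ACL inbound on the guest SVI enforces the boundary at the first Layer 3 hop; verify with `show access-lists GUEST-IN` and confirm from a guest client that nothing in 10.10.0.0/24 answers.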


1.7. Filtering

  • Must Have Practices

    • Granular Policy enforcement (staff / student)

    • Filtering needs to meet CIPA requirements

    • Off site filtering of student devices

    • Selective SSL Decryption

    • Ability to create custom categories

    • Determine how unknown sites are handled

    • Determine how sites are categorized

      • Determine how site submissions are handled

        • Human intervention

        • Machine Learning

  • Best Practices

    • Policy enforcement by directory service and IP address

    • Ability to exclude IP address from filtering

    • Off site filtering of all devices, student or staff.


1.8. Firewall

  • Next Gen Firewall

    • Must Have Practices

      • Application Control

      • Intrusion Prevention

      • SSL Decryption for all traffic flows/sessions

      • Zone definitions to include Outside, Inside and DMZ

      • Secure VPN access controlled via policy

      • Ensure proper firewall sizing based on needs

      • Ensure logging/reporting retention fits the district's needs

      • Allow for connectivity to the outside Internet aggregation switch at ESU3

        • Districts should not traverse the ESU3 Private LAN

    • Best Practices

      • Log Analysis and Notifications of important events.

      • Web Content Filtering

      • Anti-Virus

      • Ensure maintenance contract matches life expectancy of hardware

      • Life cycle of device

        • Future growth

        • Hardware end of life


1.9. IP Addressing

  • Must Have Practices

    • Private address space should be used for internal addressing

  • Best Practices

    • If a public IP address is used, be sure it is behind a NAT firewall

    • Reasonable DHCP lease expiration


1.10. Backups

  • Must Have Practices

    • Systems deemed as critical should be backed up

      • This may include financial systems, student systems, Active Directory, etc.

    • All backups should be securely stored at an offsite location

    • Be sure retention matches business objectives

    • Test your backups - cloud and local

    • Review cloud services DR plans

      • Don’t assume that cloud backups are safe

  • Best Practices

    • All servers should be backed up

    • Use Volume Shadow Copy

    • Prioritize backup of systems based on how critical they are to your environment

      • Create backup retention schedules based on priority of systems

    • Encrypt backup data, both in transit and at rest

    • Air gap between backups and production data to protect against ransomware/crypto-locker attacks


1.11. 3rd Party Vendor Equipment

Examples would include: HVAC, lighting, IoT, clocks

  • Must Have Practices

    • Don’t use default credentials

    • Document the equipment that is connected to the network

    • Secure protocols between devices and management systems

  • Best Practices

    • Use VLAN segmentation with ACLs to control access

    • Firmware updates for security vulnerabilities if available.


1.12. Security Risk Assessment / Documentation

  • Must Have Practices

    • Self-assessment of all risks related to technology

    • Develop and maintain a Disaster Recovery plan

    • Develop and maintain an Incident Response plan

    • Ensure logging/reporting retention fits the district's needs

  • Best Practices

    • Contract with security consultant to assess all risks related to technology

    • Penetration testing

    • Review Disaster Recovery and Incident Response plan annually

    • Review policies related to security annually