Welcome back to Student Data Privacy Fundamentals.
This lesson is the data security checklist.
In this video, you will learn the purpose of a data security checklist, what types of threats to look for, how to analyze existing vulnerabilities, and how to evaluate information assets in your organization.
A thorough risk analysis of all data network systems, policies and procedures shall be conducted on an annual basis or as requested by the superintendent, ISO or designee.
The data security checklist examines the types of threats that may affect the ability to manage and protect the information resource, documents any existing vulnerabilities found within each entity which could potentially expose the information resource to threats, and evaluates the information assets and the technology associated with its collection, storage, dissemination and protection.
From the combination of threats, vulnerabilities and asset values, an estimate of the risks to the confidentiality, integrity and availability of the information is determined.
The product of the risk analysis will be referred to as the risk assessment.
The risk assessment, or RA, shall be used to develop a plan to mitigate identified threats and risk to an acceptable level by reducing the extent of vulnerabilities.
Quiz time: in your own words, summarize what type of information is in the risk assessment and what the RA is used for.
So hopefully you answered something to the effect of combining threats, vulnerabilities and asset values to estimate the risks to confidentiality, integrity, et cetera.
And then the product of the risk analysis is the risk assessment. So analyzing all of those risks becomes the risk assessment, and the point of that is to develop a plan to mitigate those risks and reduce the extent of vulnerabilities.
So now the data security checklist for district- and provider-hosted systems. This is a specific section within your data security checklist. You'll want to inventory and classify all of the data on your system.
So types of potential threats would be internal, external, natural, man-made, electronic and non-electronic.
So take a second to think about those different types of threats. So a potential threat, an internal threat, could be something like a user not protecting their password or a user accessing information that they were not authorized to access.
An external threat is probably the most dangerous, where you could have someone who is malicious and trying to hack your data. A natural threat could be something like a flood or fire or tornado.
And so go through the rest of those and try to kind of come up with examples that you can then address specifically in your policy.
And then, lastly, physical security of the system, so that would only pertain to district-hosted.
Next, we have the location within network, including network systems protection. So that would be your firewall, your content filter, and in your policy you want to specifically state what you use for yours. So, for example, Fortinet would be a brand that is a firewall and content filter. And if your system is externally facing or only allows for district network access, so again, that's district-hosted only.
Next, you'll want to address that the provider has accurate data security measures, including data management and incident response. Again, provider-hosted only.
Ability to ensure proper access controls, including password security. So, um, those are again your specific requirements for passwords and password security in your district, and making sure those are enforced.
And the authentication methods, so that is different than password requirements. So authentication methods like using Active Directory, single sign-on, any district-managed accounts that you might have, so if you use Google Drive, for example, and then user-managed accounts.
Next, you'll want to address the server system security patch frequency. So how often you are going to look for the need for patches and apply patches.
Ability to access from mobile devices. So sometimes we need to access different things from mobile devices, but how are you going to address that from the security standpoint?
Ability to maintain critical system event logs; that would be district-hosted only.
And then ability to receive notification for critical system events, including system compromises or a security breach.
So in today's video, we discussed the purpose of a data security checklist, what types of threats to look for, how to analyze existing vulnerabilities, and how to evaluate the information assets in your organization, and we talked about some specific examples and some different things that you should kind of take and specify for your specific organization.
In our next lesson, we will discuss data classification levels. See you soon.