
um so it does make a good segue to maybe my first announcement we're still trying to decide about b-sides um you know we definitely had canceled b-sides last year at the last minute for the in-person session uh just for the fear of you know we would not at least i would not want to be responsible for any transmission uh even to one one person even if they just got a little sick or not even sick at all so we're still debating what we're going to be doing for for this year i think it goes back and forth right now it sounds like kids are probably going to be vaccinated in september so i think you know our original plan
may be to have an in person at the end of october could work um we're just kind of still monitoring the situation and see if things stay on track uh if not probably what the the plan will be to do is a virtual in about six months and do do a in person probably early in 2022 like march so about about a year from now so uh so we'll see um i also haven't heard back from my car at all so so we'll see see uh see what happens there but uh so again so kind of stay tuned i think we'll have um by this time next month we'll have a we'll have a final decision on
on what we're going to do so obviously we all want to be back in in person uh together but you know i don't want to be responsible for even spreading covid to one person so we just have to make sure we do it safe so that's the update on uh b-sides couple other quick announcements one is uh so gary had reached out from uh ogletree ryan's old boss and uh was looking for some part-time help for anybody uh who's looking for some part-time work said 20 to 40 hours a week depending on the week but helping complete the different vendor security questionnaires that come in right for the the self-assessment so if somebody has a background in
infrastructure ideally completing different types of security questionnaires then uh reach out i think david was supposed to be on the line as well because he works with gary i don't see him uh online but uh if that's something that you're interested in go ahead and shoot me an email uh and then i can get you in uh contact with gary or just you just reach out to gary burger at ogletree on linkedin so appreciate that so yeah just uh i said reach out if it's of interest um i think um uh we're going to send out a questionnaire in a short order looking at scheduling we want to get back to doing our training classes
uh and so we're going to be trying to do one for the chapter on a quarterly basis so i was going to send out a survey to get a better idea of what everybody would like to have as options so like the previous ones it's a you know low cost probably a hundred dollars with all the money going to the chapter uh students uh those of you that might be unemployed right now are more than welcome to attend for free so again we'll get that survey out and start getting those scheduled for everybody so definitely i can't wait to uh get the training back on back on track it's been i know like six months i think since we uh we had the
last big class but um yeah 450 people that was that was a lot of fun so um so we'll get that that out um i don't see stuart on but stuart uh some of you might know he's actually just he's one of our students at greenville tech he's just wrapping up his degree this semester and then he's done he actually works day job so he usually isn't able to attend uh but he actually offered some of his time and services as being a webmaster for the chapter kind of communications director so he's bringing up a new website for us which is really exciting since uh we haven't had one it really in a long time
or the one that is there is very very old and uh not kept up to date so so really excited to uh that's to the mystique it does right we're a special secret club right that nobody knows about what's that we're like the chapter that flies under the radar i feel like right we are very in many in many different ways but but you know what i think it works out for us too so um it's kind of like uh what uh what's that secret club at disneyland right if you go to disneyland and you can eat at that secret restaurant in uh the uh was it new orleans quarter whatever they call it so
um for sure so so yeah so special thanks to stuart uh he's also gonna do the uh b-sides greenville site as well uh so that would be cool i think we're gonna actually slightly tweak our domain name so but it will send out announcements so nobody thinks we're trying to phish them so it sounds like there might have been an issue with some folks getting the announcement so um hopefully everybody got that but uh i mean some of you are here but i know charlie mentioned he didn't get his so i'll just kind of keep an eye out on on that uh the only other things i wanted to mention real quick was uh upcoming schedule so next month
adam anderson's going to be here uh so yeah club 33 that's the one they had a friend that uh got to be a lustrous member but his his uncle was walt disney so kind of makes sense i guess they still made them pay though isn't that crazy um so we had adam is going to come back uh for next month and what he's put together uh essentially is a game to run a table top exercise for executives and it's really about more along the lines especially for our group looking at us as most of us as security practitioners in technical security analyst roles better understanding cyber security from the business perspective from the executive perspective what type of
information are the executives looking for during an incident response so as we're providing updates to the organization you know what they need to be best suited to make the appropriate decisions right to direct the company uh during those those wonderful times of our lives when there's a significant incident or or breach occurring so so i'm actually really excited to see how that works out i've kind of got the demo run through uh so it's kind of interesting i think we're actually going to do one at the floor with our i.t folks just and see how that goes so kind of interested to see how our different team members um like it and kind of again get a little bit more
insight into how the the executive thinks about not just cyber security but how cyber security really plugs into the big picture of the organization overall so so yeah so i'm really excited about that and obviously you know adam's always great to to have uh come and speak uh in april i'm actually gonna speak i'm gonna actually talk about industrial control security which we we usually pick up once every other two or three years um i actually am going to be launching a new free course that i'm going to do which is a 10-week course uh based on the book sandworm and it's going to be an introduction to to industrial control security so and it'll actually kick off
right after the the issa meeting so i thought that was a good time so that's going to be in april uh and then may i think we're going to have kevin uh from uh secure ideas he's going to come and talk so he's always great especially around web applications security or anything security realistically and then have a couple other folks lined up so so really excited so again hopefully by this time next month we'll have some b-sides plans locked in um and i know we've actually had some of our sponsors reach out and ask us what we're doing so just kind of let them know that we're still still evaluating um so but yeah i think that's everything
i had so probably more than normal again just a reminder if someone's looking for some part-time work uh i think i saw david pop on uh so ogletree and and gary are looking for somebody to to work part-time to do security questionnaires from vendors and probably potential clients and and partners so so just reach out if you have any questions anybody have anything else you want to throw out there i know neil mentioned uh 60 minutes on sunday they're going to do a story on the solarwinds breach so they they usually do a really good job on reporting cyber security incidents that might be worth a worth of watch i already got a youtube tv set to
record it for me anybody have anything else all right with that then i will turn it over to bill i appreciate bill for coming and uh talking about how uh you brought uh greenville uh county schools into uh the 21st century uh cyber security style and uh so thank you sir i appreciate you for being here all right thank you very much uh i would say that this has been a very challenging year and a half almost to give you a little bit of background in march 13th of 2020 we were given orders from the state to shut down our schools the next day and switch 70 77 000 kids over to uh e-learning and 12 000
employees to remote and we had two days to do it so it's been an extremely challenging year for us i'm going to share a screen because the challenge is we didn't stop there we did a few more things after that let me know if you see this okay yeah it looks like it's loading yep looks good okay great so you know a lot of times folks don't know about greenville county schools that much uh and and so we like to do is you know kind of put together a brief overview of of where we're at and some of the unique challenges that we have uh again we have close to 78 000 students and 12 000 employees we're the largest
well between us and prisma we're the largest employers and the largest employer in the upstate and if you were to take all of our our size and the number of folks we have we're the 25th largest city in the state so we are relatively big we're the 44th largest school district in the nation there's 18 000 school districts and we're number 44 and we keep going up i will say that we've been back 100 percent since august and the technology department never left the building we've been here through the entire pandemic uh and so we've learned a lot like how to keep yourself safe and not sick well let's see if i can move this so as
a quick biography uh i've been doing this for 40 years and i probably will maybe do it for another five and then i'll just kind of like move on to something else i'm a beekeeper so i'm gonna move on to beekeeping so uh i've been here at greenville county schools for 13 years my background before that was i worked for a managed service provider and then i worked for over the last four years i've worked for 32 fortune 500 companies throughout the united states so it's a very wide and diverse background i've worked at eli lilly pharmaceutical as an example dow chemical ford motor company general motors u.s air force u.s marine corps so greenville county schools has
this number of devices sitting out there right now this was taken i think as of last week but we have a hundred and ten thousand six hundred fifty chromebooks sitting in our students' hands and they're they're everywhere i mean literally everywhere we've got uh half a dozen students in new zealand some in germany pakistan india taiwan alaska the uk germany again like i said germany before south africa we have kids all over the globe right now doing e-learning and virtual programmer which provides its unique challenges when you start dealing with iran iraq pakistan and india we've got all kinds of different laws sitting there that we have to abide by in the uk the gdpr and so
it's been very unique challenges so we have about 14 000 ipads 7 890 network based printers which is a unique security feature on those is that we require the hard drive be encrypted and we will remove the hard drive and destroy it ourselves before it leaves the building so those are some of the unique things that we have with printers again 110 650 chromebooks we just ordered another 25 000. after four years when the warranty expires we rotate a new batch in we have 38 384 windows 10 uh laptops and desktops uh our our radio system that we have we have a tower up on paris mountain but we have 4 200 radios they're all digitally
encrypted and connected to our network so each radio that we have out there has an ip address that we can ping and get to and then we have 28 510 other devices and that would be switches hubs we don't have too many hubs i think we might have one but switches networking components uh firewalls content filters uh web access filters we have over 2000 servers on our network right now and so that pretty much covers it we are a complete voip shop so we have over 10 000 phones we are going to 20 000 phones and so we have a lot of a lot of equipment out there so from the information security perspective we have four people that
serve in our information security department of course we have the information security administrator supervisor he's also our iso project manager and lead internal auditor so he spends a lot of time documenting we have an information security administrator that handles investigations and outreach outreach is a program we put together about 10 years ago it's been highly successful it focuses on that one component of your information security plan which is people and its purpose out there is to educate people on how to behave on the internet how to behave using email how to detect phishing attacks spear phishing attacks uh how to behave on social media so it's a great outreach program since uh 10 years ago when we put it in play
we've done over 4 000 sessions now and so we we go to schools community groups businesses and uh we bring up a nice program on on cyber security and basically how to play on the internet we have another information security administrator he does he handles endpoint security and cloud security he's like our primary google cloud person for security purposes and then takes care of all the alerts we might get from our palo altos regarding malware intrusions and stuff like that then we have an information security administrator that handles investigations contracts and outreach i think the unique thing here is contracts uh every application every google chrome extension every google chrome app every microsoft app has to go through a vetting process
and it has to be approved by multiple layers of people and the final level of approval is a data sharing agreement where we have control of our data when we send it to them since last year we've approved over 200 applications and gone through all the contracts she also handles outreach so she's out there also doing some of the training we have a very extensive job description for our security group we require a minimum of 10 years experience in the field i will say that out of everybody that's in the group two of them are former law enforcement where they've retired from being in law enforcement and now have come over to work with us one of them is from a
former military u.s army he was in the eod uh he's very helpful when we have bomb threats and yes we get bomb threats and so a lot of the people that we have on staff are either former military or former law enforcement with a minimum 10 years experience okay so one of the things that we're i'm going to walk into is what we call the challenges well what do we have out there that makes us a little bit more unique than perhaps a regular business so the internet you know i've been around since the internet's been born and it wasn't designed to have gatekeepers or somebody watching over content and services or you wouldn't know that today but originally
it kind of like was the wild west and uh that's important to note because a lot of the content that we're having to deal with today is content that there's no gatekeepers so we've been tracking these are numbers uh you know everybody knows 1.2 billion websites are out there there's almost 5 billion internet users now one of the things that's critical to know on when it comes to the 4.9 billion internet users is there's a lot of talk about sexual predators and pedophiles and stuff like that on the internet but the key thing here is that the bulk of the information we have is of those individuals in the united states and not any other country so
there's all kinds of communications that are happening with our students coming from other countries that they would be classified as a sexual predator in this country um so there's 40 million k-12 chromebooks that number has gone up drastically in the last year as school districts rushed to find chromebooks for their students we like chromebooks it solves one of the antivirus issues that we have to deal with and they're kind of easy to maintain you just turn them on and walk away and they have 10 hour battery life like i said we have over 90 000 at greenville county the other slide said a hundred thousand we keep a large spare population at any given time we have
five to six thousand devices being repaired and so we have to have very large spare population of devices so that we can swap them in and out so this is the internet threat against children this is the stuff that we're watching for instance 70 percent of children 17 to 18 have accidentally encountered online pornography now the school district by law is required to monitor all students and look for online pornography but the fcc has realized that no filter is a hundred percent and i agree with that and so oftentimes we're having to make special adjustments to like bing searches and google searches so that little images don't come up with pornography in them now 41 percent of unwanted sexual
solicitations to our minors law enforcement estimates that more than 50 000 known sexual predators are online at any given time uh that number is low uh we know of a facebook group that has over a hundred thousand sexual predators in it but again that's just in the united states they do not know anyone outside the united states uh 69 percent of teens regularly receive online communications from strangers i'll show you how we handle that and an estimated 725 000 children have been aggressively asked for sex online so to to bring it home the threat is real this happened in 2012 one of our students she was a riverside high school student was involved with this man that
she met on facebook and the man came over to her dad's house and tried to kill him when this first came out on march 28th uh we went and pulled all the logs and everything and so she was using her district device to communicate with the person on facebook by using a proxy bypass and then once they got a hold of it we were able to provide all the information to them but by the way it says was an attempted murder charge it was later changed to a murder charge because he in fact did kill the father so we know it's real and there's a lot of these out there so one of the things that like i said
before was email communications uh students are really smart so or adults they're moving off of the email and going into creating google docs and going onto sites like scratch at mit and are using their chat features so that they know that you know we might not have the capability of monitoring some of these systems but you know there's 251 million americans that use email quite often and so our email by the numbers is that well first off we use the google cloud for our email so everything all our mx records point through google and google and respond in return handles our anti-spam and anti-virus and attachment quarantine and also once if a student email goes
out through google and it's checked for spam and stuff like that we then send it to a third party provider that uses an ai based analysis system to detect for questionable content keywords bullying threats harassment and then that in turn uh can either block or let the email go through but on an average day and you can see over the last few months you know we're pushing um 800 000 plus emails received a day and if you look the inbound email spam you know a good portion of these emails are not flagged as spam and are coming in in the past we've seen it where like 86 percent of email coming in was spam but that's not the case anymore it's a
rather low percentage that's coming in so we have an incident response team uh and it consists of about eight people which also which includes law enforcement mental health coordinators uh counselors and uh we're getting a lot i'll just put it that way i'll show it to you by the numbers so this is just since uh january 1st on average we get 56 well 57 instances per school per day and we have 100 schools we review just looking at it of course through automation you know over 50 000 email messages and you know you can take a look at about 120 000 google drive files that we actually scan and the way we scan the google drive
files is anytime a drive file is either uploaded or put on into the drive space we scan that file and it can be anything it could be a spreadsheet a document file it could be a movie it could be images if it's a movie or images we actually use an algorithm that detects skin and if skin comes up as a percentage of the image then what happens is the image is sent for review so we are detecting child pornography students photographing themselves and sending them to their friends we have all that being currently detected on an incident per item ratio we're pretty low but we're actually above and that's this blue line here we're actually above kind of like the
national average quite a bit above it and then over here we have the number of items that we're scanning and at the first the year we scanned quite a few items kids come back from school and starting to post more stuff so if you would have looked at this in december it would have been pretty low because you know we didn't have a lot of things going on then so at the over here at the final end is incident type and these are the incidents that we're actually looking at like for instance we have a defined set of rules that says that this is what classifies as an incident and so we've had over 7009
incidents comes in come in now there are a couple types one is questionable content and that's what we call the cue con here and so excuse me the 30 of the incidences coming in are questionable it could be a kid that is uh mad because their girlfriend broke up with them and they feel really poor and you know they're complaining about to their friends or they're going to harm somebody and then the pss which is 168 instances since january 1st those are ones that are imminent threats for instance somebody's saying that they're going to come into the school and blow it up or somebody's saying that you know i've had it this covid thing's driving me
crazy i'm going to just hang myself excuse me i don't have covid by the way so 168 incidences came in that's 24 by 7. so what we have is we have a methodology in place right now where those type of incidents comes in they're immediately notified to our security desk which is a ul approved security center who then contacts one either the principal or a person that's on duty at night and you know for instance if we get something in where there's a student that wants to harm themselves we're going to actually send a wellness call with the sheriff's office over to their house and it doesn't matter what time or day it comes in a lot of times mom and dad
doesn't know the kid's using their computer at 2 am till the police knock on the front door so we had about 168 of those that we had to deal with for now i will say that in the 30 of questionable content we can receive for instance students taking naked pictures of themselves and emailing it to other people we will capture those and we will remove them from google drive or email so they can't be distributed any further and then we notify the national center for missing and exploited children who then notifies the attorney general in the state who then notifies the greenville county sheriff so we are very aggressive on those type of images we don't want our students to
be sending them off to people but there are some that do so one of the things that since this is the issa we use a layered security model you know just kind of like the onion layer you got to peel everything back there are a lot of school districts in our state that do not have a layered security model they basically have their internet to their firewall to their network and that's it we have a lot deeper layers and i'll show them to you let's see here we go so we'll start from uh my right where the internet's coming in our internet connection is 10 10 gigabit bonded circuits so we have a hundred gigabytes of uh gigabits of of internet
coming into our network uh right now we're only using 20 gig of it but we have the ability to go up to 100 if we want to the u.s department of homeland security one of the fbi's fusion centers monitors all the traffic leaving our internet and coming into it and we'll tend to get like notifications from them if they're detecting large amounts of data going over to north korea or iraq or iran or so they'll actually send us an email saying hey this is homeland we've got an issue and we're seeing this and you guys need to take a look deeper into it we don't really get maybe once one notification for them every three or four years
uh the firewalls that we use uh are really good at at throttling back and alerting to us on when large amounts of data is leaving the network that's kind of unusual so we go from our firewalls to our gateways you can consider these proxy servers we use dansguardian proxy servers we have a cluster of 24 of them and i'll explain before i leave this why we use those proxy servers they do handle outbound stuff but they also handle inbound stuff then we have our web filtering which we consider our web access filters we use the barracuda web access filters to front end all of our servers and mitigate things such as sql server injections
so we have what we call we have a school of fish here between the school of fish and our proxy servers we have a device in there that the south carolina information sharing and analysis center monitors and again it's looking for any kind of unusual traffic that's leaving our network and they too will send us an email saying that you have an issue but again we haven't heard from them in three or four years and then from there we we drop into our vlans so we have multiple vlans on the network we have a guest network which is of course is wide open no password you can get to it from any school so you know and and we had that in there
for the byod initiative several years ago that anybody could bring their own device in and connect to our network and go so there's no antivirus there's risk of malware there's risk of viruses the guest network actually the vlan terminates in a palo alto firewall and then that firewall goes over to our primary firewall so we're firewalled at twice the guest network so if you're on the guest network you do not see any of our servers you do not see any of our vmware clusters or anything like that you just basically get the internet student network is a little bit higher risk we have we do updates and passwords and we have antivirus on them but the
student network is actually further broken down into three different networks so we have age based networks so the guest network wide open but you're limited to where you can get to the student network depending upon your age you could be an elementary student a middle student or a high school student and each one of those goes through a different filtering set so as you move up into high school you have less filtering than you had at middle and you had at elementary and that has to do a lot with the coppa law the children's online privacy protection act which says you can only anybody under the age of 13 has to be kind of like
really filtered out there so nobody steals their data staff network's also filtered it has its own set of rules as well and these are all separate vlans that plug into the different systems so there's there's some uh ingress and egress filters going on between the two of the three different vlans now the reason i said that this is kind of like showing you what the outbound is i'm on the guest network i go out through the filters i'm getting filtered i go out through the different gateways proxy servers and the reason why we do proxy servers here is that our proxy servers and outbound traffic rewrite urls and so if you're going to google.com we're going to send you to
safesearch.google.com so even if you try to turn off restricted searching and everything like that it doesn't matter you're still going through the safe search at google.com same thing goes with bing and other search providers we send them through it as well as youtube if you type in youtube.com you're going through the education version of youtube and that's because uh our proxy servers are actually rewriting the urls now when we've sent everybody home with their computer what we've done is we've hard-coded the proxy servers in all of the chromebooks and laptops so when you're at home or at mcdonald's or panera it doesn't matter where you're at as soon as your device connects it goes through our proxy servers
so all the traffic is going to come from the outside in hit our proxy servers and then go back out through all the filtering and firewalls back out to the to the internet so the same filtering they get in the classroom is the same filtering to get home or anywhere else there's an internet connection uh it's same the same thing holds true for our buses we have 425 buses with wi-fi on it when that access point fires up it establishes a vpn tunnel back to our network and goes out through our firewalls so it doesn't matter if you're using a district computer or your personal phone you're still going through all of our filtering systems
so a lot of people ask about our data centers i've had a lot of questions about it originally we were looking at basically outboarding our data centers to other facilities but then we ran into some breaches and issues associated with servers and so what we did is we pulled everything back in house and and then and put them in one two central locations so where i'm at is this bottom picture here where it says primary data centers mt anderson support center if you've ever been in our schools they're built like a fortress you know i'm in an office right now that my walls are concrete blocked reinforced with rebar and filled with concrete and i've got t
beams above my head that will support that supports a whole second story that's pretty much our data centers the same way in in both facilities it's just they're built like brick houses it's just not going anywhere so primary data center is at mt anderson support center the secondary is downtown at the central office both are connected via dark fiber and both sync at the same time so we have clusters of cisco call managers clusters of sql servers clusters of web servers and the clusters are are geographically diverse i mean you have half the cluster at the central office and the other half of the cluster here and then we have a third facility that we can bring online that's outside
of south carolina we've contracted with both aws and google cloud and so we can spin up virtual machines whenever we need to do it have we ever used it no do we test our um data centers yes uh every even year mt anderson's tested every odd year the central office is tested so that and we've also taken them both down at the same time we've had duke power pull one leg of power to our building instead of both legs to see how our generators work and so we do a lot of disaster recovery testing with our data centers we've never had to call the third center but we can if we have to so what we did is is i kind of give you
a little history of greenville county schools it's a rather large enterprise and there was a proviso which is kind of like a law for us that came out in 2016 that said that all public sub divisions and we're considered a public subdivision must have an information security management system that is either equal to or greater to the state's department administration's isms however they never told us what theirs was so we decided to we would look at nist look at this and we went with this one just because we were looking for a risk management based uh isms and uh you know understandably if you try to do a vulnerability scan of our schools they're so dynamic
they change every minute that it's almost impossible to do a vulnerability scan at a school because you've got kids coming and going and they're bringing their computers in and everything the only thing you can do is vulnerability scan their you know the hard equipment like the switches and the racks and stuff like that but you just you just don't have the opportunity to do it and in some cases some schools there's over 4 000 devices just in the school so we wanted to look for a more risk based management system so here's our timeline now it takes you might have a hard time seeing it i'll go through one in 2008 we added an i.t governance section to
our technology plan now we're required by the federal government and the state government to have a technology plan that doesn't exceed five years and that's tied to some substantial funding coming from the feds and so well we've got to have a technology plan so in 2008 we added i.t governance to it in 2012 we did a presentation to the board our board of trustees on the merits of getting this iso certification and we compared it within this certification in the other industry standard certifications at the time then in 2013 we added it to goal three of our strategic education plan that we were going to get our certification 2014 we started training we our uh our security staff received their
lead auditor certification for iso 27001 in 2015 we uh passed an audit on processes and procedures and this is like do you have a continuity of operations plan do you have a business continuity plan do you have a disaster recovery plan do you have processes and procedures for like encrypting computers for uh determining which usb drives people can have and use and so we passed that in 2015 like i said 2016 the state mandated that public subdivisions are required to have an isms 2017 we had our first management review meeting and internal audits so our internal auditing team started auditing 2018 internal auditors received more training and then we had another management review meeting where we were
talking about incidences and continuous improvement processes 2019 we presented to the board to seek our formal certification and then in 2020 in the middle of a pandemic we had two internal audits the first of the year and then we had a phase one audit for certification in july and a phase 2 audit in august and we passed both of those with zero non-conformances so basically we received our certification in september which as you know is good for like three years and you have to do all this other kind of stuff between now and three years so one of the reasons that we like this certification we like it a lot is that we're required to be to follow a
slew of regulations you know hipaa's one uh regulation that everybody is kind of aware of ferpa is the family educational rights and privacy act it requires us to protect our data and what data they considered pii and what data they don't consider pii then we have protecting kids privacy online with coppa which is again children's online privacy protection act and then the fcc has the children's internet protection act and then there's another one called the neighborhood children's internet protection act and then we have a whole bunch of titles that we have to deal with and then we have the office of civil rights the americans with disabilities act so what's really nice is a lot of these
organizations will sit there and send you this huge questionnaire that you have to fill out or you just send them your certificate and that's kind of what we do these days so it takes it actually reduces the time and resources that we have to expend on third-party audits even our financial auditors when they come in we show them that we're certified and usually they just ask a couple questions and walk away one of the nice things is and i think that you'll hear this from a lot of different folks and i think it might have been mentioned about getting senior staff involved in tabletop exercises in order to get this type of certification you need those people involved in the
process and what i mean by involved i mean i don't mean here's a table top exercise so that you can understand what i'm doing no here's stuff that you have to do and as a good example our superintendent actually created our training videos to tell everybody what they're responsible for when it comes with uh with regards to cyber and data security and data security even covers you know you have to have a clean desk policy and so he did a great video on it we've had support of our board of trustees all the way down to our finance our hr our academics departments transportation food nutrition everybody got on board department heads from every department
are on the management review meeting uh committee and it's important that you have that buy-in because receiving these certifications regardless of which one you have for information security requires work from everybody i mean i'm not the one that's getting phishing attacks that's a principal at a school and so they're involved as well and that was what really helped a lot was getting that buy-in so a lot of hard work was completed to get this certification process we had to develop high-level policies so if you go online and look at greenville county schools and go into the board of trustees there is actually a board rule called efe a board policy called efe which talks about
this isms system which goes down to a board rule efe which is where the administrators get involved and define more rules and then it actually goes down into the high-level policies that we've had to create it we had to create so high-level policies is important incident response plan uh we have an incident response plan that's very detailed and then covers all kinds of incidences from your cyber security instances all the way down to your bomb threats or student instances it has contact information who are you going to call what you're going to do what documentation is going to be provided um ethical components to it like you know whoever's working on this is not going to share it with anybody
uh you know we we do have some man-state mandated reporting for instance if i see child pornography i'm reported directly to law enforcement without going through my administration so a lot of that's defined in this incident response plan uh information security and contracts we dealt with our procurement department and went through every single contract template that they had and changed them all to have information security as a key critical component to it especially in breach notifications you know breach notifications for a district our size is costly the stamps alone to mail out seventy five thousand envelopes is thirty five thousand dollars so it can cost a lot of money to just go ahead and notify people that
we've had a breach or one of our providers has had a breach we developed information security policies we developed a we've had a disaster recovery plan for over 13 years but the disaster recovery plan is more than a document now it actually works uh which is kind of important these days for instance in there it says that backup tapes are great but you need to test them every month to make sure you can recover your data a lot of times we've seen companies where they've tried to restore data and it's the tape doesn't work but the backup completed successfully so we do testing of every two weeks of our backup tapes make sure we can
restore from them and in content management you've got to have a place where all this content is going all these policies procedures regulations rules laws and so we had to implement a content management system as well so some of the lessons learned during this process uh you know again consider implementing an isms but pick a standard that has top-down management support involvement that's very important that you start at the top and work your way down also because we've had many breaches uh consider providing identity theft coverage as a standard benefit okay so a lot of times when we have a breach and there's been breaches where we have had no control like we've sent a csv file to a vendor
they've signed a contract with us saying they would protect their data our data gets out in the wild and we're responsible according to state law to handle notifications not them so you know a lot of times we'll provide identity theft insurance to the individuals that have been breached now you know i think you all are aware that a breach doesn't necessarily mean the data's been used so a lot of times when we have breaches the data has never been used encrypt everything laptops flash drives portable storage cell phones mobile devices tablets data in transit this is very important we've had a couple cases long time ago where a flash drive was found in the parking lot and ended up having student
data on it so now our flash drives are fips level four and require biometric entry just to use it and that's the only flash drive an employee's allowed to use with student or staff data on it the same thing goes with laptops we've had many laptops stolen out of people's cars the good thing is is there's a lot less heartache when you tell the superintendent that the laptop was encrypted and nobody can get into it without the person's credentials it just makes it a lot easier change passwords frequently this was really really really hard to do in a school district but we finally got around to doing it we are using complex passwords and we're changing them frequently
i don't necessarily believe in complex passwords i still think they can be broken into easily so all of our administrator accounts are two-factor authentication and require a fido key to get into those accounts so you have to have something with you to get into those oh the biggest thing i'm you know my background's i.t my security people our backgrounds are like law enforcement and security hire a technical writer if you're going to do this because it is a boatload of documentation that you have to write and so that's one of the things that we did is we hired a technical writer we hired a risk manager to to handle those things um and then awareness awareness awareness
it's a critical component no matter how good your firewall is no matter how good your policies and procedures are you're still going to have that one person that clicks the link and enters their username and password on a fake screen and next thing you know their google account's compromised and sending spam to the world so awareness awareness awareness is critical and that's why we have at least 200 training sessions a year with all of our employees even our students saying that you watch out for this watch out for this and this is a new attack vector this is called spear phishing that if anybody asks you for a credit card or anybody asks you for money
disregard who it came from and call them on the phone because that's kind of uh critical and so i'm open to some questions
so how supportive is the i.t group in implementing this policy um i will say that there's been some hesitation and it's not the kind of hesitation you think basically the hesitation is because of the length of time it adds all right if you've got a development group and i have a development group and a development group is trying to deliver a product on wednesday of next week but you make them go through a comprehensive website scan okay vulnerability scan and that scan takes two days to execute you know there's there's hesitation in that area can't we speed it up can't we just bypass that step and the answer is no and no and so uh we have to actually build
that into our timelines now especially if you're doing like a prototype because when a prototype launches we run a web scan against it and then when we go into live production we we run a web scan against it and any updates that people make we ran we run uh website scans against it and yeah there's there's some hesitation in that area uh there's also some hesitation in some of the areas where i want to use my own thumb drive i don't want to have to use a biometric thumb drive but i i think after a while and after you just keep saying no and they have to keep doing these things that they build a tolerance to it and they
just do it it's just become second nature now to them they understand in development that we're going to have to run a website scan against your code that's all there is now so initially there was some hesitation and but it's actually done very well and it was no would you shock me bill trent sorry i was just going to ask you i know that some of the stuff you can't share but are you willing to share the non-proprietary information with this group i can um what type of non-proprietary information oh really the steps that you all went through for your iso more than more than i'm not as much interested in the the network topology but the stuff
that you actually went through lessons learned that kind of stuff that's yeah i mean i mean uh some of the things that we've been written up on in regard to the iso now you know i told you the audit had zero non-conformances right well prior to that audit we were doing internal audits okay and the internal audits are the ones that caught some of the stuff that of course the external caught like for instance we had 40 tapes sitting on the floor in our data center and we got written up on that because they should have been moved to our safe over at another okay facility and and you know we got written up on
that there's other things that we should have had a policy or procedure for this we were written up on that uh people having confidential data on their desk resulted in a cip continuous improvement process write-up and resulted in the clean desk policy okay so there are uh quite a few things that we discovered initially that that never made it to that final audit because we addressed them but the final audit looked at all of our continuous improvement process documentation and saw all those issues so we weren't hiding from them that left 40 tapes in the data center they saw it okay they just saw that we actually created a process to address that and then we
addressed it and so it was considered you know and that i think that was the nice thing about this whole thing is is uh one of the things we got written up on one is is we use palo alto so we have some i think they're 50 5280s but we have a panorama box that basically all the palo altos dropped their log files into and what it ended up happening is as we increase the number of students doing remote work our log files were exceeding were well we're real large and our amount of storage time decreased from six months to three months well in our policy we said we had six months worth of storage
so we ended up having to upgrade our panoramas to meet whatever was that we said we would have and so but even then panoramas can't the panorama box just can't keep up it's just way too much traffic coming in thank you anybody else bill how much time would you say that you are saving and responding to um auditors and third parties now that you have an iso certification i would say it's hours and hours uh first off we'll let you know that we don't go through one audit a year okay when we close our books financially we go through an audit then we have the pci dss audits because we do you know there are some
schools that collect credit card information so we have to be pci dss compliant then we have federal auditors coming in from usac which is uh i can't even remember their name but it's the fcc's e-rate program where we get federal money we get millions of dollars a year and we have auditors coming in from them auditing as well and what really helps us time wise is spending two or three hours filling out a questionnaire have you done vulnerability checks do you have a policy for vulnerability checks you know if you say no i don't have a policy well you better start writing one because they're gonna want it all right so then what we do is we just
pull that policy for vulnerability checks out of our iso stuff and give it to them so it's kind of like all that documentation that we would have been requested for during an audit we now have and don't have to generate that's really helpful any others
anybody else and i will say it's not an eight to five job just so you know most most uh security jobs aren't yeah well i know you guys know it but you know my parents think we just work eight to five yeah right and even then we don't work much right okay so trent says will i share part of this deck i'll show the whole deck the whole deck's been scrubbed there's nothing in there that's confidential okay great and actually somebody did did ask would you mind if we posted this uh to youtube in our uh isa chapter uh section no i wouldn't mind okay i appreciate that i meant to ask you that ahead of time but i usually
end up sending the email after the fact so i really appreciate you for uh coming and sharing i think everybody really found it interesting and uh as a grandparent of a student in the greenville county school system i appreciate all the uh work that you do so yeah thank you very much and uh thanks for everybody for coming and then uh we'll see you next month and talk about uh cyber security from the executive perspective and how it fits into the big picture of the business thanks again bill thanks everybody all right take care