Fairfield schools cybersecurity audit: staff need more training
FAIRFIELD — A cybersecurity audit of the school district showed several areas that could use improvement, officials say.
The audit was conducted by Securance Consulting, which gave the department a B+, according to a presentation from Director of Information Technology Nancy Byrnes at Tuesday’s school board meeting.
She said one thing the audit found was that staffing and training are important components of making sure the district’s cybersecurity is up to task.
Byrnes said the district will look to hire a cybersecurity analyst, adding the department is requesting funding be included in the next budget. Additionally, she said more formal staff training is necessary to prevent phishing attacks and other types of breaches that could allow ransomeware to get into the district’s network — potentially costing the school system and town.
“We will be looking to acquire a formal training program that we will work with the administration to become mandated for all faculty and staff,” she said, noting students already have a rigorous, age-appropriate cybersecurity training. “This would be a little different. This would be more focused on our staff.”
Byrnes said the IT Department would look for better tools that allow the district to be more proactive, rather than reactive, in looking for anomalies — things going on in the network that don’t look or seem right. She said the tools will give the district an opportunity to identify possible issues early and deal with them ahead of time.
Another part of Byrnes’s report requested an increase in funding for existing IT staff members, who are non-bargaining employees, to keep their salaries competitive.
“Most of you are well aware of the competitive nature of technology jobs right now,” Byrnes said. “We want to be sure that we retain the best and the brightest — and we have some really great people working for us.”
Byrnes said creating a data governance board is a goal of the department, adding it would help create a more formal system of controls governing which departments are responsible for what systems. She said a lot those systems are already in place in an informal way.
“But it’s not universal,” she said. “The IT Department is very much in control of who has access to what is in our information systems. I don’t really feel that’s an appropriate use of our department. It should be someone in the instructional office, and potentially some other departments — special ed for example.”
Asked to characterize an overall assessment of the audit, Byrnes said it came back with good results.
“We didn’t have any major critical issues identified,” she said. “The other piece of it that I think was good for my engineer and I, is that we discovered we really knew what our weaknesses were. It allowed us to refocus on them, but we weren’t surprised by anything.”
Gloss