The Tech Office sets digital security as its highest priority. Here is a brief background document on our approach to digital security. Several of our services are directed toward helping our parishes and schools understand and address their security exposures. Please engage the Tech Office if you have any questions or concerns about parish or school security and the technology requirements you are facing.
Digital Security Policy
Safety and security are the top priority for the North Deanery Technology Office. This includes physical security systems as well as information security.
This policy addresses digital security, with a focus on two areas:
- Identity and access management
- Intrusion detection and prevention
We have identified these areas as having the greatest impact on reducing risk on our campuses today.
Identity and access management
Credential management for staff
- Use strong passwords, with a minimum of 9 characters. Eight-character passwords can now be cracked by criminals.
- Follow good practices for passwords; see this reference for password selection advice.
- Do not re-use passwords across multiple applications.
- Use random passwords offered by the operating system when you create a new account and store them in the OS keychain.
- Use OS keychain features to simplify password management: iOS, macOS, Windows, Chrome.
- Do not share your password with any other person.
- Do not record passwords on paper or digitally in clear text.
Credential management for students
- Follow good credential management in an age-appropriate way for students. The same principles apply, but schools may need to modify procedures to accommodate students’ capabilities.
- Use the built-in security features of student devices (e.g. iOS keychain on iPads, or Chrome password management) to help students manage their credentials. This is possible even for young students.
- Recognize our responsibility to teach young people good password management practices as an essential part of digital citizenship. This is a life skill they will use frequently.
- Avoid writing down student passwords. Avoid writing credentials on stickers. Never make the credentials visible on the device. Doing so teaches students poor password practices and creates opportunities for many kinds of classroom issues.
System Administrator Considerations
- Use a password vault (rather than the OS keychain) for cross-platform credential access when credential management must span multiple OS environments.
- Enforce password changes at 6-12-month intervals depending on system criticality.
- Two Factor Authentication (2FA) should be implemented in critical systems.
  - This feature must be enabled in the Google Suite for the school; it is not on by default in Google Suite for Education.
- Implement password self-reset capabilities so that users can change and recover their passwords by themselves.
Credential Management for System Administration Accounts
- Privileged access to all systems should be limited to a small number of people who are qualified to function as system administrators. Avoid providing privileged access to non-technical staff. Misuse of privileged access is a major security threat, whether intentional or unintentional.
- Administrative credentials should be well secured with strong passwords and two-factor authentication.
- Administrative credentials must be held by at least one Archdiocesan employee. Contractors should not be the only people with admin access to systems used on our campuses. The Tech Office can maintain these credentials on your behalf if you do not have local staff to manage this.
- In Google Suite, pay close attention to all accounts that have elevated privileges. Work to minimize these privileges. Be especially careful with super admin privileges in Google and other systems.
Intrusion detection and prevention
- Log off or lock the screen when leaving a computer, tablet, or mobile device unattended.
- Antivirus / Malware
  - All Windows and macOS computers should have AV/malware scanning enabled full-time.
  - Forticlient is our North Deanery standard for AV/malware scanning for all OS clients.
- Firewall
  - Strong firewall solutions are required for all Internet connections.
  - Fortigate is our North Deanery standard, integrated across deanery campuses into a single security infrastructure.
  - Minimize inbound connections to internal infrastructure through the firewall. This includes limiting open ports and services on an external IP address.
  - Use VPN with encryption for external access to LAN resources through the firewall.
- Content filtering
  - Content filtering must be in place for Internet traffic to schools.
  - Implement a solution that supports differential filtering for staff and student traffic.
  - Enable SSL inspection for content filtering of HTTPS traffic.
  - Review filtering policies annually with school administrators.
  - Use a security vendor service and category-based filtering to provide real-time identification of new threats. Your campus should have a subscription to a major vendor such as Fortinet Fortiguard to provide this service.
- Email scanning
  - Use strong solutions for email spam and malware filtering. Google Mail provides a reasonable starting point for this capability.