Formalizing K-12 Cybersecurity Policies in Less Time
Cityscape Schools is a public charter school district in Texas that consists of three campuses, serves 1,300 students, and employs 180 staff members. As its mission, Cityscape partners with families to help children and young people maximize their impact in life and society. Cityscape provides a curriculum that focuses on communication skills, workforce readiness, and more.
We sat down with Brock Boggs, Director of Technology at Cityscape. When Brock joined the school district in 2018, he didn't have a cybersecurity background. He came aboard with 16 years of hands-on experience providing desktop, help desk, and IT support for K-12 school districts. His initial task was to build out an IT team, which consisted of only a network admin when he started. Today, Brock's duties include short- and long-term planning, overseeing team support, IT services, policy writing, and K-12 cybersecurity functions. (Cityscape doesn't have a Chief Information Security Officer or Director of Security.) Brock also works with other departments to help them meet their goals through technology.
During our conversation, Brock told us how a CIS SecureSuite® Membership, particularly the pro version of our CIS Configuration Assessment Tool (CIS-CAT® Pro), helped him solve some of Cityscape's business challenges. Let’s examine the way in which this happened below.
The Challenge: Establish K-12 Cybersecurity Policies Despite Budget and Staffing Constraints
A couple of years into his employment at Cityscape Schools, Brock began to consider adopting a cybersecurity program to protect the district's environment, which consists of 125 Microsoft Windows workstations and six servers. Then the COVID-19 pandemic happened. In response, Brock and his team pivoted to support students with remote learning options, delaying this project until 2022.
Two events helped to rekindle interest in a cybersecurity program for Cityscape. First, the passage of Texas Senate Bill 820 (SB-820), legislation which requires public schools in Texas to follow a cybersecurity framework, highlighted an opportunity for the district to adopt cybersecurity policies of its own despite the fact that Cityscape is a charter school and not affected by the Bill. Second, after learning of a cybersecurity incident at a neighboring school district, Cityscape's superintendent approached Brock about strengthening the district's cybersecurity posture. The superintendent specifically expressed interest in hiring more IT personnel, investing in training, and deploying software to harden Cityscape's cyber defenses.
Brock went online and started doing research. He found the Center for Internet Security® (CIS®) while looking through documentation. After reading up on CIS security best practices, he signed up to receive more information.
In the meantime, the superintendent approved a budget allowance to expand the IT team. Brock hired two individuals to provide desktop support, freeing him up from his daily support duties and helping him to focus on his other job responsibilities, including cybersecurity policies and hardening.
Cityscape also used some budget to undergo a cyber risk assessment. The district began by reaching out to the Region 10 Education Service Center, which connected Cityscape with a company specializing in cyber risk assessments. Several meetings and $8,000 later, the district received its first cyber risk assessment tied to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
The 100-page assessment listed everything Cityscape needed to fix. But without cybersecurity backgrounds, Brock and his team didn't know where to start. He spent half a day researching online and found an IT policy manual that tied back to NIST Special Publication (SP) 800-53. Using this document as a guidepost, Brock spent the next six months drafting up a customized IT policy manual as well as analyzing what protections were needed. He informed his superintendent that the district would need to invest $60K-$80K to secure only the most vulnerable areas highlighted in the cyber risk assessment – a non-starter for his superintendent. Even then, Brock and his team still didn't know where to start and how to prioritize the other findings of the cyber risk assessment.
The Solution – Part 1: Simplifying Secure Configurations with CIS-CAT Pro
Around the time that Brock finished writing up his IT policy manual, he remembered that he had stumbled upon CIS and signed Cityscape up to be a member of the Multi-State Information Sharing and Analysis Center® (MS-ISAC®). He gained even more exposure to CIS and the MS-ISAC when he attended a cybersecurity conference in Austin. This event gave him direction on how he could use the CIS Critical Security Controls® (CIS Controls®) to harden the district's cybersecurity posture.
After his experience in Austin, Brock decided to sit in on a CIS training for CIS-CAT Pro. He was impressed by the tool's ability to deliver actionable results quickly and how this functionality ties into hardening, which was one of his priorities at the time. Brock therefore reached out to CIS and asked to receive access to CIS-CAT Pro. His account manager set him up with a CIS SecureSuite Membership, which cost Cityscape nothing through its membership to the MS-ISAC.
Brock leveraged Cityscape's SecureSuite Membership to attend a webinar with about CIS-CAT Pro Dashboard v3. During the webinar, the presenter invited attendees to a future one-on-one discussion about CIS-CAT. Brock wanted to find out more about CIS-CAT, cybersecurity policies, and hardening, so he responded to the message. Not long after that, Brock began working with the CIS team to fulfill Cityscape's needs.
Over the course of the next four months, Brock and the CIS team met every 2-3 weeks to talk through topics related to CIS-CAT Pro and come up with tasks for Brock to take back. He began by downloading CIS-CAT Assessor v4 and running it on his Microsoft Windows 10 work computer. This initial scan returned a score of 26%, which is common when Members first analyze their systems' configurations against the security recommendations of the CIS Benchmarks™. After saving the scan, Brock created a list of all the failures and went through them one by one. He finished his baseline policy in just a few hours, at which point he created a Group Policy Object (GPO) and pushed it to his machine. Soon afterward, he conducted a beta test for 10 machines across the district's three schools, an exercise which led to further monitoring and adjustment before he pushed the GPO out to production. The CIS team captured Brock's configuration health journey and prepared a presentation with him to share during a meeting of the MS-ISAC K-12 Working Group.
The K-12 school district presentation in June 2023 was very impactful to attendees. Based on this success, the MS-ISAC team extended an invitation to Brock to present to a broader audience at the 2023 MS-ISAC Annual Meeting in August 2023. He found the conference to be emblematic of the support he had received from CIS and the MS-ISAC.
"I've never encountered an organization so willing to try and walk you through something," he told us. "CIS and the MS-ISAC gave me a start-to-finish idea of how to take one of the major pieces out of a Control Group and bring it around to system hardening. I was looking for someone who had a product, yes, but I knew that the product itself wasn't the solution. I was looking for support to see these things all the way through. CIS and the MS-ISAC gave me that."
Want to learn how to use CIS-CAT Pro to speed policy to implementation at your organization? Check out our video below.
The Solution – Part 2: Deepening Cybersecurity Focus with Other CIS Products and Services
CIS-CAT Pro was a launchpad for Cityscape to advance its cybersecurity journey using additional CIS products and services. Here are just a few that Brock and his team used to strengthen the district's cybersecurity posture even further.
Enhancing Custom IT Policy Manual with CIS-Hosted CSAT
After his session at the 2023 MS-ISAC Annual Conference, Brock attended a session on the CIS Controls Self Assessment Tool (CSAT), a tool which is designed to help you track and prioritize your implementation efforts of the Controls. Following the session, he resolved to use CIS CSAT to take another look at his IT policy manual.
Brock began by downloading all the policy templates available through the Controls v8 resources. He used them as references to revise what he did in the first version of his IT policy manual. Additionally, he used CIS-hosted CSAT to start scoring with the Controls.
"What's really great about the downloadable Controls PDF is that it gives you definitions," Brock explained. "This is really helpful when you don't have a deep background in cybersecurity. The same goes for how the document identifies low- and no-cost CIS tools that you can use to achieve each of the Controls. It made the process so easy."
In late 2023, Brock held a meeting with his superintendent about bringing his updated IT policy manual before the School Board for approval. His superintendent knew that he had partnered with us on revising Cityscape's IT policy manual, among other projects. He therefore supported Brock's decision in moving forward.
On January 19, 2024, Cityscape's School Board approved Brock's IT policy manual.
Quick Incident Response and Mitigation with the CIS Security Operations Center
At one point, Brock learned of a security incident affecting one of Cityscape's endpoints. The district's endpoint protection service notified his team that a cyber threat actor had created a backdoor on an unpatched Apache server used for access control. Cityscape didn't have a managed security service at that time; all Brock had was an incident response manual. That's when he remembered he had an email from the MS-ISAC about the 24x7x365 CIS Security Operations Center (SOC). He reached out to the CIS SOC, and within minutes, he started working with CIS experts to address the incident. It took under an hour to remove the backdoor and remediate.
"Priceless" Support from the CIS Team
Brock expressed deep gratitude to everyone on CIS's team who helped him strengthen Cityscape Schools' cybersecurity posture to where it is today.
"I'm blessed to have worked with Maureen, Kim, Kelly, Dave, and all the other people at CIS," he explained. "I've worked with a lot of vendors; CIS stands out because of its interest to hear about our experiences. We would not be in the posture we are today without the help of the CIS team. There's no price tag or number that I could place on what their support means to me, both personally and professionally. It's priceless."
The Impact: Time Savings and Plans to Expand K-12 Cybersecurity Maturity
Early Accomplishments
In just eight hours, Brock and his team used CIS-CAT Pro to increase Cityscape's conformance score for the CIS Windows 10 Benchmark from 26% to 91%. This experience informed his subsequent hardening efforts. They increased the conformance score against the CIS Benchmark for Microsoft Windows Server 2022 from 27% to 74% – all in just one hour. Part of their success was their ability to make decisions on initial failures using Benchmark information in 45 minutes. Brock and his team ultimately capitalized on this speed to implement completed hardened policies within two months.
The IT team at Cityscape didn't save time only through their use of CIS-CAT Pro. It was a similar story with CIS-hosted CSAT. In just 2-4 hours spread out over a couple of days, Brock went through the majority of the Controls for Implementation Group 1 (IG1). He had an idea of what he needed and where he needed to implement it to help Cityscape achieve essential cyber hygiene. Just a few weeks later and under 15 working hours in total, he completed a revised draft of a fully written IT policy manual aligned to the Controls vetted by his network admin. That's in contrast to the 100 personal working hours and six months he spent writing up the first version of the manual. In time savings alone, Brock estimates that CIS CSAT saved Cityscape approximately $4,000 on producing the updated manual.
Finally, Brock used his access to CIS products and services to communicate the impact of his team's security efforts to leadership.
Looking to the Future
Brock intends to formalize some of the processes he's established with the support of a CIS SecureSuite Membership. He's also looking to bring on other CIS products and services to increase Cityscape's cybersecurity maturity even further. Here's a look at a few of his plans:
- Build in quarterly or monthly CIS-CAT Pro scans and use the results to continue to refine the team's system-hardening efforts
- Conduct an assessment using the Business Impact Analysis tool
- Set up the Malicious Domain Blocking and Reporting (MDBR) service
- Investigate and deploy additional services in support of the approved IT policy manual
- Achieve his Certified Information Systems Security Professional (CISSP) certification
"Any organization that doesn't know where to get started with cybersecurity needs to reach out to CIS," Brock observed. "There's a direct value-add in the form of immediate, actionable resources that you can bring to your organization – especially if you're a K-12 district. I know thousands of K-12 cybersecurity professionals who were in the same boat as I was a year ago. To them, I'd say that CIS is perhaps the greatest un-tapped resource for IT and/or cybersecurity personnel in the K-12 sector."
Now It’s Your Turn!
Through the use of a CIS SecureSuite Membership, Cityscape Schools implemented a hardening policy for its workstations and saved its IT staff time so that they could enact other measures around email, cybersecurity scoring, and drafting a comprehensive IT policy manual.
Interested in learning how CIS SecureSuite can benefit your organization?