The ISO 27001 Certification Journey: An Interview with Sam Fisher

Posted by Sophie Costello on 29/06/2021 11:00:23 AM

The evolution of technology has undeniably changed the way that schools function, with Edtech becoming more intricately entwined throughout all operations as time goes on. 

Processes that once would have taken hours or days to complete can now be achieved at the click of a button, and the advancements in web-based systems for almost every facet of school activity have all but eliminated the need for physical records and haphazard paper files.

But whilst schools now consider their systems and hardware as critical to their day-to-day functions, they also acknowledge that these advancements have introduced a variety of security concerns and risks that were unheard of even just a decade or two ago. 

From ransomware attacks to data breaches, information security issues can have a major impact on daily operations and reputation, presenting a very real threat to schools around the world. 

When assessing these threats, each school must look not only at itself and what it is doing internally, but also at threats that can arise outside of the school’s control, such as vendors, to ensure that they have also done their due diligence in protecting your interests.

For TASS, our recent ISO 27001 certification has made us look at our business from the ground up, providing another level of assurance for both our customers and team. 

In this month’s blog, we spoke to Sam Fisher, Chief Technology Officer and Information Security Leader at TASS, about our recent ISO 27001 Certification, what the process looked like and what it means for our customers. 

 

What is ISO 27001?  

Sam:  ISO 27001 is the global standard for Information Security Management Systems, but it's not a prescriptive list of instructions or commands. Every business is different, and the ISO 27001 approach allowed us to implement controls that were actually relevant to our business - first identifying any risks to the company and working backwards from there.  

This risk-based approach means that our information security activities target the actual risks and threats we could face, rather than solving problems that we don't and won't have. In a practical sense, ISO 27001 asks businesses to consider: 

    • What are the risks you'll face?  
    • How do you treat or address these? (This forms the basis for your controls)  
    • How do you manage these controls? 
    • How will you measure the success of these controls? 

Once you have controls in place, these form part of a feedback loop that asks businesses to proactively monitor and track their success, to ensure that these controls address what they're supposed to and aren't causing more problems than they solve. 

 

Why did we decide to undertake certification? 

Given the industry that we're in, we've always had strict expectations for information security. We know our customers expect us to handle their sensitive data as securely as possible, and that each school has stakeholders that expect the same - from staff and parents to the ATO and other organisations.  

The advantage of ISO 27001 compliance is that it ensures certified organisations are managing risks the same way, to the same standard. This creates a closed loop of compliance, ensuring consistency across other vendors like AWS (Amazon Web Services), used for our Cloud Hosting Services, and aligning TASS with relevant security legislation like the Privacy Act.

Ultimately, it was an opportunity for us to reflect on and improve our business - so we know that we're doing the best we can to manage risks. 

 

What does being ISO 27001 certified mean for our customers?  

Fundamentally, it's a demonstration of our commitment to managing information security risks for our business, our products and our customers.  

Though we've always been big on information security, and spoken about it several times, it's nice to prove that we're not just saying this - we've been externally audited and deemed compliant with a globally recognised standard.

 

What are the major steps to getting certified? 

    1. Our first step was to identify any risks to the business and establish how each risk relates to individual controls/points in the ISO 27001 standards.
    2. Secondly, we needed to create a 'statement of applicability', which goes through which items from the standards we felt were relevant to the business, and justifies their inclusion/exclusion. For items that were included, we also needed to detail what controls were in place to address the identified risks.
      • This meant demonstrating that we were taking real action, not just writing a document - we needed to prove that policies and procedures were actually being followed.
    3. The third step was for the business to undergo an external audit process, which is split into two stages. At the end of each stage, we received a pass or fail response with auditor comments and a list of things to address.
    4. Finally, once the auditors were satisfied that we were complying with the standards, we were notified that we had achieved certification. This remains current for three years, after which we are required to renew our certification.  

What kind of changes or adjustments did we have to make to ensure compliance?  

One of the biggest things that came out of this was improving the rigour with which we make changes. As an IT person, it's tempting to jump straight into ITSM (IT Service Management), but information security is much broader than that. Things like locked doors and clean desk policies are non-technical but also play an important part in reducing risk.

This meant we had to think about the scale, impact and associated risks of every decision; we couldn't just go off and do whatever we wanted. Instead, decisions had to involve the collective management team. 

  

What was the most challenging part of the process? Is there anything surprising or unexpected that stands out?  

Time. It takes a lot of time, focus and a particular skill set, to apply what is quite a technical standard. Making assessments on how things apply to the business, where the risks sit, and how we should assess and implement controls is quite a tricky and time-consuming process, especially when it comes to the more technical aspects of information security. 

Internally, people were surprised by the controls that focus on staff competency. This made sense considering that people generally are the biggest weak link - clicking on suspicious links in emails or forgetting to follow rules can have severe consequences across the business. 

As a result of this, we reviewed the processes we use to hire staff, to make sure that we're formally assessing and carefully managing the recruitment process, and added additional checks regarding information security. 

   

What does the future look like - how are we managing ongoing changes and new threats/risks?  

Now that we're certified and have a dedicated Information Security Leader, our job is to make sure that we're proactive in identifying and mitigating risks. In terms of our day-to-day, we're making sure that we manage and resolve any issues as a team. We'll continue to track and maintain a register for known risks and issues, with the management team meeting regularly to review these and ensure we're all up to speed. 

We'll also be looking outside the business - obviously continuing to undergo external audits to ensure we're compliant but also contracting external services like penetration testing. 

 

What has been a key learning for you? Do you have any advice that you would offer schools? 

The journey was incredibly eye-opening - it's interesting to align yourself with what's considered the gold standard in information security and have the actual structure to back up information security management differently than I would have done before. 

Becoming compliant is a huge journey, a big investment and a long-term commitment. What is really valuable about the standard (or any security standard) is that it gives you a place to start, and even if you don't choose to get certified, it's a great way to discover blind spots or things you hadn't thought about before. 

It's good to get into that mindset of continual review and improvement - risks evolve, and you need to make sure that no matter what you're doing, you're thinking about this consistently, not becoming stagnant or complacent. 

  

Thank you to Sam Fisher for sharing his insights on the ISO 27001 journey. 

 

Topics: IT, TASS News
