As schools gather their Teacher Assessed Grades (TAGs; we do like a good acronym in education), it got me thinking about cyber security.
The two potential key issues I see in relation to TAGs are:
- Loss of access: So, this could be deletion, ransomware or some other issue which means the school doesn’t have access to these important grades and therefore is unable to provide them to the relevant exam boards.
- Manipulation of grades: This would be an individual, internal or external, gaining access to the grade information and manipulating it either for someone’s benefit or simply to cause mischief.
For this post, let’s focus on loss of access: So, what measures can a school take?
The key mitigation measure for loss of access is backup. We need to ensure a backup is kept separate from the main systems on which the data is stored. So, if the data is being stored in the school’s Management Information System (MIS) then ideally there should be an exported copy stored in Office 365. By keeping it in a separate system, we hopefully avoid any potential issues which might result from a significant problem with the MIS followed by issues recovering the MIS from its own backup. As our data backup is in a separate system, we would be able to deal with this scenario.
Ideally, we also want to keep copies geographically separate, so maybe stored on a separate site or using a cloud-based solution. We may also choose to use a removable media solution to “airgap” our backup.
The key thing for me is that there is no one single solution. You need to consider the risk, the available mitigation options, and their cost, in terms of financial costs, time, staffing, difficulty/complexity, etc. and then decide what works for your school. For example, removable media may help in terms of air-gapping our backups, but it also would incur costs in terms of time to remove, replace and store the tapes/drives in use. If staffing is limited this may therefore be a less appealing option. It is also about avoiding reliance on a single process/solution. So, having tape backup as a single solution is unlikely to be sufficient. You should be layering the various backup options to arrive at a solution which is appropriate to your resources, your data, your finances, etc. while reducing the risk of any single point of failure.
The other point I think is important to make regarding backups is the need to test them. All too often the only time backups are tested is at the point when recovery is required due to an incident. It is at this point that we can least afford backups to fail. As such it is important to test backups to make sure they work as they should, that you are aware of the processes and aware of any potential pitfalls. By doing so, you can be reasonably assured that when you truly and urgently need them you will know what to do and can be confident in the likely success of recovery processes.
Coming up with your school’s solution to backup doesn’t need to be complex. It is about considering different scenarios and the mitigation options and then identifying what is right for your school based on its needs and its appetite for risk. As I have often commented, it is all about risk management.