GDPR and third party solutions

I have previously written about third-party cyber risk in relation to data protection and GDPR, but I think it warrants a little further discussion. To start, I will state what I believe is the key message:

Using a third-party system in your school, such as a cloud-hosted MIS or learning platform, doesn't mean that data security and data protection aren't your problem. It's still your data, and although the third party might be processing it for you, you are still the controller. You are still responsible for the data and for ensuring that adequate security measures are in place, and that you can prove they are in place, or at least have received reasonable assurances that they are.

There is also a second key point which I feel needs making: cyber security and data protection decisions should always use a risk-based approach. The approach and level of detail required in an impact assessment for a learning tool where student email addresses are the only personal information, and for a school management system containing name, address, medical, academic, pastoral and other personal data, are totally different. The greater the risk, the greater the time and effort required to ensure that an appropriate assessment and appropriate decision-making have taken place.

So, let's take two different scenarios and look at them. The first scenario is a good old cloud-hosted solution, while the second is the one which is often overlooked: a locally hosted solution using a third-party product.

A cloud hosted solution

I feel this is the more accepted and therefore easier of the two scenarios. Here we have a school using, for example, a cloud-hosted MIS. The data is held on hardware outside the school on a third-party platform. The school must therefore ask a number of questions relating to how the third party keeps data secure, how it will provide the data in the event the school requests it, and how the data will be deleted should the school cease using the service, to list just a few. Most of this information will be outlined in the terms and conditions or in any contract which was signed, so it is relatively easy to obtain. There will also be questions about how the third party tests its security through penetration and/or vulnerability testing, as well as what its process is should a data breach occur. I often ask vendors to confirm when their last penetration test took place and, for higher-risk systems, ask them to provide a summary of findings. The answers to the above questions will help the school to establish a view on the risk associated with the platform and to document that appropriate consideration of cyber security and data protection has taken place.

A locally hosted solution

This is, I feel, the more difficult scenario. The third-party platform is hosted on the school's own network and hardware, and therefore the security of the platform can be directly affected by the school's own configuration decisions. The school should therefore ideally be conducting regular penetration testing to check the security of the infrastructure on which the third-party solution sits. The issue here is that some third parties believe that, at this point, the security of the data is entirely down to the school, as the school controls the network and its setup. This is the kind of response I have received from a number of solution vendors only recently. To a point they are correct, but only to a point. The network should be constructed with "privacy by design" in mind, so that it is developed with security always in view, but the network infrastructure is only half the solution.

The other half is the third-party software. It too should have been developed with "privacy by design" at the forefront of thinking, and it is for schools to question whether this is the case. For me, this means asking how the company approaches checking its application for vulnerabilities. This should ideally involve a proactive search for vulnerabilities, including vulnerability assessments or bug bounty programmes. There is also the acceptance that the discovery of vulnerabilities should be treated as a "when" rather than an "if". As such, companies should be able to demonstrate that they have a plan in place for when a vulnerability is identified in their platform. This plan should involve notifying clients in a timely fashion. On timeliness, I think it is important to consider the ICO's requirement to report data breaches within 72 hours, so it would be preferable that disclosure happens sooner, ideally within 24 hours, rather than later. It is this vulnerability notification process which I often find to be particularly lacking in third-party vendors supplying solutions to schools.

As schools take on more and more third-party solutions, and as more and more of these solutions are integrated and communicate with each other, the cyber security and data protection risk related to third parties only increases. Schools therefore need to ensure that this is carefully considered and that they have taken all reasonable measures to keep their own data, and that of the students, staff and parents connected to the school, secure. An easy starting point is to contact third parties and ask some of the questions listed in this post.

Author: Gary Henderson

Gary Henderson is currently the Director of IT in an independent school in the UK. Prior to this he worked as the Head of Learning Technologies, working with public and private schools across the Middle East. This included leading the planning and development of IT within a number of new schools opening in the UAE. As a trained teacher with over 15 years working in education, his experience includes UK state secondary schools, further education and higher education, as well as experience of various international schools teaching various curricula. This has led him to present at a number of educational conferences in the UK and Middle East.