
How to protect your schools' data and ensure it's not vulnerable to attackers.

Nov 17, 2020 9:21:29 AM

Even before COVID, an organisation’s obligation to safeguard its data had never been greater. Not only do you have to collect, store, process and discard data in ways that are compliant with regulations, you also need to have strong information security policies and practices to protect your data from malicious or unauthorised use.

The protection of an organisation’s digital assets can best be described as a “numbers game”. The defenders of data assets must be right 100% of the time; the attackers only have to be right once. Expertise in the protection of data assets comes from mastering the basics of information security.

Some examples of these basics include, but aren’t limited to, patch management, multi-factor authentication, access and permission controls, backups, content filtering and monitoring, and so on.

However, the most challenging area to master for an organisation adopting and implementing data security controls is its people.

We can all agree the protection of data assets is challenging enough because of the fluid way data flows through an organisation’s network. This complexity stems mostly from the people operating and using data assets, not from the digital systems and security controls attempting to secure them. An organisation may have the most up-to-date and progressive policy in place to manage, protect and control data assets and, as described above, be a solid defender 100% of the time. However, it is the people in the organisation with low adherence to policy and to their respective roles and responsibilities for data security who expose the organisation’s digital network and data ecosystem to risk.

To give an organisation insight into the risk to its data assets throughout the information lifecycle, RTG has created an approach to assess current workflows and structures relating to data handling management. The Data Lifecycle & Management Review (“DLM”) ascertains the intent and effectiveness of organisational policy and process.

The DLM is based on a framework built around three domains, gathering input from stakeholders at multiple points and providing a clear picture of the strengths and gaps in the organisation’s data handling and records management practice:

[Figure: the three domains of the DLM framework]

  1. Policies and Practices: guidelines that outline expectations on what practices to adopt across each stage of the information lifecycle. 
  2. Systems and Applications: the systems and applications used to operationalise data assets and records.  
  3. Data & Records: either digital or paper-based, assets that are created to facilitate business-as-usual operations and objectives. 

Through this framework, RTG collects data from within your organisation that tells us how users create data, where it journeys from there, and what they do with it at the end of its life.

All organisations have preferred locations where data is created, whether that is a core system, O365 or Google, but once that data is created and saved its journey becomes less clear. Who is it shared with? Is it copied elsewhere? Is it converted to hard copy? And what happens to data that is moved outside that core system?

The chart below is an example of the typical data workflows RTG collected from a large independent school reviewed earlier this year. Whilst it is a complex, yet pretty-looking, visualisation, in this example we are looking at the volume of data or records shared via a particular application.

There is a lot to unpack in this data and the other data collected, but one example of what it revealed is in the far-right column that I have circled. The very large green box there shows that, when asked how records are deleted or destroyed, staff’s common answer is “I do not delete from my device”.

[Chart: data workflow volumes, with columns Data Type, Application Used, Data Duplication, Why Duplicate, Share Method and Delete Method]

This practice significantly increases data risk because of the potential for duplicated records, and significantly increases the risk of violating several privacy regulations, which could result in financial and reputational harm to the school should a regulating body investigate.
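To show how the kind of workflow responses summarised in the chart can be turned into the "volume shared per application" view and into concrete retention findings, here is an added example. It is not RTG's DLM tooling: the column names follow the chart, while the dataclass, the sample responses, the list of "never deleted" answers and the severity rule are all constructed for illustration.

```python
"""Aggregate data-workflow survey responses and flag end-of-life gaps.

Added illustration, not RTG's code. Field names mirror the chart columns;
everything else (records, answer wording, severity rule) is constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class WorkflowRecord:
    """One staff response, one field per column of the workflow chart."""
    data_type: str
    application_used: str
    data_duplication: bool
    why_duplicate: str
    share_method: str
    delete_method: str


# Constructed sample responses (illustrative only, not real survey data).
SAMPLE_RESPONSES = [
    WorkflowRecord("Student reports", "Student information system", True,
                   "Sent to parents", "Email attachment", "I do not delete from my device"),
    WorkflowRecord("Medical forms", "Google Drive", True,
                   "Printed for excursions", "Hard copy", "Shredded after excursion"),
    WorkflowRecord("Staff payroll", "Finance system", False,
                   "", "Not shared", "Archived per retention schedule"),
    WorkflowRecord("Assessment marks", "O365 / OneDrive", True,
                   "Copied to laptop for marking", "Shared link", "I do not delete from my device"),
    WorkflowRecord("Enrolment forms", "Student information system", False,
                   "", "Not shared", "Deleted after 7 years"),
    WorkflowRecord("Excursion permission slips", "Email", False,
                   "", "Email attachment", "Never"),
]

# Free-text answers that amount to "the record is never destroyed".
# Constructed wording; matched case-insensitively after trimming whitespace.
NO_DELETION_ANSWERS = {"i do not delete from my device", "never", "don't know"}


def _never_deleted(record: WorkflowRecord) -> bool:
    return record.delete_method.strip().lower() in NO_DELETION_ANSWERS


def share_volume_by_application(records) -> Counter:
    """Count responses per application, excluding data that is never shared.

    This is the 'volume shared via a particular application' view of the chart.
    """
    return Counter(r.application_used for r in records if r.share_method != "Not shared")


def delete_method_breakdown(records) -> Counter:
    """Count each delete-method answer so the dominant practice stands out."""
    return Counter(r.delete_method for r in records)


def retention_findings(records) -> list:
    """Flag records that are never deleted.

    Severity rule (constructed): a never-deleted record that has also been
    duplicated outside its source system is 'high', because there are now
    copies nobody governs; an undeleted single copy is 'medium'.
    """
    findings = []
    for r in records:
        if not _never_deleted(r):
            continue
        findings.append({
            "data_type": r.data_type,
            "application": r.application_used,
            "severity": "high" if r.data_duplication else "medium",
            "duplicated_because": r.why_duplicate or None,
        })
    return findings


if __name__ == "__main__":
    print("Shared via application:", dict(share_volume_by_application(SAMPLE_RESPONSES)))
    print("Delete methods:", dict(delete_method_breakdown(SAMPLE_RESPONSES)))
    for finding in retention_findings(SAMPLE_RESPONSES):
        print(f"[{finding['severity']}] {finding['data_type']} "
              f"({finding['application']}): never deleted; "
              f"duplicated because: {finding['duplicated_because']}")
```

Running it on the constructed sample prints the per-application share counts, shows "I do not delete from my device" as the most common delete method, and lists three undeleted record types, two of them rated high because the data had also been copied out of the system it was created in. With real survey exports the same three functions give a reviewer the starting list for storage, archiving and deletion remediation.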

The numerous requirements and regulations governing data handling make it a complex affair for organisations to ensure appropriate risk mitigation practices are in place at each stage of the data (information) lifecycle. Organisations have many processes, and are regulated, for how they create or collect data. Then there are processes and regulations on how to use that data, how to share it and with whom, and how and where to store it. RTG’s Data Lifecycle & Management Review (DLM) helps identify gaps in the implementation of your organisation’s data lifecycle, and how the everyday practices of people are affecting the risk profile of your organisation. With a particular focus on storage, archiving and deletion processes, the DLM produces recommended actions and initiatives for an organisation to strengthen its records management practice and strategy.

Organisations wanting their staff to follow particular data handling practices not only need to set the objectives they want to achieve, they also need to understand whether people are following those practices and what risks not following them create. Without this view, schools are running blind to whatever data breach or incident may be just around the corner.

If you’re interested in learning how a potentially harmful data breach can be prevented, feel free to reach out. I'll happily take you through the necessary steps to tackle any vulnerabilities that may exist that require immediate attention. 

(e) mgillies@rtg.com.au

(p) 1300 362 456

Written by Mel Gillies

Mel Gillies is Director Consulting - Risk and Security at RTG. Mel has recently been awarded her Master of Education (Research) comparing global and local privacy regulations, contextualising this to educational data governance and how these inform the privacy and security of school data within the ‘Educational Data Economy’. A qualified Lead Auditor ISO27001: Information Security Management System, Mel works closely with organisations to assist in identifying and protecting against cyber threats, whilst strengthening incident response plans to support timely recovery to normal operations and reduce the impact from a data breach or cyber security incident.
