SCSC has developed a comprehensive "Security as a Service" (SaaS) program to help schools and local governments address the numerous cybersecurity challenges they face.
SCSC utilizes a continuous improvement model to implement common-sense prevention and mitigation strategies to reduce your organization's risks.
This service typically includes:
• creating and managing the implementation of an information security strategy,
• ensuring compliance with regulations,
• training and educating staff about information security, and
• responding to incidents.
The SaaS program provides strategic leadership in security matters, helps the organization align its security objectives with learning outcomes, and provides advice and guidance on managing risks and responding to incidents.
Cost-Effective: The organization gets access to information security leadership and risk management experience without paying a salary.
The SaaS model is particularly attractive to small and medium-sized organizations that may have significant security needs to be managed but do not require a full-time, dedicated staff person.
Flexible: The Security as a Service program can be scaled up or down based on the organization's needs.
Fast Startup: Work can usually begin quickly without requiring a lengthy recruitment and onboarding process.
How It Works
Role of the CvCISO
Throughout the entire process, SCSC provides your organization with a Certified virtual Chief Information Security Officer (CvCISO). The CvCISO will be your information security leader to ensure your organization meets its goals and will be there to assist with coaching, plans, asset management, or whenever else your team requires additional support.
The CvCISO works with and directly supports your current technology staff.
The Security Risk Assessment
The entirety of the SaaS process revolves around the Security Risk Assessment. An Information Security Risk Assessment is a tool for identifying, prioritizing, and managing risk and communicating that risk to organization leadership, who may then use that information to apply mitigation resources effectively.
With a solid risk assessment, leadership can clearly understand the information security risks they are ultimately responsible for, and staff have direction on the risks they need to address.
SCSC's CvCISO will conduct a full Security Risk Assessment to identify risks in administrative, physical, internal, and technical controls and perform vulnerability scans of specified systems.
Your assessment results will be used to set objective thresholds for acceptable risk and decision-making, to provide liability defense for cybersecurity insurance, and to meet the Minnesota Government Data Practices Act annual requirements.
A Cybersecurity Action Plan
With the completed Security Risk Assessment, the CvCISO works with your district to develop a customized cybersecurity program specific to your needs and situation, providing you with a detailed, common-sense roadmap for program development.
The plan will begin by focusing on the highest-impact security objectives to improve your security posture quickly.
Individual Services Offered
The Cybersecurity Action Plan may include some or all of the following services. These can also be procured individually as needed.
Additionally, the Security Risk Assessment described above can be purchased separately, that is, without the customized roadmap for program development, for a reduced price.
Business Continuity Plans and Tabletop Exercises
The CvCISO works with you to create meaningful Business Impact Analyses (BIAs) and conduct practical tabletop exercises to recover from unintended events and ensure continuity of operations, whatever the cause of the interruption.
The exercises and scenarios are tailored to your organization's specific needs and desired outcomes.
The SCSC CvCISO leads your team through a data-mapping exercise to determine where your data is and how it is protected.
Information Security Program Documentation
SCSC's CvCISO works with your team to build out your Information Security Policy and associated procedures and guidelines, which will form the foundation of your organization's data privacy and information security program. We help you design policies and plans, including Incident Response and Business Continuity Plans, that match your organization’s needs, culture, and unique operating environment.
Quarterly Governance Meeting
A fundamental but often overlooked aspect of data privacy and information security programs is a quarterly governance committee meeting. Your organization's leadership can only make informed decisions if they understand their data privacy and information security risks. A quarterly committee meeting facilitates that communication, and SCSC's CvCISO can lead or assist with one or all of those meetings.
SCSC partners with InfoSec Institute to provide and manage online staff training to further your organization's security awareness program and reduce the risk of an information security incident caused by human error. (This service requires a one-year commitment.)
Third-Party Vendor Reviews
Your organization's cybersecurity responsibilities extend to any cloud-based and other third-party services you may procure.
SCSC's CvCISO can conduct a complete review of vendor information security and ensure that controls are in place and aligned with the organization's broader security strategy.
Let us know; we can help.