Service Provider Management
There are several additional resources that contribute to the overall management and effectiveness of the NCDPI K-12 Cybersecurity Program. Primarily, the Third Party Data Integration Policy is guiding the protection of student data to ensure vendors are taking proper security measures.
Security Domain
CIS Control 15 – Service Provider Management
NIST CSF – Govern: Cybersecurity Supply Chain Risk Management (GV.SC), Risk Management Strategy (GV.RM); Protect: Data Security (PR.DS); Respond: Incident Mitigation (RS.MI)
NIST 800-53 – System and Services Acquisition
Service Description
- NCDPI Third Party Data Integration – The North Carolina Department of Public Instruction is implementing new data security standards for any system that receives student information from a statewide system. This new policy is effective January 1, 2024.
Key Benefits
- Strengthened security and privacy protections for student data
- Streamlined framework to allow PSUs to implement a third-party application quickly
- Ensures PSUs have the resources needed to adequately evaluate the security readiness of vendor partners
Additional Resources:
- NCDIT Guide to Identifying & Managing Third Party Risks – As part of the 2021 Cybersecurity Symposium, speaker Valence Howden, the principal director in the CIO Practice at Info-Tech Research Group, gave a talk on the importance of taking a risk-based approach to vendor contracts and communications. NCDIT has recorded and posted the talk on its website.
- NCDIT Supply Chain Policy – The Statewide Information Security Policies are the foundation for information technology security in North Carolina. This policy covers all State information and information systems to include those used, managed, or operated by a contractor, an agency, or other organization on behalf of the state.
- NCDIT Vendor Readiness Assessment Report (VRAR) – NCDIT has released two VRAR forms to be filled out by organizations: one for state-hosted solutions and one for non-state-hosted solutions. Accurate and full completion of this document captures the “baseline” security requirements that must be addressed by vendors to ensure the security of the State’s school data.
- CISA Supply Chain Risk Management – Through the National Risk Management Center, CISA works with government and industry partners to ensure that supply chain risk management is an integrated component of security and resilience planning for cybersecurity program infrastructure.
- CISA Supply Chain Risk Management Graphic – Protecting your organization’s information in a digitally connected world demands an understanding of third-party vendor supplier security. Consider which organizations are in your supply chain and whether you trust the hardware, software, and services you receive.
- CISA Connected Communities Procurement and Implementation Guidance to Ask Internally – State, Local, Tribal, and Territorial (SLTT) officials can use these questions to clarify their goals and assess potential vendors' alignment with existing data protection and privacy requirements as well as operational risk management.
- CISA Connected Communities Procurement and Implementation Guidance to Ask Vendors – State, Local, Tribal, and Territorial (SLTT) officials can pose these questions to third-party vendors to help ensure alignment with cybersecurity, incident response, data protection and privacy, and supply chain risk management.
- K12 Security Information eXchange (K12 SIX) – A national non-profit organization that is dedicated to protecting K-12 organizations within the United States. K12 SIX acts as a national information sharing and analysis center (ISAC) for the K-12 community and provides specialized services as needed.
- FBI Internet Crime Complaint Center (IC3) – The FBI serves as the lead federal agency for investigating cybercrime. It operates a complaint submission service that allows organizations to submit incidents for investigation free of charge.