Introduction
A large K-12 school system based in Maryland consists of 77 schools and 57,293 students. To support a district of its size, the school system relies on an expansive network of third-party vendors to provide various services, including technology, transportation, food, and maintenance services. A third-party breach impacting a neighboring school district prompted the school system to evaluate the effectiveness of its own security.
Straightaway, the district determined it had limited visibility of its total vendor ecosystem and lacked standardized processes for managing its vendors’ security practices. The district’s information security team faced persistent issues with vendor vetting and assessment. It also struggled with continuously monitoring its expansive third-party network to identify vulnerabilities and new risks as they arise. To address this issue, the district implemented the myCYPR platform for customizable TPCRM and risk assessment processes.
Challenges
The school system faced several challenges managing its third-party cyber risks, including:
- Limited visibility into vendor security practices: The school system collaborated with numerous vendors, but they lacked visibility into the vendors’ security practices, making it challenging to assess and manage the risks posed by them.
- Lack of standardized processes: The school system did not have a standardized process for evaluating vendor risk across its expansive third-party network. The absence of standardized evaluation processes resulted in gaps in vendor security protocols and impeded the district’s ability to identify and mitigate potential cyber threats.
- Resource constraints: The school system did not have the resources or expertise to carry out comprehensive security assessments of their vendors.
More Data, Comprehensive Risk Visibility
The school district’s Chief Information Security Officer (CISO) determined a TPCRM platform would be an effective use of budget and personnel resources for achieving effective vendor risk management. myCYPR allowed the district to manage their third-party cyber risks by increasing visibility into vendor security practices, creating standardized processes for vetting, and continuously monitoring vendor security.
The school district created a customized program for managing vendor risk by combining three tiers of myCYPR’s risk assessments. The platform leverages multiple sources of risk intelligence to create its assessment tiers, which provide in-depth visibility of vendor security practices. The district evaluated a variety of vendors based on their individual risk postures, while also developing a standardized process for assessing the overall vendor risk profile. Most vendors were assessed with OPSEC | SAQ, but the district’s most critical vendors received an in-depth OPSEC | ASSESS risk assessment. myCYPR scored each vendor based on their assessment results, enabling the school system to prioritize its risk mitigation efforts.
Additionally, myCYPR enabled the district to monitor and report on risk in real time. The platform increased visibility into the district’s vendor ecosystem by identifying potential risks and vulnerabilities. As vendors made remediations, the district observed their improvements and updated scores in real time. As vendor scores improved, the district’s own risk score was correspondingly updated, delivering continuous monitoring and insights into vendor security and ensuring ongoing risk visibility over time.
Conclusion
As a result, the public school district significantly enhanced its vendor risk management process, amplified visibility into its vendor ecosystem, and standardized its processes. The platform equipped the district to better manage potential cyber threats, allowing them to focus their resources on high-risk vendors and ensure all vendors adhere to their security standards.
So long as the school system expands its vendor network, its information security team will continue to rely on myCYPR to manage third-party cyber risks and scale their risk management program. With myCYPR, the district can maintain a vigilant watch over their vendors, effectively identify potential risks and vulnerabilities, and take effective action to mitigate them. Above all, myCYPR’s real-time monitoring and reporting capabilities helped the district build a robust risk management framework that enables them to navigate the evolving threat landscape and protect their district from potential cyberattacks.