Comprehensive Risk Assessment for Large State’s Board of Education

Project Description

The State Board’s Technology Support and Infrastructure Division sought to engage the professional services of an independent, qualified vendor to conduct a multi-phased Comprehensive Risk Assessment. This assessment should include an Information Technology (IT) policy, program, and architectural Risk Assessment to identify risks, create a sound policy foundation, and develop a mitigation plan covering the privacy, confidentiality, and security practices of student, employee, and educational data systems. In addition, the assessment should cover security controls around hard copy data, specifically data containing Personally Identifiable Information (PII). During the Presentation Phase, the Vendor will make recommendations to key ISBE personnel that cover governance, security plans, policies, and procedures; system and applications architecture review; risk management and information security programs; and technical, management, and operational security controls.

Project Goals

The State Board is reliant on electronic infrastructure. There are over 150 applications, networks, and interconnections to local education agencies (LEAs), schools, universities, and nonprofits. In recent years, ISBE has internally developed critical systems that collect and store confidential information at the district, school, educator, and student level, and has developed a statewide longitudinal data system (LDS), hosted by a third-party vendor. The LDS is used by a variety of constituents and also includes public-facing portals. Securing and protecting private and confidential data is a paramount responsibility of the State Board.

While the State Board’s electronic infrastructure is extensive, hard copy data is present and remains in use throughout the agency. Protecting this data, particularly any data containing PII, is of high importance to the agency. The Vendor will provide recommendations to the State Board for any necessary revisions to existing data controls, or the formulation of new ones, that specifically address any risk from policy or practice identified during the assessment.

Services Delivered

SDI, as a subcontractor to Crowe LLP, will deliver the following services:

  • Network Design and Architecture
  • Network Device Configuration
  • Logging and Monitoring
  • Asset Management

SDI has delivered cost-effective, innovative technology systems to organizations throughout the public and private sectors.
