2023 Cyber Questionnaire

Please answer these questions to the best of your ability and knowledge. We understand these questions are very technical in nature, and interpretation of these questions can vary. If you have questions you can contact Paul Grienke at pgrienke@setseg.org. Our goal is to gain better visibility on the current cyber posture of Michigan Public Schools and how SET SEG can better protect member districts.

Employee Name(Required)

Job Title(Required)

District(Required)

Email(Required)

TRAINING

1. How often are email phishing tests conducted for all staff?

2. How often is cyber security awareness training conducted for all staff?

BACK-UP & RECOVERY

3. Are backups subject to the following Measures?

4. Are your backups kept separate from your network ("offline") or in a cloud service designed for this purpose?

Yes

5. How frequently is critical information backed up? Pick one:

6. Does your district have the following business continuity plans in place?

7. If you conduct backups, how frequently is a recovery from backup tested?

INTERNAL SECURITY

8. Is Multi-Factor Authentication (MFA) utilized for the following:

9. If Remote Desktop Protocol (RDP) is enabled, are the following protections implemented? If RDP is NOT enabled, please skip this question.

10. How often do you apply security patches to your systems and install antivirus updates?

11. Do your users have local administrative rights on their laptop/desktop?

Yes

12. Does your district utilize and End-Point Protection (EPP) or End-Point Detection and Response (EDR) solution?

	Yes	No
EPP
EDR

13. Does the organization scan their exterior network for open remote access ports and either close or protect them?

Yes

CYBER CRIME

14. Does the organization verify vendor/supplier bank accounts before adding to their accounts payable system?

Yes

15. Does the organization authenticate funds transfer requests (e.g. by calling a vendor to verify the request at a predetermined phone number)?

Yes

16. Does the organization prevent unauthorized employees from initiating wire transfers?

Yes

17. Is the organization currently utilizing the MyCyber platform offerred by SET SEG for the following?

	Yes	No
Conducting Vulnerability Scans
Tracking Progress through Cyber Hygiene Projects

NOTE this is not currently required, but highly recommended by SET SEG

18. If desired, provide commentary on what cyber security controls will be in place by July 1, 2023 that are not currently in place today.

19. Additional comments to expand on the answers above:

CAPTCHA

	Yes	No
Multi-factor Authentication (MFA)
Encryption
Immutable
Virus/Malware Scanning

	Yes	No
Disaster Recovery Plan
Business Continuity Plan
Incident Reponse Plan

	Yes	No
Virtual Private Network (VPN) for access
Multi-Factor Authentication (MFA) for access
Network level authentication enabled
Remote Desk Protocol honeypots

	Yes	No
Critical Systems (e.g. Finance, Human Resources, etc.)
Remote Access
Email