TASB Risk Management Fund

Cybersecurity Series, Part 3

March 13, 2017 Cristina R. Blanton

Safety & Security

Cyber awareness starts with a plan

This is the third and final part of a series of articles covering cybersecurity issues that school districts and organizations should be aware of. In this article, you will learn about the importance of having a cyber security plan for your organization. Read part 1 (What you need to know about cyber safety) and part 3 (Cyber awareness starts with a plan) of the series.

Does your school district or organization have a data or information privacy program in place? A privacy program should address the organization’s response to storing, handling, and securing sensitive personal information. Additionally, the privacy program should include response protocols in the event of a detected breach or other unauthorized release of such sensitive information.

If you are not sure, chances are there isn’t one, or the program or plan is outdated and current employees are not being trained on the district’s requirements for safely handling, securing, storing, or destroying sensitive personal information. Consider the following issues as you get started with your data or information privacy program.

Obtain leadership support

Leadership involvement and awareness of the need for a privacy program or plan is essential to creating a comprehensive approach to the protection of all sensitive data. Ensuring that the school district’s leadership is involved also helps communicate to the school community that protection and security of sensitive personal information is an important focus for the district.

Bring the right people to the table

Consider having some or all of the employees listed below form a work group or data governance committee to review existing policies, procedures, or regulations related to the issues. Additionally, the district should consider appointing one employee, such as the chief privacy officer or information security advisor, to serve as the point person for ongoing monitoring of any policy, procedure, or regulations that are created. This individual should facilitate communication among all members of the committee and convene the committee when necessary.

This person should also serve as the contact person and liaison for the school when a data breach is reported. The work group or committee could include positions such as:

  • Director of technology or chief information officer;
  • Chief privacy officer or information security advisor;
  • Campus principals or administrator for student services;
  • In-house counsel, if applicable;
  • Policy director;
  • Human resources director;
  • Risk management coordinator, if applicable.

Program considerations

When creating an information or data privacy program, the group should address compliance with state and federal laws and regulations in addition to locally created requirements and rules for the storage and destruction of sensitive information, including response measures to take when a data breach is detected. The district should ensure that the information program complies with CPC (LEGAL) and (LOCAL) policy for record retention, storage, and destruction provisions.

Keep in mind that an Acceptable Use Policy (AUP), while different from the privacy program addressed in this article, is equally important for districts to have. An AUP is typically focused on technology and network users within the district, such as employees and students with district-issued technology devices and members of the public who may use district technology or access the district’s network, including WiFi access. Many districts may already have a starting point for an AUP in the district’s CQ (LOCAL) and (REGULATION) policies.

Assess the risk

Understanding where the risks lie for a potential data breach is an important step in creating any privacy program. Identify the types of sensitive information held within the school district, such as personally identifiable information of students and employees, vendor information, credit card numbers, bank account information, and more. This inventory allows the data governance committee to create a program that specifically addresses the storage and security of the sensitive information identified and to ensure that employees who handle such data are properly and routinely trained.

An equally important but less apparent risk is the use of email within the district. Research shows that a data breach caused by malware delivered through a phishing attack continues to be a prevalent method used by outsiders seeking access to an organization’s sensitive information. A phishing attack is the use of an electronic communication to attempt to trick someone into providing sensitive information (e.g., user name and password, payment card details) or into clicking on a link or opening a file that introduces malware into the system. Consider providing training on the identification of such suspicious communications to all employees within the district, including board members.

Other sources of risk for data breaches can include:

  • Student use of technology and “surfing the Internet”;
  • Vendors storing school district data with little to no data protection measures in place;
  • Inactive employee user access accounts following termination or resignation;
  • Downloading educational applications without verification.

Train employees and staff

Employees and staff who are issued district laptops, and any employee, staff member, volunteer, or board member who handles or works with sensitive personal information (e.g., teachers, attendance clerks, bus drivers, cafeteria workers), should be cyber aware, security conscious, and trained on how to respond if a breach or suspicious activity is perceived. Annual training on the proper handling of sensitive information and how to report suspicious cyber activity should be routine for new and current employees. Additionally, if the IT department learns of increased phishing activity or new malware spreading widely, it is important that the district encourage and require the IT department to send out alerts or notices to all users.

Monitor the program

Develop a method to monitor the implementation of the information privacy program and its trainings. An ongoing monitoring process will provide the district with timely feedback on the effectiveness of current practices and alert the committee if a component of the program is out of date or if there are concerns about a possible data breach. In the event of a breach, the district should review the privacy plan or program and incorporate any lessons learned from the experience. Because technology and software change frequently, periodic review of the program will keep the district up to speed on emerging issues.

Don’t forget your parents and students

Remember that communicating general information about the district’s efforts in safeguarding sensitive personal information helps build trust among parents and students. Consider incorporating cyber safety tips on the district’s website for parents and students. Educating students on digital citizenship is an important part of issuing technology to students for use in their daily lives and helps the district teach students to avoid suspicious activity while online or in email.

Helpful resources for school districts, parents, and students:

For more information about the Fund’s Privacy Information & Security coverage and resources, visit the Fund website.
