Skip To Content

Blueprint for Cybersecurity Annex Compliance

Article

On Sept. 23, 2024, the Texas School Safety Center (TxSSC) will open the online portal for school districts to submit their EOP Basic Plan and Cybersecurity Annex for review. Both annexes must be submitted by October 23. The annex is a new requirement, and we understand school staff might have questions. This is the second in a three-article series that offers guidance and resources to help members comply.

The first article provides an overview and key dates. In this article, we identify the highest priority action items for you, based on recommendations from the Cybersecurity and Infrastructure Security Agency (CISA).

Tip: Refer to the TXSSC Cybersecurity Annex Evaluation Checklist while reading this article.

1. Legislative Requirements (CS5 & CS6)

Meeting all legislative requirements of the cyber annex is critical. Superintendents are tasked with appointing their district’s cybersecurity coordinator, and the coordinator is required to complete annual cybersecurity training. You can update your district’s cybersecurity coordinator on the TEA website and learn about the training requirement in this TASB HR Servies Q&A.

2. Require Authentication Tools (CS16)

Implementing multifactor authentication (MFA) is an essential cybersecurity measure that strengthens the protection of online accounts and the sensitive data they contain. Microsoft reported that “MFA can block over 99.9% of account compromise attacks.” By requiring multiple forms of verification, MFA ensures that even if one factor, such as a password, is compromised, unauthorized users are still unable to access the accounts. This additional layer of security makes it significantly more difficult for attackers to breach systems and obtain sensitive information.

Prioritizing MFA across all accounts, particularly for system administrators and users with elevated privileges, is crucial. As one of the simplest and most effective ways to safeguard data and systems, MFA is an indispensable component of every robust cybersecurity strategy.

3. Provide Updates on All Systems (CS13)

Many cyberattacks succeed because victims are using unpatched software when safer, updated versions are available. Regularly updating all systems, including internet-connected devices like smartphones and tablets, helps close security gaps that attackers exploit. System updates are one of the most cost-effective ways to enhance an organization’s cybersecurity.

4. Employ and Test a Backup Solution (CS10 & CS11)

Creating and regularly testing backups is vital for protecting your district’s data from cyber threats like ransomware. Ensure all key systems are backed up frequently and stored offline, offsite, or air gapped. Regular testing of data restoration verifies backup functionality. Document your backup process thoroughly, review testing results, and address gaps. Implementing and testing a robust backup solution enhances data security, enables swift recovery during cyber incidents, and minimizes disruption.

5. Close or Block Network Ports That Aren’t in Use (CS17)

In networking, a port is a virtual point where connections start and end. Attackers commonly exploit weaknesses in exposed ports. Look to close unused ports, and make sure services running on open ports aren’t using default credentials. Shoring up port security reduces avenues for attackers to infiltrate your network.

6. Develop and Exercise an Incident Response Plan (CS19 & CS21)

By developing and exercising an Incident Response Plan (IRP), you can enhance your district’s ability to mitigate cyberattacks. Your IRP should define roles and responsibilities for all major activities. Conduct regularly scheduled exercises, such as tabletop simulations, to test and refine response procedures. Simulations allow teams to prepare for potential security incidents and identify areas for improvement in policies, procedures, and technologies. You should also know your cyber coverage provider and who to call in the event of an incident. By developing and exercising an IRP, your district can enhance its ability to respond to and mitigate cyberattack.

7. Training and Awareness at All Levels (CS18)

Cybersecurity isn't solely about technology tools. People must do their part. Effective training raises awareness and empowers employees to take appropriate action. Staff members on the front lines need to know how to recognize and report suspicious activity, while those receiving reports must understand how to respond effectively. Investing in training is as important as investing in cybersecurity tools and solutions.

Takeaways

Addressing the highest priority items on the Texas School Safety Center cyber annex checklist is essential to strengthening your district’s cybersecurity:

  • Begin by ensuring compliance with legislative requirements, including the appointment and training of a cybersecurity coordinator. 
  • Implement multifactor authentication (MFA) to protect accounts, and regularly update all systems to close security gaps. 
  • Employ and test a backup solution, close or block unused network ports, and develop and exercise an Incident Response Plan (IRP). 
  • Finally, implement training and awareness programs at all levels to empower your district to recognize and respond to cyber threats effectively.

For more guidance, we offer members with cybersecurity coverage resources such as our cybersecurity guide plan, and support from our subject matter experts here at TASB. You can also reach out to your EOP Review Specialist at the Texas School Safety Center. Prioritizing these measures will provide the most immediate increase to your organization's cybersecurity posture and help safeguard against potential cyber threats.

Fund members with Privacy and Information Security coverage benefit from expert support at no additional cost. Let us train your team to build a state-mandated cybersecurity plan, avoid common scams and attacks, and recover from incidents.

Bryce Sipes
Bryce Sipes
Cybersecurity Intern

Bryce Sipes is a cybersecurity intern who joined TASB in 2024. His responsibilities include researching industry trends, creating member-centered content and training, and identifying products and services that strengthen members' cybersecurity programs. Sipes is ISC2 CC certified and Google IT Support certified.