Student data is increasingly valuable to criminals, some of whom have recently extorted thousands of dollars in ransom from US schools unwilling to see student and parent data released. Over the next couple weeks, I’ll be outlining six artifacts I hope to see in place for our schools, and their alignment to indicators of the Trusted Learning Environment Seal. For each artifact, I’ll include a description of the challenges I see ahead of us and a few of the steps we’ll be taking along the way.
The Consortium for School Networking (CoSN) released their Trusted Learning Environment (TLE) certification process in 2015, a seal that’s rapidly becoming a coveted sign of commitment to compliance standards that keep student data safe.
My thanks to CoSN for not only launching this program, but for also providing so many rich resources on cybersecurity to support directors, CTOs, and CIOs. We have a large task ahead of us as we shepherd our school systems into new patterns of behavior, and we have a compelling reason to do so: the safety of our students.
–Drew
Part 1: Artifact 1
The TLE certification consists of four standards, each divided into four to seven indicators. These standards are:
- Leadership Practices (LP), with six indicators
- Business Practices (BP), with four indicators
- Data Security Practices (DSP), with seven indicators
- Classroom Practices (CP), with four indicators
For each artifact, the practices and indicators met are indicated at a glance. For the full text, see CoSN’s TLE application, available online.
Artifact 1: An operational security and data privacy policy approved by the Board
Practices and Indicators fulfilled:
“Security and data privacy policy” seems easy enough to say, but it belies a great amount of thought and work. From my reading on the subject, CoSN is looking for a document that …
- outlines compliance requirements around student data,
- provides evidence of how the school addresses those compliance requirements,
- sets out a specific individual as accountable owner of that compliance, and
- includes evidence for an operational data incident response plan
The compliance piece is the least defined of the steps above. In my mind, we can divide this concept into two sections: legal compliance and technical compliance.
In the first, legal compliance, schools must examine how well their vendor partnerships and internal practices abide by federal and state statutes like FERPA, COPPA, and CIPA. Schools must look at who has permission to what, how those permissions are assigned and rescinded, and how often permissions are reviewed. For compliance with external vendors, companies like Education Framework can take a good deal of the work out of the required annual review of partners’ Terms of Service documents.
On a more technical side, schools must grapple with decisions about the configuration and maintenance of their infrastructure and device fleet. For Grant Schneider, our current federal CISO and former CIO for the Department of Defense, the NIST framework is guiding each of the analyses that his department is performing for the agencies under his control. Our schools will be looking to the NIST CyberSecurity Framework for these compliance requirements as well, examining how we identify, protect, detect, respond, and recover from potential security incidents.
Schools must also be vigilant about how each of their existing partners protect themselves. As we have seen in the business sector, the entry point of a breach can be through compromised partner systems as much as the target’s own. Asking for information about protections up front should be a part of the governing security policy adopted by the Board.
Artifacts to come:
- Security and Data Privacy Audit
- Business Continuity and Disaster Recovery Plan
- Vetting Process for Online Services
- Security and Data Privacy PD
- Security and Data Privacy Website