Data Privacy & Security Service Digital Digest, Winter 2019

Interactive publication on the topic of data privacy and security, including current cybersecurity information, effective strategies, best practices and leadership resources.

Data Privacy & Security Service (DPSS) Winter Digest: The Leadership Issue

Included in this Issue:

• The Role of the School Board in K-12 Cybersecurity
• How to develop a strong Incident Response plan
• Cybersecurity News to watch
• Helpful Cybersecurity Resources

Winter 19 (Issue 14)

National Cybersecurity Assessments and Technical Services (NCATS): No-cost Risk Assessment Services

We were fortunate to recently learn more about NCATS and wanted to share information on this cost-free risk assessment resource option. NCATS is a group of highly trained information security experts within the Department of Homeland Security (DHS) National Cybersecurity & Communications Integration Center (NCCIC). Their mission: to help stakeholders proactively identify cybersecurity risks and build up our national cybersecurity defenses. NCATS assessments are not conducted in reaction to an incident; instead, they are used to identify, mitigate and remediate vulnerabilities prior to exploitation by an attacker.

NCATS defines their work as:

• A proactive, risk-based approach to analyzing stakeholder systems
• Expertise in identification of vulnerabilities, risk evaluation, and prioritized mitigation guidance
• Empowering stakeholders to increase the speed and effectiveness of their cyber-attack response capabilities

NCATS offers a variety of service offerings. Some services have a waitlist, and service delivery timelines are made available by request. Here is a listing of current NCATS offerings:

• Cyber Hygiene: Vulnerability Scanning - Near-persistent scanning of Internet-accessible systems for vulnerabilities, configuration errors, and suboptimal security practices.
• Phishing Campaign Assessments - Measures propensity to click on email phishing lures to increase training and awareness.
• Risk Assessments
  • Risk & Vulnerability Assessments - Combines national threat information with data collected and vulnerabilities identified through onsite assessment activities in order to provide tailored risk analysis reports.
  • Remote Penetration Testing - Focuses solely on Internet-accessible systems, such as firewalls, routers and web portals, and on the elimination of remote attack paths.
• Validated Architecture Design & Review - Evaluates resiliency of a stakeholder's systems, networks, and security services.
• Qualification - Assistance in qualifying third-party organization teams with DHS assessment standards.

NCATS assessments are available to Federal, State, Local, Tribal & Territorial levels of government, which includes educational stakeholders. Any information collected during assessments is not shared without written and agreed consent from the participating stakeholder. Anonymized data is used to develop non-attributed reports for trending and analysis purposes. The data collected for analysis represents the diversity across the many stakeholders the NCCIC and NCATS support.

If you are interested in using these services, NCATS recommends you contact them as soon as possible, as testing availability may be limited, with the exception of Cyber Hygiene services. This scanning service is ongoing with no wait time and no limit on annual capacity. To sign up for NCATS assessments, please email NCATS_INFO@HQ.DHS.GOV.

Use this link for additional information on NCATS and to view sample reports.

New Privacy Regulations: California Consumer Privacy Act

The California State Legislature recently passed the California Consumer Privacy Act (CCPA) to protect consumer data. Alastair Mactaggart, chairman of Californians for Consumer Privacy, outlines what rights the CCPA gives all California consumers:

• Know all data a business collects about you
• Say no to the sale of your information
• Delete data you've given to a business
• Be informed what categories of data will be collected about you prior to its collection
• Mandated opt-in before sale of children's information (under the age of 16)
• Know where your data is shared
• Know where your data was acquired
• Know why your information is being collected
• A private right of action (meaning you can sue companies) when companies don't take reasonable steps to protect your information, and it's stolen

As more states implement data privacy laws to protect consumers, we will keep you up to date with the latest legislation.

Included in this Issue:

• Pages 1 & 2: Feature Article: NCATS No-cost Risk Assessment Services; New Privacy Regulations: California Consumer Privacy Act
• Page 3: K-12 Cybersecurity: The Role of the School Board; NSBA Cybersecurity Board Recommendations; Educator Privacy Toolkit
• Page 4: Data Privacy & Security for Administrators
• Pages 5 & 6: District Spotlight: Manhasset UFSD
• Page 7: Cybersecurity Resources

Cybersecurity News

5 Creative Ways to Effectively Deliver Anti-Phishing Training

• Craft phishing emails relevant to roles & departments
• Perform unscheduled simulation campaigns
• Use Computer-Based Training (CBT)
• Use gamification & rewards for motivation
• Provide continuous performance improvement by introducing increasingly challenging content

Read the full article here.

K-12 Cybersecurity: The Role of the School Board

The National School Board Association has launched an initiative to educate, advise and provide relevant resources to school board members about cybersecurity. Can your school district answer the following four questions?

1. How many significant cyber incidents has the district experienced in the last few years?
2. How do we measure the sufficiency and effectiveness of our district's cybersecurity program?
3. How much of our IT budget is being spent on cybersecurity-related activities and risk management?
4. What metrics do we use to evaluate cybersecurity awareness across the district?

Read more about this initiative here.

NSBA Cybersecurity Board Recommendations

The K-12 National Advisory Council on Cybersecurity (NACC) established guidelines for the National School Board Association (NSBA) outlining cybersecurity recommendations school board leaders should consider when developing cybersecurity board policies. The guidelines address how to establish, implement and support district and community cybersecurity policies.

School leaders can review the NSBA Cybersecurity Board Recommendations here. Additional cybersecurity resources, including webinars and a newsletter, can be found on the NSBA Cybersecure Schools page.

Educator Toolkit for Teacher & Student Privacy

There is a new Educator Toolkit for Teacher & Student Privacy provided by the Parent Coalition for Student Privacy and BATS (Badass Teachers Association). The toolkit is a comprehensive guide that enables teachers to address rapidly growing threats to education-related data. It is designed to provide best practices and encourages responsible behavior in regards to digital citizenship and the protection of personal data. You can access the toolkit using this link. The toolkit supplements the Parent Toolkit for Student Privacy released last year with the Campaign for a Commercial-Free Childhood.

Data Privacy & Security Service, Issue 13

Page 3

Data Privacy & Security for Administrators

Mind Your Cookies

Mindful Tracking Cookie Policies Improve K-12 Data Security

Many students and K-12 districts may inadvertently be allowing third parties to collect and sell student data through their web browsing and embedding of information into presentations. One of the easiest ways to prevent this occurrence is to cut down on tracking cookies. To read more about cookie management practices by Google and Microsoft, and about HTTPS encryption, see the linked article.

The Unintentional Ways Schools Might Be Violating FERPA, and How They Can Stay Vigilant

The Family Educational Rights and Privacy Act, or FERPA, protects student education records in both K-12 and higher education. The article addresses unintentional ways that educators and districts might be breaking the law. Here is a compliance checklist for review:

• Screen vendors, especially online vendors, for compliance
• Know when to release and withhold records
• Be aware of confidentiality law and disclosure, especially in regards to social media
• Have secure methods of communication and data transfer in place

Use this link to access the full Edsurge article.

Quick Tips for Developing an IR Plan

Having a strong Incident Response Plan (IRP) in place is critical to enable your organization to respond quickly and effectively. Follow this checklist to implement an IRP:

• Identify your risk profile using a cybersecurity risk assessment
• Know your compliance responsibilities
• Create a communication plan
• Identify and train stakeholders
• Automate alert handling to prioritize highest-risk threats
• Evolve and improve your Incident Response Plan over time

Read more about developing a plan in this Security Boulevard article.

The Privacy Risks of AI Use in Schools

Voice-activated, artificial intelligence devices such as Alexa and Google Home are now part of classroom use. While they create an immersive learning experience, there are privacy concerns that need to be addressed. Some simple steps include staff development on FERPA, COPPA and CIPA at the beginning of the school year, specific procedures and policies for having devices in classrooms, teacher input on technology committees, and administrative observance of instruction using this technology.

For more, check out the full article from District Administration.

DPSS District Spotlight: Manhasset UFSD

Districts are always working toward Ed Law 2-d compliance and can look to other districts for best practices and recommendations. Manhasset UFSD has developed a sophisticated procedure ensuring products used within the district meet Ed Law 2-d compliance regulations. Manhasset's Director of Technology, Dr. Sean Adcroft, works with two teachers who "wear multiple hats", Rob Mashburn and Stacey Weinberg. They review teacher requests for software products and determine if requested products are Ed Law 2-d compliant. Teachers enter product requests in Manhasset's work order/ticket system (Spiceworks). Mr. Mashburn handles requests from the secondary school, and elementary school requests go to Ms. Weinberg. If products do not appear to meet Ed Law 2-d compliance in the DPSS Inventory Tool based on their public-facing policy, the vendor is contacted directly to confirm the product will meet Ed Law 2-d compliance. Manhasset recognizes that the DPSS Inventory Tool is "informative, not confirmatory".

The data privacy agreement drawn up by the district attorney is sent to vendors once Ed Law 2-d compliance is confirmed. Dr. Adcroft explains that once the agreement is received by the vendor there can be a delay until both the vendor and the district attorneys agree on suggested language changes. The process Manhasset employed to meet Ed Law 2-d compliance is illustrated in the workflow diagram shown below. Teachers are provided status updates on their requests via the work order system.

Manhasset has generously agreed to share sample process templates found in the links provided here:

• Manhasset Data Privacy Agreement
• Request for Vendor to Submit to LHRIC
• Request for Vendor to Update DPSS Inventory
• Sample Letter to 3rd party vendor for 2-d compliance
• Sample Letter to 3rd party vendor to sign district agreement

Note: It is recommended District Privacy Policy Agreements be drafted by an attorney representing the district.

Cybersecurity News

Online Quizzes are gaining popularity in classrooms. Some students are hacking them.

The popular online platform Kahoot has recently been experiencing hacks. Students have taken to programming bots that disrupt their class quizzes, flash inappropriate names onscreen, or obtain the answer key. The reasoning behind this is as simple as pranking, dislike of the competition, boredom and, interestingly, a rejection of technology being used in the classroom. Kahoot is adding additional security measures to combat this issue. For more, read this article from the Fresno Bee.

Iranian Hackers Charged in Cyber Extortion Scheme

Two Iranian computer hackers created ransomware known as SamSam and were involved in encrypting data. Over 200 victims, including the cities of Newark, New Jersey and Atlanta had their data exploited and the hackers demanded ransom in bitcoin. The hackers were charged in the multimillion dollar cybercrime and authorities see this as not only extortion but an attempt to harm critical institutional infrastructure. For more see this article from Fios1 News.

Cybersecurity Resources

Contact your local RIC for additional information. Click here to find your local RIC contact.

For Subscribers to the Service:

• Digests & Archived Digests
• Digital Debrief
• Inventory Tool
• Information Security Online Professional Development
• Digital Blasts

KnowBe4 shared the Top-Clicked Phishing Email Subjects for Q3 2018. Click here to see the full infographic and results of their Q3 report. Image © KnowBe4, knowbe4.com. Permission to reprint granted by KnowBe4.

Data Privacy Day: January 28, 2019

Data Privacy Day is an international day observed annually to help spread the word on how important it is to protect our privacy and secure our data. Information and resources about Data Privacy Day can be found on the StaySafeOnline Data Privacy Day page.

Firefox Monitor is a free service that notifies people when their email account has been compromised in a data breach. You can take these steps to assess your email account:

• Visit monitor.firefox.com and type in your email address to see if your email has been part of a data breach.
• When you sign up for Firefox Monitor, your email will be scanned against future data breaches, and you will be notified through private email if your account was involved.

Additional resource for email account monitoring: Have I been pwned?
