Data Privacy & Security Service Digital Digest_Fall 2017

Fall 2017 (Issue 9)

In This Issue

Page 1: LHRIC hires a DPSS PD professional
Page 2: Train Your Employees; Gone Fishin’ Phishin’; Train your staff on cybersecurity
Page 3: Training Resources; Comptroller’s Corner
Page 4: Apps Tested for Children. Half Failed to Protect Their Data; Policy Information; Policies; FERPA’s Collision with Social Media
Page 5: Schoology Access for PD; Best Practices in PD According to CoSN; CoSN Collaborates w/ Sups
Page 6: Sarahah; Hack Attacks

To access all of the resources of the Data Privacy and Security Service (DPSS), log into RIC One DPSS using your email address and the password provided by your RIC.

STAFF DEVELOPMENT RESOURCES

LHRIC hires a DPSS PD professional

Superintendents face unique challenges when it comes to data privacy and security. Faculty and staff have a responsibility to protect district data. However, superintendents own it all! Additionally, superintendents have an obligation to support their school boards and to fulfill the needs expressed by their communities.

In the 2017-18 school year, the Lower Hudson Regional Information Center (LHRIC) in Harrison, NY has employed a distinguished educator and technologist to develop and share, via the DPSS, professional development resources for superintendents. Dr. Nasrin Rouzati comes to the position having led Information Technology and Professional Development at the Mount Pleasant Central School District in Thornwood, NY and having served as faculty at Manhattan College in Riverdale, NY.

Nasrin’s work will address key audiences from a superintendent’s perspective, including:

1. Board of Education
2. Leadership Team
3. Network Administrators/IT
4. Data Administrators (Staff)
5. Teachers

Overall, her work will assist superintendents to form a common understanding throughout their district. The resources she develops and shares will typically include two parts. The first part will address some of the more general concepts pertaining to Data Privacy and Security. This will include how to keep abreast of current threats and potential cyber-attacks, preventive measures, best practices in safeguarding data, and practical solutions if such attacks happen.

The second part will focus on protection of data as it relates to the specific roles and responsibilities of each group. For example, a BOE member utilizes district data on a day-to-day basis serving within the governing body of the school district. It is a Board member’s responsibility to adopt certain policies and procedures, assure compliance with laws, and provide guidance on financial investments in data privacy and security technology and cyber-insurance. Each audience has its role to play, and a range of subjects will be covered in the second part to better define roles and responsibilities, including user access control, software adoption and supervision.

Questions to think about:

Where are your district data?

Who is responsible for data in your district? Do those responsible for data know what to do and what not to do?

In summary, Nasrin’s goal is to support the pivotal instructional and administrative leader in districts with the essential knowledge needed to lead and support their colleagues and community.


TRAIN YOUR EMPLOYEES

StaySafeOnline.org provides many useful resources to promote cybersecurity and data privacy. Visit the Train Your Employees section for more information on the excerpt below. Training employees is a critical element of security. They need to understand the value of protecting customer (student) and colleague information and their role in keeping it safe. They also need a basic grounding in other risks and how to make good judgments online. Most importantly, they need to know the policies and practices you expect them to follow in the workplace regarding Internet safety. Talk to your employees about:

1. keeping a clean machine
2. following good password practices
3. when in doubt, throw it out
4. backing up their work
5. staying watchful and speaking up

PDF Resource: 5 Ways to Help Employees be #PrivacyAware

Gone Fishin’ Phishin’

Summer time and the living is easy or so the song goes and with that some people have been fishing. Oops, I mean phishing. Here are some recent emails requesting information:

From Patrick Bull (and you can bet it was bull): Your e-mailbox password will soon expire. To keep your password active. Please click…

From Gillian.Molina: Your Microsoft Outlook Web Password will expire today (oh, no!). You are to Click on this link XXXXXXXXX immediately and fill the form correctly (I just love that they want the information filled out correctly) and submit for immediate validation. Please if you cannot access the link, send your Username and Password to our System Administrator at XXXXXXXXXXXX for immediate Validation. This message is from IT Department.

Training your staff on cybersecurity

The experts say that “training is essential” to make sure employees exhibit the security practices that will keep data as well as the organization safe. But did the “experts” really ever deal with employees? Five tips to teach staff security skills that stick are:

1. Lead by Example – Both good and bad habits start at the top. Just as you wouldn’t want your children to see you do something bad, if you’re the boss, don’t let your employees see you place post-it notes with passwords on your computer. Don’t leave unsecured devices such as jump drives and laptops on your desk overnight. Practice good behavior and it will be mimicked by others.

2. Send out a Daily Security Tip – Formal policies are mandatory, but how do you know your employees are reading them? Send out a quick tip in a byte-sized message that is user friendly and manageable to remind employees about expected behavior.

3. Rigorously Enforce Security Policies – Policies are for protection and should be enforced. It is not a matter of distrust. It’s about protection of networks, data and people.

4. Put Employees to the Test – Remember, this is the article suggesting this, not the DPSS or the Digital Digest. The suggestion is to see if employees follow protocol by putting them to the test. As a simple example, send out a phishing email and see who bites.

5. Make Security Tools Freely Available – Employees won’t use tools like secure email or SFTP unless they are available and easy to use. Extend this concept beyond technology and include locking file cabinets and paper shredders.

“Make it easy to adopt good security behaviors, and employees will catch on” (¶7).


TRAINING RESOURCES

Additional Resources

The following organizations provide free and discounted cybersecurity-related professional development to school district staff.

The National CyberWatch Center (NCC) is a consortium of higher education institutions, public and private schools, businesses, and government agencies focused on collaborative efforts to advance cybersecurity education and strengthen the national cybersecurity workforce.

Center for Internet Security (CIS) and SANS Partnership

The partnership between SANS and the Center for Internet Security draws on the shared mission to ensure that InfoSec practitioners in critical organizations have the skills needed to protect national security and enhance the cyber security readiness and response of state, provincial, local, tribal and territorial government entities. This program offers both security awareness and online technical training courses to qualifying organizations at a substantial cost savings.

Online Training from SANS Institute is a flexible and effective option for information security professionals of all experience levels to complete SANS' top training. The training is available via OnDemand or vLive Online Training formats, each offering slightly different features so that students can choose the workflow, interaction and speed of training that they prefer. Security Awareness training is a critical component of a comprehensive security program. Compliance and behavior change become difficult for non-technical individuals without the proper content. SANS Security Awareness offers a comprehensive solution for end users and individuals of all levels with expert-authored content.

Through a partnership with CIS, school districts receive up to 70% discounted pricing during aggregate purchase windows available twice a year (June 1 - July 31 & December 1 – January 31). See Aggregate Buy Program price sheet.

To participate, districts must be a member of Multi-State Information Sharing & Analysis Center (MS-ISAC). There is no cost to join but it requires the completion of a membership agreement. For more information, contact CIS at info@cisalliance.org or (518) 266-3460.

COMPTROLLER’S CORNER

In this Comptroller’s Corner, we feature an audit of the Rye Neck Union Free School District issued November 2016 that states, “The Board has not developed adequate policy and procedures to ensure that District employees receive proper cyber security training to protect District IT assets…The lack of formal cyber security training increases the risk of District employees acting in a manner that could compromise District IT assets and security.” The Comptroller recommended that District officials should, “Ensure that employees receive formal IT security training on an ongoing basis that reflects current risks identified by the IT community.” In its response to the findings, the District stated that it had “added security awareness training to our list of required annual training for all employees.” Be sure to review and update your Board policy and procedures as necessary as it relates to cybersecurity staff training, and to document evidence of implementation.

View the contents of the full audit here.


APPS TESTED FOR CHILDREN. HALF FAILED TO PROTECT THEIR DATA.

The Washington Post reported that a research group, Usable Security & Privacy, affiliated with the University of California, Berkeley Center for Long-Term Cybersecurity, tested more than 5,000 children’s apps from the Google Play store. Since these apps are available for parents (teachers and schools) to download, it would be assumed that the kids’ data would be safe. Never assume. More than 50% of Google Play apps targeted to children under 13, many of which were downloaded millions of times, appear to fail to protect personally identifiable data. It was found that the apps regularly send “potentially sensitive information—including device serial numbers, which are often paired with location data, email addresses, and other personally identifiable information—to third party advertisers. Over 90 percent of these cases involve apps transmitting identifiers that cannot be changed or deleted, like hardware serial numbers, thereby enabling long-term tracking” (Washington Post, ¶2). Additional reading: Researchers report >4000 apps that secretly record audio and steal logs.

Third party app developers use advertising packages within their code. It is the developer’s responsibility to disable the types of tracking and data sharing that might cause conflicts with COPPA and other regulations. The “high rate of potential COPPA violations also reveals a systemic and troubling lack of oversight. While app developers are ultimately liable for such violations, it is clear that app stores like Google Play and Apple’s iTunes Store, as well as agencies like the Federal Trade Commission, need to play a greater role” (Washington Post, ¶7).

AppCensus was created by a collaboration of researchers with combined expertise in the fields of networking, privacy, security, and usability. This group has analyzed over 21K apps in an effort to identify use and misuse of personally identifiable information. The website contains a searchable database of mobile apps and provides known details on data privacy with regard to those apps. Of course, the best prevention of transmission of PII is to read the terms and conditions of the click agreement. However, most consumers do not read the agreements. Consumers can help protect their data by demanding more transparency from app developers and third-party advertisers. There is always the option to delete the app and to let the developer know why it was deleted.

POLICY INFORMATION

FERPA’s Collision With Social Media

“Do you have a FERPA problem?” This is the question Joel Buckman poses as he presents a social media situation that crosses the line and exposes personally identifiable information regarding a student. A teacher’s frustration and the ready access to social media can be a combination for disaster. Buckman reminds us of what is defined as an education record and who has rights to that record. He uncovers the sources of that information and states it could include staff email, student information systems, gradebooks, and extra-curricular participation records. Now expand that definition and consider that education records can also be created with smartphone use or video recordings during a class. The article clarifies who can have access to a student’s education records and reminds us that posting to social media would more than likely be outside that scope. “As part of a district’s administrative policy to prohibit nonconsensual disclosure to third parties, school districts might consider adopting districtwide social media or FERPA policies that prohibit staff from posting any such information” (Frontline, February 2017).

Policies and Other Information

Broward County Public Schools has a Privacy Information website. This webpage contains resources that may be of interest. Also, the County has Security Incident Handling Guidelines. Erie I BOCES has a Prevention, Response and Notification in the Event of a Breach policy available for review. The Privacy Technical Assistance Center offers a Data Breach Checklist. The checklist covers before, during and after a breach. It also contains useful links.

The Office of Information Technology Services offers draft policies on: Risk Assessment, Information Classification Resources, Remote Access, Acceptable Use Policies, and many more.


SCHOOLOGY ACCESS FOR PD

Your membership in the Data Privacy & Security Service (DPSS) includes access to a web-based security awareness training that follows a structured outline, including a formal assessment and printable certificates of completion. The training is based on the NIST SP800-16 standard (Information Technology Security Training Requirements as per the National Institute of Standards & Technology). Each session typically runs 15 minutes with 10 minutes for questions and answers. Security awareness training follows a structured outline, augmented by any customized content. Log in to the DPSS web site and click on the Professional Development tab to view the Information Security Course Overview as well as documentation and brief tutorials. We’ve provided a quick-start guide below to help get you started.

How to provide district staff the ability to self-enroll in the Data Privacy Schoology (DPS) course in three easy steps:

1. The RIC DPS administrator gives the District DPS administrator the Course Code.
2. The District DPS administrator gives the code to staff/teachers.
3. Teachers use the code to activate enrollment in the Security Course, whether or not they already have a Schoology account.

Teachers with a current Schoology account:

1. Navigate to www.Schoology.com
2. Select Log In: enter User Name and Password.
3. In the field labeled School or Postal Code, enter 12205 and choose Northeastern RIC.
4. Click Log In.
5. Click Courses → Join.
6. Type in the Access Code → click Join.

Teachers without a Schoology account:

1. Navigate to www.Schoology.com
2. Select Sign up > choose STUDENT.
3. You will be asked for the Access Code; enter the code given to you by the District admin.
4. Click Continue.
5. Fill in the requested information: First Name, Last Name, Email or Username, Password, Confirm Password.
6. Click Enter.
7. Go to Courses in the top menu bar, choose Information Security Quarterly Training and begin.

BEST PRACTICES IN PD ACCORDING TO COSN

CoSN collaborates with superintendents to assess their challenges and increase their capacities to lead technology efforts. The Empowered Superintendent web page provides resources that guide and empower superintendents and their leadership teams on important edtech topics, including these one-page reference sheets:

1. The Importance of Cybersecurity – The top 5 reasons why district tech leaders must make cybersecurity a priority.
2. Student Data Privacy – Five critical guidelines for ensuring data privacy in your use of technology.

Led by CoSN, the Trusted Learning Environment (TLE) Seal Program was developed by school system leaders for school system leaders. Created in collaboration with 28 school system leaders nationwide, supported by lead partners such as AASA, the School Superintendents Association, ASBO, the Association of School Business Officials International and ASCD, this group identified the characteristics and practices of a TLE, setting high standards around protecting student data. The TLE Seal Program provides school systems with concrete practices to evolve their student data protections beyond the legal requirements. Here are their recommendations for best practices in professional development:

1. Privacy and security of student data is embedded into training and professional development in all areas of school operations and academics.
2. The school system provides employees with up-to-date, easily accessible resources and documented processes, including exemplars and templates that facilitate student data privacy and security.
3. Parents are offered awareness training and resources about student data privacy and security.


RECENT EVENTS


Sarahah

There’s a new social media app called Sarahah that lets you send and receive comments from friends and strangers anonymously. The app draws from the contact list on your phone so that you can connect and send text messages to people without being identified. It was first developed to allow employees to share feedback with employers. The name Sarahah loosely translates to “honesty” or “frankly” in Arabic. The cyberbullying potential with this app is legion (HuffPost). Sarahah may be a contributor to the adolescent narcissism epidemic caused by social media. Teenagers are preoccupied with themselves and social media gives them a forum for their preoccupation. Things like followers and likes provide endorphin-like boosts to self-esteem. Add to this Sarahah’s anonymity and there is the potential for inappropriate remarks that bring out the worst in people. Srivastava, a counsellor and psychotherapist, states: “At a time when educational institutions are trying to take strong action against ragging and bullying, there is a need to understand that in the online space as well, adolescents are targets of trolling and cyber-bullying. Youth need to be educated on the ways of using technology appropriately and positively. Educational institutes and parents must also invest time and energy in inculcating proper values to adolescents, making them realize that cruelty in the name of honesty (for that is what the word Sarahah means in Arabic!) or self-expression is just as hurtful as exercising excessive liberties under the garb of anonymity. Responsibility of action needs to be taught. Parents and educators need to ensure not only that their child does not fall victim to cyberbullying, but also that they are not raising a bully themselves” (Firstpost, ¶8).

For further information contact your local RIC. Click here to find your local RIC contact.

Hack Attacks

International hackers got into the networks of four Florida school districts two months before the U.S. presidential election. Before they were discovered, they spent three months looking at personally identifiable data. But what they were really looking for was a network back door where they could slip into other sensitive government systems, including voting systems.

In this incident, the hackers did not succeed. But the attempt exposed the vulnerabilities of the networks as well as the amount of PII stored.

“If you’re trying to steal identities or cobble together identities, if you can get a person’s name, date of birth, home address, you’re starting to get a fairly complete record,” said Michael Kaiser, the executive director of the National Cyber Security Alliance. “Think of the things school districts have — it’s more than many businesses” (Miami Herald, ¶16).

“High school kids, almost all of them have a very clean slate when it comes to credit scoring. So they’re trying to gain access to a large volume of teenagers’ [information] that can help them down the road,” he said. “These guys have time. They’re willing to wait a year, two years before they can actually monetize that data” (Miami Herald, ¶17). Monetizing stolen Social Security numbers can bring in bucks. On the dark web, a stolen Social Security number could sell for $25 to $35; multiply that by the number of students in a school and it adds up.

For Subscribers to Service:

Digests & Archived Digests
Digital Debriefs
Inventory Tool
Information Security Online PD for Teachers
Digital Blasts
Winter Digest
Digital Citizenship
