Data Privacy & Security Digital Digest_Winter 2020

Data Privacy & Security Service

DIGITAL DIGEST

IN THIS ISSUE: Cyber Initiatives and Legislation, Online Safety, Cybersecurity Resources and more!

Cybersecurity Initiatives

The Cyber Ready Workforce Act

Bipartisan legislation was proposed by both the Senate and the House to address the cybersecurity workforce shortage we currently face. The Cyber Ready Workforce Act was introduced in the Senate by Senators Jacky Rosen (D-NV) and Kevin Cramer (R-ND) and by Congresspersons Susie Lee (D-NV) and Elise Stefanik (R-NY). The bill includes proposed legislation that would award grants for supporting the “creation, implementation and expansion of registered apprenticeship programs in cybersecurity.” The bill hasn’t picked up too much steam, but will hopefully be backed by more Members of Congress over time.

Click here to learn more about this bipartisan effort.

Arkansas Responds to School Cyber Threats

Arkansas has unveiled a School Cyber Threat Response team, a small group of IT professionals who will provide onsite support to Arkansas school districts in the event of a cyber attack, at no cost to the districts. This is the nation’s first P-12 cyber response team established by a state education agency. The response team plans to build the Arkansas Department of Education’s internal capacity to handle and respond to cyber threats based on hands-on experience in districts. Hopefully this model will be followed in other states as well.

Click here to learn more about this initiative to support Arkansas school districts in the event of a cyber attack.

Security

Privacy

In today’s digital age, the terms confidentiality, security, and privacy are used interchangeably. In reality, they are related but separate concepts that need to be more clearly defined and understood.

• Confidentiality ensures secret information is protected from unauthorized disclosure. Districts must have confidentiality controls in place and functioning to minimize the risk of breaches. Controls, such as encryption technology, must be revisited and updated on a regular basis.
• Integrity protects information from unauthorized modification; access controls are the major mechanism to enforce integrity requirements.
• Privacy protects the rights of an individual to control the information that the institution collects, maintains and shares with others.

Understanding these terms by all involved, along with good communication, ongoing training and open dialogue, is paramount to success. You can access the full article from EdTech using this link.

Social media can be a wonderful tool with many educational applications but it can also be the cause of many problems and liabilities for school districts. Experts recommend school districts follow these rules to prevent potential abuse or questionable relationships between teachers and students:

• Only allow contact through district electronic platforms and on district-provided devices “that restrict access to social media apps”
• Prohibit communication through personal email accounts, social media, texts, and calls

Use this link to learn how you can safely use social media platforms in your district.

Education Law 2-d Part 121 Update

The last 45-day public comment period for the proposed Part 121 regulations closed on December 9. The implementation timeline shown below is dependent upon the Board of Regents adopting the updated proposed Part 121 regulations in January. Visit the NYS Education Department’s Student Data Privacy page for the latest updates.

Comptroller’s Corner

The Office of the Comptroller conducted five Information Technology audits since October 2019. The results demonstrate a clear need for districts to address sensitive IT controls and to provide cybersecurity training for staff. Out of the five districts audited:

• One district did not regularly review network user accounts and disable those that were determined to be unnecessary.
• One district had hardware and software inventory records that were inaccurate and outdated.
• One district had four employees using Personal Internet on computers who routinely accessed personal, private and sensitive information (PPSI).
• Two districts did not monitor computer use policies or adopt adequate IT security policies.
• Two districts did not develop procedures for managing, limiting and monitoring user accounts and permissions and securing personal, private and sensitive information.
• Two districts did not have a disaster recovery plan.

Online Safety

Mobile App Fraud Is On the Rise

It is not surprising to learn from the Fraud and Risk Intelligent Unit at RSA Security that the digital ease and transformation with which we do business has introduced new risks that organizations not only need to be aware of but also manage. Global fraud attacks through phishing continue to increase, but a new threat via rogue mobile applications is now the fastest-growing concern in 2019. These attacks trick users by spoofing brands and legitimate organizations such as banks.

Read this article for more on this threat.

Girl Scouts Offer New Cybersecurity Badges

In recognition of the importance of understanding cybersecurity risks and threats, the Girl Scouts of America have come up with nine new badges that address this concern. Making girls “cyber-aware” will prepare them for future employment and may lead to careers in cybersecurity, a workforce gap we desperately need to fill.

Learn more about this new Girl Scout Initiative here.

IRS Advises Making Online Safety a Top Priority

The IRS is advocating to families to be mindful of the risks associated with sharing devices at home, shopping online, navigating the web and using social media platforms. Common sense conversations can include:

• Not revealing or sharing personal information
• Use of security software
• Phishing risks – clicking and downloading
• Thieves posing as legitimate organizations in calls and texts
• Safety concerns on the use of public wi-fi

Click here for additional guidance from the IRS.

Cybersecurity Resources

Click play to view this video on “Understanding COPPA” provided by the Student Privacy Resource Center.

The Cybersecurity and Infrastructure Security Agency offers CISA Insights

The Cybersecurity and Infrastructure Security Agency (CISA) provides information on cyber threats and exploits, as well as mitigation activities through CISA Insights. All Insights are “informed by U.S. cyber intelligence and real-world events” and new CISA Insights are updated as they become available.

Four new Insights products were released last fall that include information on:

• Mitigating DNS Tampering
• Remediating Vulnerabilities on Internet-Accessible Systems
• Securing High Value Assets
• Enhancing Email and Web Security

NYS CISO Cybersecurity Resources

The New York State Chief Information Security Office (CISO) provides the public with a variety of helpful cybersecurity resources, including training materials, incident reporting/breach notification resources, and more. Visit the main CISO Home Page and navigate to Cyber Security - you won’t be disappointed.

Thank you for reading the latest issue of the Data Privacy & Security Digital Digest. Contact your Local RIC for additional information on the Data Privacy and Security Initiative (DPS) and to view additional subscription components.
