SecurED Schools

The Learning Technology Center is hosting SecurED Schools (formerly K12 Data and Security Summit). Technology and education leaders will learn about data privacy and cybersecurity requirements, policies, and best-practice strategies during engaging presentations and hands-on activities. Workshops and sessions focus on four main strands: prevention and planning; intervention and response; policies, regulations, and leadership; and career and workforce development. Visit the SecurED page for more information.

Reasonable Security Practices for Cybersecurity and Data Privacy in IL K-12

Student Online Personal Protection Act (SOPPA) requires Illinois school districts to maintain reasonable security procedures and practices. Chris Wherley, Director of Technology Services for the Learning Technology Center, identifies practices that schools should adopt to meet SOPPA legislation.

This webinar will also feature the Center for Internet Security (CIS) Controls and the use of the CIS Controls Implementation Groups (IG), specifically IG 1, to help guide securing and protecting our schools. Participants will experience a demonstration of the CIS Controls Self-Assessment Tool (CSAT), a tool to help track what has been done and what else can be done. For more information, visit https://csat.cisecurity.org/

Achieving SOPPA Compliance with Reasonable Security Practices

The Student Online Personal Protection Act (SOPPA) requires all Illinois public school districts to provide additional guarantees to protect student data privacy, effective July 1, 2021 (105 ILCS 85/15). Among the requirements, the act directs schools to implement and maintain reasonable security procedures and practices that meet or exceed industry standards.

In preparation for SOPPA’s effective date, the Learning Technology Center selected 43 security best practices that all districts should implement to comply with this new legislation. The practices align with CIS Controls, a globally recognized cybersecurity standard, and are vetted by numerous Illinois school district technology leaders.

Although the Illinois State Board of Education will issue additional guidance throughout the coming year, these 43 security practices can form the foundation of a strong district-wide security program, starting today.

View Reasonable Security Practices

Legal Issues in School District Cybersecurity

Join Attorney Brandon K. Wright of Miller, Tracy, Braun, Funk & Miller, Ltd. as he discusses and takes your questions regarding the most important legal issues that arise with school district cybersecurity, data privacy, and related concerns. Whether it is remote learning, in-person tech use, or catching up on work on the weekend, are you ready to legally protect your school district’s network?

October is Cybersecurity Awareness Month

National Cybersecurity Awareness Month

Own IT. Secure IT. Protect IT.

National Cybersecurity Awareness Month (NCSAM) started in October 2004, and from 2009 until 2018, the theme was “Our Shared Responsibility”. This means ensuring security is a collective responsibility between corporations, governments, and citizens. This year the theme is “Own IT. Secure IT. Protect IT.” Below are 5 ways we can all take collective responsibility and protect ourselves.

Password vs. PassPhrase

Sites like useapassphrase.com demonstrate the value of longer passwords versus short complex ones. A password like “Wave1234%” can be cracked in about 1 minute, but “wave ocean sun%” will take 18 centuries to crack! In fact, using a longer password in the form of a passphrase with the required uppercase and lowercase letters, numbers and punctuation makes it more secure and easier to remember.

Use Different Passwords

Do yourself a favor and don’t repeat the same password across applications or store them in your Notes app. How can you have a different password for the hundreds of applications and sites you use? Password managers such as LastPass and 1Password are examples of a better solution. To log in to the manager, the user chooses one master password. When logging into applications, your device or the program’s browser extension will supply the specific username and password. For extra security, the manager will generate long and complex passwords.

2 Locks are Better than 1

You may have heard the terms, “Two-Factor Authentication”, “Two-Step Verification” or “Multi-Factor Authentication”. At its basic level, this is an additional password in the form of a code generated through a text message, an application, or a physical device in your possession. In addition to your password phrase, you have this second layer of protection to prove your identity. Sites such as G Suite for Education, Microsoft Office 365, Facebook, Twitter, and Instagram have this capability. For more information, visit https://twofactorauth.org.

Compromised?

If you suspect foul play, visit these sites to learn about security breaches:

Have I Been Pwned – https://haveibeenpwned.com/
Firefox Monitor – https://monitor.firefox.com/

You can also use these sites to monitor and protect yourself from future incidents. If your email or password is listed, change your password on the affected site(s) and anywhere else you may have used it.

Don’t Get Hooked by a Phishing Attempt

Phishing is generally an attempt through email to get you to click on an attachment or a link to gain access to your device or login credentials. This could also be attempted through social media, texting, or even a phone call. Take Google’s phishing quiz/tutorial and click through the Show Me prompts to learn what to look for. In case of any phishing-like attempt, notify your technical support team so that they can notify others and help protect you.

More Resources

Here are some additional NCSAM resources
National Initiative for Cybersecurity Careers and Studies and Homeland Security
NCSAM 2019 Toolkit

Checking the Checkboxes: NIST Cybersecurity Framework

Checklists are widely recognized as important tools for many professions. Atul Gawande, a surgeon and the author of The Checklist Manifesto: How to Get Things Right, writes about checklists used in medicine and aviation to achieve better and safer results by ensuring that all necessary steps in a process, no matter how small, are completed. The checklist principle can be applied to technology in K-12 schools and specifically to the area of cybersecurity.

Cybersecurity issues are regularly in the news, as illustrated by the number of incidents (681 at the time of this post) reported on the K12 Cyber Incident Map. The quantity of incidents increases each year, and it is the responsibility of the school district technology leader to ensure that either these incidents do not happen in the first place, or that the impact on people, time, and money is lessened. For many of the same reasons that medicine and aviation professionals adopted checklists, technology leaders should consider adopting a checklist like the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which provides the functions, categories, and subcategories to form a high-level checklist of cybersecurity measures needed at an organizational level. The 5 major functions of the framework are Identify, Protect, Detect, Respond, and Recover and there are 23 categories and 108 sub-categories. This is the ultimate checklist for cybersecurity.

See the full NIST CSF
Google Sheet Format – http://bit.ly/webinarNISTchecklist 

The checklist is complex, and several organizations provide free resources to help technology leaders understand and apply the framework. The Center for Internet Security (CIS) has a set of tools, controls, and benchmarks that can be used to help identify, protect, detect, respond and recover. CIS SecureSuite provides free membership to schools that includes tools, resources, and webinars. The Multi-State Information Sharing & Analysis Center (MS-ISAC) is also available through CIS, and it provides advisories and notifications, webcasts, malicious domain/IP reports, and awareness/education materials.

Additional ways to learn how to begin checking the checkboxes of the NIST CSF are to attend workshops and conferences offered by organizations such as the Learning Technology Center (LTC), Illinois Education Technology Leaders (IETL, the state chapter of CoSN), and Illinois Digital Educators Association (IDEA, formerly ICE, the state chapter of ISTE). In addition to learning about ideas and discovering resources, another reason to attend professional learning events is to build a network of people who are encountering and sharing many of the same experiences.

To give you a head start, here is a checklist of items that you can use to begin the process of learning more about the NIST Cybersecurity Framework, so you can start checking the checkboxes and make an impact on your school environment.

Build Your Network

Research and Learn

Sign Up for Memberships

Attend Professional Learning Events

Data and Security Summit

Doug Levin, the CEO and Founder of EdTech Strategies, kicked off the event by sharing his work publicly tracking school cybersecurity incidents as part of the K-12 Cyber Incident Map, driving home the point that schools across the country, including Illinois, are dealing with cybersecurity incidents.

Breakout sessions and whole group conversations throughout the day were facilitated by Ross Lemke, the Director of the U.S. Department of Education’s Privacy and Technical Assistance Center; Chris Hill, the Chief Information Security Officer for the Illinois Department of Innovation and Technology; and Chris Wherley, the Learning Technology Center’s Network and Technology Services Coordinator.

As the day progressed, common themes surfaced in many sessions: school districts are vulnerable, communication and planning are essential, and security is a shared responsibility between all district leaders and not just the technology staff.

In case you missed the events, here are the presentations and resources:

Among our favorite tools referenced are: