Cybersecurity Tips and Tools Webinars

A follow up webinar, "Establishing an Information Security Plan, Session 2," was delivered on April 12, 2017.

The third video in the webinar series on Cybersecurity Tips and Tools—"Conducting a Risk Assessment, Session 3"—was delivered on May 10, 2017.

The following webinar, "Incident Response: Being Prepared, Session 4," was delivered by Frosty Walker, Chief Information Security Officer at the Texas Education Agency, on September 13, 2017.

The presentation slides are available for download.

The following webinar, "Training: What is Available at No Cost" was delivered on October 11, 2017, and is the second in the 2017 fall series of Cybersecurity webinars presented by Frosty Walker, Chief Information Security Officer at the Texas Education Agency. The presentation slides are available for download.

The "Guidelines for Cybersecurity Documentation" training was presented on November 8, 2017. The presentation slides are available for download.

The "Cybersecurity/Privacy Awareness" training was presented on March 7, 2018. The presentation slides are available for download.

The April 11th webinar provides information regarding Securing Mobile Devices. Whether mobile devices are provided by your organization or you have a Bring Your Own Device (BYOD) policy, measures need to be implemented to adequately protect your information. Along with the webinar, the presentation slides and FAQs are available for download.

The May 9, 2018, webinar provides information regarding Data Privacy Agreements, and what needs to be included in your agreements with vendors and third parties to help you protect student, parent, and staff information. The presentation from the webinar is available for download.

Fall 2018 Cybersecurity Webinars

TEA would like to inform school districts and open-enrollment charter schools of an upcoming opportunity to participate in a webinar being conducted by TEA. The webinar will be led by TEA's Chief Information Security Officer, Frosty Walker, in collaboration with the Data Security Advisory Committee (DSAC) to provide insight regarding the resources available at the Cyber Security Tips and Tools section of the Texas Gateway portal.

Data Security Advisory Committee
The DSAC, consisting of members of school districts and Education Service Centers (ESCs), provides guidance to Texas education communities on maximizing collaboration and communication regarding information security issues and resources. The DSAC has reviewed and recommended the Cybersecurity Tips and Tools, which have been shared on the portal.

Wednesday, September 12, 2018

1:00 p.m.–2:00 p.m. CDT

Webinar Registration

The September 12th webinar provides information around communication needs during a cybersecurity incident. Internal communications, external communications, and communications with the media during a crisis are all difficult tasks. This presentation will cover processes for better communication during your incident and for conveying the efforts your organization is taking to resolve the issue.

Representatives interested in information security issues and resources that can be utilized within the education community are encouraged to attend.

Wednesday, October 17, 2018

1:00 p.m.–2:00 p.m. CST

Webinar Registration

The October 17th webinar provides information which can be used to perform cybersecurity incident exercises. These exercises will help you identify any gaps in your incident response plan which might need attention should there be a real cybersecurity incident. Practicing will help your organization be better prepared for successfully preventing, detecting, responding to, and recovering from a cybersecurity incident.

Representatives interested in information security issues and resources that can be utilized within the education community are encouraged to attend.

Wednesday, November 28, 2018

1:00 p.m.–2:00 p.m. CST

Webinar Registration

The November 28th webinar provides information on improving your websites and ways to help protect the information shared on them. This presentation will cover some of the key steps that can be taken to improve your websites’ cybersecurity posture.

Representatives interested in information security issues and resources that can be utilized within the education community are encouraged to attend.

For additional information, contact Frosty Walker.


Cyber Advisory: New Type of Cyber Extortion/Threat Attack

Summary

Schools have long been targets for cyber thieves and criminals. We are writing to let you know of a new threat, where the criminals are seeking to extort money from school districts and other educational institutions on the threat of releasing sensitive data from student records. In some cases, this has included threats of violence, shaming, or bullying the children unless payment is received.

These attacks are being actively investigated by the FBI, and it is important to note that none of the threats of violence have thus far been judged to be credible. At least three states have been affected.

How to Protect Yourself
The attackers are likely targeting districts with weak data security, or well-known vulnerabilities that enable the attackers to gain access to sensitive data. This may be in the form of electronic attacks against school/district computers or applications, malicious software, or even through phishing attacks against staff or employees.

IT staff at schools and districts are encouraged to protect their organizations by

  • conducting security audits to identify weaknesses and update/patch vulnerable systems;
  • ensuring proper audit logs are created and reviewed routinely for suspicious activity;
  • training staff and students on data security best practices and phishing/social engineering awareness; and
  • reviewing all sensitive data to verify that outside access is appropriately limited.

What to Do if This Happens to You
If your organization is affected by this type of attack, it is important to contact local law enforcement immediately. It's not mandatory, but if you are an affected K12 school, please contact us at privacyTA@ed.gov so that we can monitor the spread of this threat. Additionally, the Privacy Technical Assistance Center (PTAC) website contains a wealth of information that may be helpful in responding to and recovering from cyber attacks.

While this new threat has thus far been directed only at K12, institutions of higher education should know that they are required to notify the Office of Federal Student Aid (FSA) of data breaches via email pursuant to the Gramm-Leach-Bliley Act (GLBA) and their Title IV participation and SAIG agreements. Additional proactive tools for institutions of higher education are available at our Cybersecurity page on ifap.ed.gov.

Data Breach or PII Exposure Exercises

The following two exercises ask you to consider the appropriate actions to take in the event of a data breach or personally identifiable information (PII) exposure. After reading each slide, consider your next course of action, and list the steps you'd take. Then, move to the next slide.

Questions and Considerations for Cloud Providers

If your district is considering moving its data to a cloud provider, there are some basic questions to ask in order to determine if this host environment can safely and effectively store your sensitive data. Click the key words below to learn more.

HEISC Tool

The EDUCAUSE HEISC assessment tool was created to evaluate the maturity of higher education information security programs using as a framework the International Organization for Standardization (ISO) 27002:2013 "Information Technology Security Techniques. Code of Practice for Information Security Management."

This tool was intended for use by an institution as a whole, although a unit within an institution may also use it to help determine the maturity of its individual information security program. Unless otherwise noted, it should be completed by the chief information officer, chief information security officer or equivalent, or a designee. There are a total of 101 questions. On average it takes about 2 hours for an information security officer or equivalent familiar with their environment to complete this tool.

The self-assessment has been designed to be completed annually or at the frequency your institution feels is appropriate to track maturity. The assessment tool uses the ISO 21827:2008 framework for scoring maturity, which scales from 0 to 5, with 5 being the highest level of maturity:

0. Not Performed
1. Performed Informally
2. Planned
3. Well Defined
4. Quantitatively Controlled
5. Continuously Improving

Answer each question by selecting the appropriate level of maturity, 0–5. The scores within each ISO section are summed and then averaged to provide a maturity assessment for that section.


District Tools: NDA Sample and Information Security Policy Template

Texas Cybersecurity Framework


There are 40 Cybersecurity attributes that DIR is tracking under SB1597, and the linked Information Security Plan Summary spreadsheet shows this tracking in a bar chart. The numbering has been randomized on purpose, so feel free to share it.

For each Cybersecurity objective, update columns D through I with the agency's self-assessment as to percentage (in whole numbers) of the organization that meets the DIR standard for maturity.

Column K tabulates the entries' "points" and normalizes the 6 grade levels that reflect the maturity score for the Cybersecurity objective.

Column L converts the objectives' points to the CMMI scale.

Cybrary Information: Free Cybersecurity Training

You can improve your cybersecurity awareness through free educational resources.

Cybersecurity is quickly evolving. Keep your team a step ahead by developing their skills.

Cybrary provides

  • access to Cybrary's complete course library with over 2,000 lessons,
  • learning paths for learning outside the classroom, and
  • reporting tools to track course completions and site usage.

Visit Cybrary to view the complete topic catalog.


Frequently Asked Questions

Question: What is the website where the cybersecurity information is shared?

Answer: https://www.texasgateway.org/resource/cyber-security-tips-and-tools

Question: Is the security framework plan being discussed a TEA mandate?

Answer: No. The security framework plan and the tips and tools are recommendations to address cybersecurity issues being encountered by the education community and improve overall cybersecurity posture.

Question: Are the cybersecurity webinars being recorded and will they be available for future review?

Answer: Yes. The cybersecurity webinars are being recorded and will be available to view at https://www.texasgateway.org/resource/cyber-security-tips-and-tools.

Question: You mentioned some available courses. How can I access them?

Answer: The free online training discussed in the webinar regarding cyber security and IT related topics is available through an online resource called Cybrary. More information regarding Cybrary is available at https://www.texasgateway.org/resource/cyber-security-tips-and-tools.

Questions and Answers from the September 13th webinar: Cyber Security Tips and Tools—Incident Response, Being Prepared

Can you tell me the difference between internal FERPA versus external FERPA release?
An educational agency or institution may disclose FERPA-protected information without parental consent to other school officials, including teachers, within the agency or institution if the agency or institution has determined the officials have a legitimate educational interest. A contractor, consultant, volunteer, or other party to whom the school district has outsourced institutional services or functions may be considered a school official provided the party performs a function for which the district would otherwise use employees and is under the direct control of the district in regard to the use and maintenance of education records. Neither FERPA nor its regulations define the required legitimate educational interest a school official must have to justify disclosure internally, but DOE has stated a school official generally has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibility. The FERPA regulations provide that if an educational agency or institution wishes to disclose education records without parental consent under the “school officials” exception, it must establish policies delineating which employees qualify as school officials and what constitutes a legitimate educational interest.

Many Student Information Systems (SIS) have a place for shot records, medicine taken by a student, etc. If a SIS is used by a nurse to track this information is that data subject to HIPAA rules and in turn do the districts have to follow HIPAA rules?
Student health records, including immunization records, maintained by an educational agency or institution, including records maintained by a school nurse, are education records subject to FERPA. HIPAA’s regulations state that records that are subject to FERPA are not subject to HIPAA.

How does HIPAA relate to this and to the district? Does it impact a breach in some way differently?
HIPAA’s regulations state that records that are subject to FERPA are not subject to HIPAA. Student health records, including immunization records, maintained by an educational agency or institution, including records maintained by a school nurse, are education records subject to FERPA.

May I get a copy of the Incident Response Team Red Book?
Yes, the Incident Response Team Red Book is available for download by clicking on the hyperlink, and it is also located at the bottom of the page under Related Items, documents.

Will a copy of the PowerPoint presentation be made available for the attendees?
Yes, the slide deck is posted at https://www.texasgateway.org/ in the Cybersecurity Tips and Tools section, along with a recording of the presentation, Incident Response: Being Prepared, Session 4.

Is there any additional coordination we need to do with our Education Service Centers?
Anytime you are dealing with a potential exposure of sensitive identifying information, I recommend coordinating with your ESC. They can be a valuable resource and can also alert other ESCs of a potential threat, which might prevent additional similar exposures. Please do not hesitate to contact Frosty Walker at frosty.walker@tea.texas.gov or 512 463-5095 for assistance.

When will TEA stop requiring SSNs (except for the one-time generation of TSDS numbers and then using the TSDS number thereafter)?
TEA works with other entities, such as institutes of higher education and the Texas Workforce Commission, which need the SSN to correlate information as students progress into higher education and into the workforce.

What is the best process to use when data is published to the web and is accessible through Google, and while you can remove the source document, Google keeps the document available in its cache?
You can notify Google, but it will take days before it's gone. Should you experience an exposure of sensitive information at a website which you do not control, you will need to work with the site ownership to remove the data. This may take time, and the data may continue to be cached for several days. This is a situation in which law enforcement may be able to assist.

In a decentralized environment, which department should champion, if not push, Cybersecurity initiatives? We do not have a CISO.
In most decentralized environments, the Information Technology department; however, that decision should be made by your leadership.

What is the URL for the Texas Gateway?
https://www.texasgateway.org/

Will you please post the slide deck from this presentation?
Yes, the slide deck is posted at https://www.texasgateway.org/ in the Cybersecurity Tips and Tools section, along with a recording of the presentation, Incident Response: Being Prepared, Session 4.

Questions and Answers from the April 11, 2018, webinar on Mobile Security—Session 8

Anyone in the education community wishing to contact an individual LEA regarding a product they are using should contact frosty.walker@tea.texas.gov.

When it comes to BitLocker, do you recommend having it on all district laptops? Any reason I wouldn't want it on all laptops?
Yes, if you are using Windows, I recommend using BitLocker to provide whole disk encryption on all laptops. Laptops which are checked in and out may create some additional management issues; however, whole disk encryption provides huge dividends if one is stolen or lost. If you wish to use a third party to provide whole disk encryption, that’s fine too.

Does TEA use an MDM, and if so, which one?
TEA’s MDM is scheduled to be replaced in 2019. We will review Gartner’s analysis of the products currently available and pick the one which meets our needs.

What MDMs are best for BYOD? Specifically, personal cell phones.
If you are looking at managing BYOD devices other than by policy, an Enterprise Mobility Management product which provides containerization is what I would recommend. Gartner's Magic Quadrant shows VMware, MobileIron and IBM as the leaders and Sophos, Ivanti, Microsoft, SOTI and Citrix as the visionaries.

Any advice on MDM products that can handle Microsoft, Android, OS X and iOS devices combined?
We use FileWave. It handles them all. (a Texas LEA)
I like Miradore as an MDM for all devices. FYI (a Texas LEA)
AirWatch will manage all those platforms. (a Texas LEA)
We use a product called Ivanti. While it manages all, it is not perfect. It is better on Win but not as good as JAMF on iOS. (a Texas LEA)

Does TEA have or can provide a policy for encryption or other security-related issues and can it be shared?

It would be great if we could get a template for Technology Related Policies, much like what TEA does for Code of Conduct and Student Handbook.

I'd love to have those policies too, please.

Do you have any policies on IT security?

We have shared a template on IT security policies at: https://www.texasgateway.org/sites/default/files/resources/documents/InformationSecurityPolicyTemplate.docx


Texas Education Agency Correspondence on Cybersecurity