7 Your Cybersecurity Responsibilities

Basics

Cybersecurity is everyone’s responsibility. Knowing how to use devices and the network safely, how to keep information and data secure, and what to do in the inevitable case of an encounter with malware or a cybercriminal are critical responsibilities that everyone in your district should understand, even when some of those users are only five years old. Not only should you know how to stay vigilant against cybersecurity threats, you are also on the front line for preparing others to maintain their vigilance. This entire module on cybersecurity will prepare you for those responsibilities and is informed by best practices and frameworks from state and national cybersecurity organizations. Part of your responsibility will be to keep up with changes in those frameworks and best practices so that your network and users stay secure.

You should know the following terms:

  • Critical infrastructure
  • Personally Identifiable Information (PII)
  • Directory Information
  • Family Educational Rights and Privacy Act (FERPA)

Advocating for Cybersecurity Practices

The National Institute of Standards and Technology (NIST) developed the Framework for Improving Critical Infrastructure Cybersecurity, commonly called the NIST Cybersecurity Framework (CSF). Version 1.1, the version summarized in this module, was published in 2018. The Framework is a living document that NIST updates over time; version 2.0, released in February 2024, adds a sixth function, Govern, to the five described below, so check which version your district’s policies reference. The Framework was designed because cybersecurity threats place “the Nation’s security, economy, and public safety and health at risk.” According to the Framework, cybersecurity threats drive up costs for any organization and can limit an organization’s ability to innovate.

Your school system can be considered part of the critical infrastructure of your community, state, and the country. Critical infrastructure refers to “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters” (USA PATRIOT Act of 2001). Organizations that make up part of the critical infrastructure are responsible for having a consistent and iterative approach to identifying, assessing, and managing cybersecurity risk, regardless of how large or small the organization is, its level of exposure to threats, or its cybersecurity sophistication.

The Framework includes a methodology for protecting individual privacy and civil liberties that should complement the processes that already exist in your district and guide privacy risk management through your district’s approach to cybersecurity risk management. Integrating privacy and cybersecurity can standardize how information is shared across your district and simplify business operations.

The Framework is organized by five key functions:

  1. Identify. Develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
  2. Protect. Develop and implement the appropriate safeguards to ensure delivery of critical services.
  3. Detect. Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  4. Respond. Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
  5. Recover. Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

This module includes information related to each of those five key functions. Your obligation to your district and your IT department is to understand your own responsibilities under each function and to advocate that staff, students, and families follow best practices to reduce cybersecurity risk and follow the guidelines for reporting potential incidents when they occur.

Protecting Data

School personnel have long had to follow state and federal legislation that limits what kinds of data can be shared and for what purposes. We live at a time when near-ubiquitous access to digital devices makes it easy to create and share information of all types, including pictures and videos, not just text. The ease with which data can be created and shared has placed greater requirements on schools, and on their IT departments, to safeguard it. These requirements fall under existing and newly evolving state and federal legislation.

Protecting Personally Identifiable Information (PII) has become an important component of cybersecurity practice in schools and beyond. The U.S. Department of Labor describes PII as “any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.” It includes any information that is unique to an individual and can identify them, such as names; home and email addresses; phone numbers; account information; and other data. Note the “indirect means” in that definition: a combination of individually harmless fields, such as grade level, birth date, and ZIP code, can identify a student even when the name has been removed, so a spreadsheet is not safe to share just because the name column was deleted.

More than a dozen states have enacted student privacy laws for the digital age that are intended to prevent vendors and others from collecting and using students’ PII without their consent or that of their guardians. Many districts review the data practices of any vendor that provides resources students interact with. Unfortunately, teachers may find and use online resources that have not undergone the same scrutiny and can inadvertently put student data at risk when using a new online tool.

PII can include the type of information called directory information that is defined by the Family Educational Rights and Privacy Act (FERPA). FERPA restricts disclosure of student education records, such as grades, without consent. When gradebooks were on paper, they were often kept in locked file cabinets in fire-safe vaults or other protected areas for years. Now that most districts use digital grading resources, such as learning management systems (LMS) and student information systems (SIS), grades are much more easily shared. Students, teachers, and staff should share student performance data and any other student PII only through secure means. Your district may help teachers do this by providing encryption for email and for the transfer of other data; in some cases this is required by law. Simply putting a disclaimer notice on external emails does not prevent the sharing of PII.

FERPA does allow schools to publish directory information for some purposes, such as listing student names in the program for a school play or on a sports roster. As a member of the IT department, you may have access to PII for staff and students, especially around the use of user credentials. Depending on your level of access, you may or may not have access to email and password records, but if you do, you should know that these are considered PII, not directory information, and must not be shared. Passwords in particular should never be readable by anyone, including IT staff: a properly configured system stores only a salted hash of each password, and a user who has forgotten one is helped through the reset process, never by someone looking it up or sending it by email.

Best Practices

The first stop for cybersecurity resources for every school district in Michigan is MISecure.org. This website, produced by Michigan Education Technology Leaders (METL), provides helpful resources to districts, such as the Quick Self-Audit tool and professional learning resources. Someone in your district or nearby is likely already a member. MISecure.org also published the Essential Cybersecurity Practices for K12.

The Center for Internet Security® (CIS) is an independent nonprofit organization known for its regularly updated Critical Security Controls®, now at version 8, which are referenced throughout this toolkit. The 18 controls are a “prescriptive, prioritized, highly focused” set of safeguards for defending against the most common and damaging cyberattacks, published under the umbrella of CIS Security Best Practices. The controls are organized into three Implementation Groups (IG1, IG2, and IG3) based on an organization’s size, risk profile, and the staff it can dedicate to cybersecurity, from a small-to-medium organization with limited security expertise (IG1) to an organization that employs multiple experts specializing in different facets of cybersecurity (IG3), such as risk management, penetration testing, and application security. CIS describes IG1 as essential cyber hygiene, the baseline every organization, including a small district, should implement first.

The Cybersecurity & Infrastructure Security Agency (CISA) publishes a list of Cross-Sector Cybersecurity Performance Goals (CPG). These voluntary goals provide a common set of cybersecurity practices that are fundamental for critical infrastructure and are especially designed to help small and medium-sized organizations establish, implement, and maintain cybersecurity best practices. To support conversations in your district, CISA has also created a CPG Checklist that you can use to self-assess your district’s cybersecurity strategies and practices in eight areas:

  1. Account Security
  2. Device Security
  3. Data Security
  4. Governance and Training
  5. Vulnerability Management
  6. Supply Chain/Third Party
  7. Response and Recovery
  8. Other (Network segmentation, Detecting relevant threats, Email security)

Here are additional resources you may find useful:

Complete the following task or self-assessment:

Choose to do one or both of the following tasks:

  • Review the components of Getting Started with the NIST Cybersecurity Framework: A Quick Start Guide and identify your responsibilities under each component of the five key functions.
  • Download and review the 20 questions in the MISecure Quick Self-Audit. These questions can help you think about cybersecurity more comprehensively and identify areas where your district appears well prepared and areas for improvement. Consider with whom you can share your findings after reflecting on the questions.