Virtual Meeting Security Considerations

As we increase our use of online lessons and meetings, we need to be especially diligent with our cybersecurity efforts to protect the confidentiality, integrity, and availability of student and staff information. This session will review some common virtual meeting platforms, and how best to secure these meetings.

The presentation slides are available for downloading.

Cybersecurity Challenges with a Remote Workforce—Special Edition

The March 23rd webinar covered some of the cybersecurity challenges we face with a remote workforce and remote classrooms. Users may have less protection from malware and phishing scams when deployed remotely versus when working in district facilities. We will cover some of the challenges and how to improve cybersecurity under these unusual conditions.

Cybersecurity Challenges with a Remote Workforce Questions and Answers are available for downloading/

SB 820 and HB 3834 (86th) Updates for Texas School Districts

The Cybersecurity Tips and Tools webinar, SB 820 and HB 3834 (86th) Updates for Texas School Districts, was provided by Frosty Walker, Chief Information Security Officer for the Texas Education Agency, on January 29, 2020. The presentation slides are available for the January 29th webinar.

Basic Incident Response

The November 6th webinar provided information regarding Basic Incident Response and the impact of a cybersecurity incident for your organization. This presentation covered the fundamental steps your organization will need to perform when a cyber event becomes an incident. Understanding the Basic Incident Response fundamentals will help cybersecurity coordinators being compliant with SB 820 requirements in reporting a breach of system security.

The presentation slides are available for downloading.

Texas Cybersecurity Framework

Frosty Walker, TEA's Chief Information Security Officer, presented an October 2nd webinar on the Texas Cybersecurity Framework (TCF) and its primary function. This presentation provided information on the fundamental categories of Identify, Protect, Detect, Respond and Recover, which are incorporated into the TCF. The TCF meets the requirements for the cybersecurity policy in SB 820. Understanding the categories and the objectives for each can be beneficial to your end users and assist your organization in complying with SB 820.

The presentation slides for the Texas Cybersecurity Framework are available for downloading. Questions and Answers are also available. 

Cybersecurity Tips and Tools—Ransomware Prevention, Detection, and Recovery

Led by TEA's Chief Information Security Officer, Frosty Walker, the September 4, 2019, webinar provides information on how best to protect information resources from a ransomware attack. TEA was joined by a special guest from the FBI, sharing expertise on ransomware and answering questions.

The Ransomware webinar addressed the following topics:

• Types of ransomware and their effects
• How ransomware works
• Dos and don’ts of ransomware
• Prevention and detection
• How to remove ransomware
• Ransomware recovery/resources

Superintendents, cybersecurity coordinators, and representatives interested in cybersecurity issues and resources, which can be utilized within the education communities, are encouraged to view this webinar.

The ransomware slides and the questions and answers for the ransomware presentation are available for downloading.

SB820 and HB3834 Impact on and Requirements for Texas School Districts

The September 11th webinar provides information on SB 820 and HB 3834 and their potential impacts for Texas school districts. The presentation will include planned processes to address the requirements established by the bills’ amendments to the Texas Education Code and Government Code.

The SB820 and HB3834 slides are available for downloading. Questions and Answers from the SB820 and HB3834 are also available.

The Texas Cybersecurity Framework is a self-assessment to determine cybersecurity risks.  This sample is populated with examples of how to rate yourself based on the 6 levels identified at the bottom of the first tab (SAMPLE TCF).  Once you have rated yourself in all 40 objectives the graph help determine highest risks and prioritization for mitigation. The roadmap with help identify processes and documentation needed to reach 3.0 in each objective.

For each Cybersecurity objective, update columns D through I with the agency's self-assessment as to percentage (in whole numbers) of the organization that meets the DIR standard for maturity.

Column K tabulates the entries' "points" and normalizes the 6 grade levels that reflect the maturity score for the Cybersecurity objective.

Column L converts the objectives' points to the CMMI scale.

Summary

Schools have long been targets for cyber thieves and criminals. We are writing to let you know of a new threat, where the criminals are seeking to extort money from school districts and other educational institutions on the threat of releasing sensitive data from student records. In some cases, this has included threats of violence, shaming, or bullying the children unless payment is received.

These attacks are being actively investigated by the FBI, and it is important to note that none of the threats of violence have thus far been judged to be credible. At least three states have been affected.

How to Protect Yourself
The attackers are likely targeting districts with weak data security, or well-known vulnerabilities that enable the attackers to gain access to sensitive data. This may be in the form of electronic attacks against school/district computers or applications, malicious software, or even through phishing attacks against staff or employees.

IT Staff at Schools/Districts are encouraged to protect your organizations by

• conducting security audits to identify weaknesses and update/patch vulnerable systems;
• ensuring proper audit logs are created and reviewed routinely for suspicious activity;
• training staff and students on data security best practices and phishing/social engineering awareness; and
• reviewing all sensitive data to verify that outside access is appropriately limited.

What to Do if This Happens to You
If your organization is affected by this type of attack, it is important to contact local law enforcement immediately. It's not mandatory, but if you are an affected K12 school, please contact us at privacyTA@ed.gov so that we can monitor the spread of this threat. Additionally, the Privacy Technical Assistance Center (PTAC) website contains a wealth of information that may be helpful in responding to and recovering from cyber attacks.

While this new threat has thus far been directed only to K12, institutions of higher education should know that they are required to notify the Office of Federal Student Aid (FSA) of data breaches via email pursuant to the GLBA Act, and your Title IV participation and SAIG agreements.  Additional proactive tools for institutions of higher education are available at our Cybersecurity page on ifap.ed.gov.

The following two exercises ask you to consider the appropriate actions to take in the event of a data breach or personally identifiable information (PII) exposure. After reading each slide, consider your next course of action, and list the steps you'd take. Then, move to the next slide.

If your district is considering moving its data to a cloud provider, there are some basic questions to ask in order to determine if this host environment can safely and effectively store your sensitive data. Click the key words below to learn more.

The EDUCAUSE HEISC assessment tool was created to evaluate the maturity of higher education information security programs using as a framework the International Organization for Standardization (ISO) 27002:2013 "Information Technology Security Techniques. Code of Practice for Information Security Management."

This tool was intended for use by an institution as a whole, although a unit within an institution may also use it to help determine the maturity of its individual information security program. Unless otherwise noted, it should be completed by the chief information officer, chief information security officer or equivalent, or a designee. There are a total of 101 questions. On average it takes about 2 hours for an information security officer or equivalent familiar with their environment to complete this tool.

The self-assessment has been designed to be completed annually or at the frequency your institution feels is appropriate to track maturity. The assessment tool uses the ISO 21827:2008 framework for scoring maturing, which scales from 0 to 5, with 5 being the highest level of maturity:

0. Not Performed
1. Performed Informally
2. Planned
3. Well Defined
4. Quantitatively Controlled
5. Continuously Improving

Answer each question by selecting the appropriate level of maturity, 0–5. Each ISO section will be added up then averaged to provide a maturity assessment for the given section.

Information Security Acknowledgement and Nondisclosure Agreement

Information Security Policy Template

You can improve your cybersecurity awareness through free educational resources.

Cybersecurity is quickly evolving. Keep your team a step ahead by developing their skills.

Cybrary provides

• access to Cybrary's complete course library with over 2,000+ lessons,
• learning paths for learning outside the classroom, and
• reporting tools to track course completions and site usage.

Visit Cybrary to view the complete topic catalog.

Question: What is the website where the cybersecurity information is shared?

Answer: https://www.texasgateway.org/resource/cybersecurity-tips-and-tools

Question: Is the security framework plan being discussed a TEA mandate?

Answer:  No. The security framework plan and the tips and tools are recommendations to address cybersecurity issues being encountered by the education community and improve overall cybersecurity posture.

Question:  Are the cybersecurity webinars being recorded and will they be available for future review?

Answer: Yes. The cybersecurity webinars are being recorded and will be available to view at https://www.texasgateway.org/resource/cybersecurity-tips-and-tools.

Question:  You mentioned some available courses. How can I access them?

Answer:  The free online training discussed in the webinar regarding cyber security and IT related topics is available through an online resource called Cybrary.  More information regarding Cybrary is available at https://www.texasgateway.org/resource/cybersecurity-tips-and-tools.

Questions and Answers from the September 13th webinar: Cyber Security Tips and Tools—Incident Response, Being Prepared

Can you tell me the difference between internal FERPA versus external FERPA release?
An educational agency or institution may disclose FERPA-protected information without parental consent to other school officials, including teachers, within the agency or institution if the agency or institution has determined the officials have a legitimate educational interest.  A contractor, consultant, volunteer, or other party to whom the school district has outsourced institutional services or functions may be considered a school official provided the party performs a function for which the district would otherwise use employees and is under the direct control of the district in regard to the use and maintenance of education records.  Neither FERPA nor its regulations define the required legitimate educational interest a school official must have to justify disclosure internally, but DOE has stated a school official generally has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibility.  The FERPA regulations provide if an educational agency or institution wishes to disclose education records without parental consent under the “school officials” exception, it must establish policies delineating which employees qualify as school officials and what constitutes a legitimate education interest.

Many Student Information Systems (SIS) have a place for shot records, medicine taken by a student, etc. If a SIS is used by a nurse to track this information is that data subject to HIPAA rules and in turn do the districts have to follow HIPAA rules?
Student health records, including immunization records, maintained by an educational agency or institution, including records maintained by a school nurse, are education records subject to FERPA.  HIPAA’s regulations state that records that are subject to FERPA are not subject to HIPAA.

How does HIPAA relate to this and to the district?  Does it impact a breach in some way differently?
HIPAA’s regulations state that records that are subject to FERPA are not subject to HIPAA.  Student health records, including immunization records, maintained by an educational agency or institution, including records maintained by a school nurse, are education records subject to FERPA.

May I get a copy of the Incident Response Team Red Book?
Yes, the Incident Response Team Red Book is available for download by clicking on the hyperlink, and it is also located at the bottom of the page under Related Items, documents.

Will a copy of the PowerPoint presentation be made available for the attendees?
Yes, the slide deck is posted at: https://www.texasgateway.org/ in the Cybersecurity Tips and Tool section along with a recording of the presentation, Incident Response: Being Prepared, Session 4.

Is there any additional coordination we need to do with our Education Service Centers?
Anytime you are dealing with a potential exposure of sensitive identifying information, I recommend coordinating with your ESC.  They can be a valuable resource and also alert other ESCs of a potential threat which might prevent additional similar exposures.  Please do not hesitate to contact Frosty Walker at frosty.walker@tea.texas.gov or 512 463-5095 for assistance.

When will TEA stop requiring SSNs (except for the one time generating of TSDS numbers and then using TSDS number thereafter)?
TEA works with other entities such as institutes of higher education and the Texas Work Commission which need the SSN to correlate information as students progress into higher education and into the workforce.

What is the best process to use when data is published to the web and is accessible through Google and while you can remove the source document, Google keeps the document available on the cache?
You can notify Google but it will take days before its gone. Should you experience an exposure of sensitive information at a website which you do not control, you will need to work with the site ownership to remove the data.  This may take time and the data may continue to be cached for several days.  This is a situation in which law enforcement may be able to assist.

In a decentralized environment, which department should champion if not push Cybersecurity initiatives?  We do not have a CISO.
In most decentralized environments, the Information Technology department; however, that decision should be made by your leadership.

What is the URL for the Texas Gateway?
https://www.texasgateway.org/

Will you please post the slide deck from this presentation? 
Yes, the slide deck is posted at: https://www.texasgateway.org/ in the Cybersecurity Tips and Tool section along with a recording of the presentation, Incident Response: Being Prepared, Session 4.

Questions and Answers from the April 11, 2018, webinar on Mobile Security—Session 8

Anyone in the education community wishing to contact an individual LEA regarding a product they are using please contact frosty.walker@tea.texas.gov.

When it comes to BitLocker, do you recommend having it on all district laptops?  Any reason I wouldn't want it on all laptops?
Yes, if you are using Windows I recommend using BitLocker to provide whole disk encryption on all laptops.  Laptops which are checked in and out may create some additional management issues; however, whole disk encryption provides huge dividends if one is stolen or lost. If you wish to use a third party to provide whole disk encryption, that’s fine too.

Does TEA use a MDM and if so which one?
TEA’s MDM is scheduled to be replaced in 2019. We will review Gartner’s analysis of the products currently available and pick the one which meets our needs.

What MDM's are best for BYOD?  Specifically, personal cell phones.
If you are looking at managing BYOD devices other than by policy an Enterprise Mobility Management which provides containerization is what I would recommend. Gartner's Magic Quadrant shows VMWare, MobileIron and IBM as the leaders and Sophos, Ivanti, Microsoft, SOTI and Citrix and the visionaries.

Any advice on MDM products that can handle Microsoft, Android, OS X and iOS devices combined?
We use Filewave.  It handles them all. (a Texas LEA)
I like Miradore as an MDM for all devices.  FYI (a Texas LEA)
AIrwatch will manage all those platforms (a Texas LEA)
We use a product called iVanti. While it manages all, it is not perfect. It is better on Win but not as good as JAMF on iOS. (a Texas LEA)

Does TEA have or can provide a policy for encryption or other security-related issues and can it be shared?

It would be great if we could get a template for Technology Related Policies, much like what TEA does for Code of Conduct and Student Handbook.I'd love to have those policies too please

Do you have any policies on IT security?

We have shared a template on IT security policies at: https://www.texasgateway.org/sites/default/files/resources/documents/InformationSecurityPolicyTemplate.docxU30T

The following Texas Education Agency Correspondence documents have been posted to the TEA website:

The following webinars were presented by Frosty Walker, Chief Information Security Officer at the Texas Education Agency. (This document provides video synopses and closed captioned versions of the videos, available on YouTube.)

The first webinar webinar was delivered on March 8, 2017, and features detailed information about the Cybersecurity tips and tools available in this resource.

A follow up webinar, "Establishing an Information Security Plan, Session 2," was delivered on April 12, 2017.

The third video in the webinar series on Cybersecurity Tips and Tools—"Conducting a Risk Assessment, Session 3"—was delivered on May 10, 2017.

The following webinar, "Incident Response: Being Prepared, Session 4," was delivered by Frosty Walker, Chief Information Security Officer at the Texas Education Agency, on September 13, 2017.

The Session 4 slides are available for downloading.

The following webinar, "Training: What is Available at No Cost" was delivered on October 11, 2017, and is the second in the 2017 fall series of Cybersecurity webinars presented by Frosty Walker, Chief Information Security Officer at the Texas Education Agency. The Session 5 slides are available for download.

The "Guidelines for Cybersecurity Documentation" training was presented on November 8, 2017. The Session 6 slides are available for download.

The "Cybersecurity/Privacy Awareness" training was presented on March 7, 2018. The Session 7 slides are available for download.

The April 11th webinar provides information regarding Securing Mobile Devices. Whether mobile devices are provided by your organization or you have a Bring Your Own Device (BYOD) policy, measures need to be implemented to adequately protect your information. Along with the webinar, the Session 8 slides and FAQs are available for downloading.

The May 9, 2018, webinar provides information regarding Data Privacy Agreements, and what needs to be included in your agreements with vendors and third parties to help you protect student, parent, and staff information. The Session 9 slides from the webinar is available for downloading.

The following cybersecurity webinars were offered in 2018–2019 and led by TEA's Chief Information Security Officer, Frosty Walker, in collaboration with the Data Security Advisory Committee (DSAC). The webinars provide insight regarding the resources available at the Cybersecurity Tips and Tools section of the Texas Gateway portal.

Data Security Advisory Committee
The DSAC, consisting of members of school districts and Education Service Centers (ESCs), provides guidance to Texas education communities on maximizing collaboration and communication regarding information security issues and resources. The DSAC has reviewed and recommended the Cybersecurity Tips and Tools, which have been shared on the portal.

Crisis Communication During a Cybersecurity Incident—Session 10

This September 12th webinar provides information around communication needs during a cybersecurity incident. Internal and external communications, and communications with the media in a crisis are difficult tasks. This presentation covers processes for better communications during your incident and the efforts your organization is taking to resolve the issue. The Session 10 slides are available for downloading.

Practice, Practice, Practice—Session 11

The October 17th webinar provides information which can be used to perform cybersecurity incident exercises. These exercises will help you identify any gaps in your incident response plan which might need attention should there be a real cybersecurity incident. Practicing will help your organization be better prepared for successfully preventing, detecting, responding to, and recovering from a cybersecurity incident. The Session 11 slides are available to download.

Website Hardening—Session 12

The November 28th webinar provides information on improving your websites and ways to help protect the information shared on them. This presentation covers some of the key steps that can be taken to improve your websites’ cybersecurity posture. The Session 12 slides are available for downloading.

A Guide on Cyber Attacks and Malware—Session 13

The January 30th webinar provides information regarding common types of cybersecurity attacks and malicious activities. This presentation includes information regarding cyber threats such as phishing, spear phishing, viruses, trojans, ransomware, denial of service attacks, and SQL injection attacks as well as best practices to help prevent them from having a major impact on your organization. Representatives interested in information security issues and resources which can be utilized within the education communities are encouraged to view this session. The Session 13 slides are available for downloading.

Establishing a Security Awareness Program—Session 14

The March 27^th webinar provided information regarding establishing a Security Awareness Training program and what should be included in the program to make it beneficial to both your end users and your organization. This presentation covers who should be included, what they really need to know and how to ensure your end users are using the information they are receiving. Representatives interested in information security issues and resources, which can be utilized within the education communities, are encouraged to view this session. The Session 14 slides are available for downloading.

Key Elements of Effective Risk Management—Session 15

This May 1^st webinar provides information regarding some of the key elements for effective risk management. This presentation focuses on elements such as formalized risk assessment, controls assessment, risk decision making, risk tracking, sign-off for residual risk, and accountability. Understanding these elements will assist your organization in balancing mitigation, acceptance, and transfer of residual risk through conscious decision making. Representatives interested in information security issues and resources, which can be utilized within the education communities, are encouraged to view this session. Session 15 presentation slides are available for downloading.