By: Page Glave
June 10, 2021
Kindergarten through twelfth grade (K-12) school districts are experiencing increasing cyber-attacks, especially in light of increased virtual learning due to the COVID-19 pandemic. From distributed denial of service attacks to ransomware, school districts are under a wide variety of attacks. Since 2016, districts in the United States have experienced more than 1,000 attacks. Cybercriminals are finding many school districts to be attractive targets. In addition to cybercriminals, schools also must deal with the internal threat of students who may want a day off, want to change their grades, or want to see what they can do. Most school districts do not have dedicated cybersecurity professionals, leaving other district personnel to learn the skills needed to implement a cybersecurity program quickly.
Where to start?
School districts need an effective way to implement measures to ensure student data privacy. One approach that can be used is working toward the Trusted Learning Environment seal. This program is a framework specifically designed for schools. The framework includes five key areas:
- Leadership Practice
- Business Practice
- Data Security Practice
- Professional Development Practice
- Classroom Practice
This is a great starting place for schools because the framework requirements are more easily managed than frameworks like the NIST Cybersecurity Framework or ISO 27001. The TLE also has steps to help the cybersecurity program integrate into the district and require collaboration between district leadership and cybersecurity. School districts can demonstrate a commitment to protecting student data by earning the TLE seal. This framework provides a starting point for districts unsure how to manage the growing compliance demands placed on their sector.
What is the TLE?
As listed above, the TLE framework has five domains. The Leadership Practices domain addresses administration involvement, policies, and resources. The Business Practices domain deals with contracts and makes sure companies the school district works with meet privacy and security requirements. The Data Security Practices domain provides specific requirements for data and security, including disaster recovery. The Professional Development Practices area has specifications for user training and offering cybersecurity information to parents. The Classroom Practices portion involves guidelines for incorporating cybersecurity into the curriculum and having teachers model appropriate security behavior. Some of these areas are much different than the areas found in most cybersecurity frameworks.
While the TLE provides beneficial domains to school districts, some areas are not as detailed as districts might need. The domains addressing leadership and classroom practices are very helpful for ensuring a cybersecurity program that becomes integrated throughout the district. However, the TLE does not address all controls found in the NIST Cybersecurity Framework or the CIS Top 20. This can be a benefit to schools as the requirements can be less overwhelming. Districts seeking the TLE seal should also be aware that additional controls may be needed to address areas not specified by the TLE, particularly around detection and response. Working toward the TLE seal can help districts prioritize controls from more comprehensive frameworks. This prioritization can be critical to help districts with limited cybersecurity and information technology departments understand what measures can have the greatest impact. Ideally, a district would use the TLE as the priority framework to guide the implementation of an industry-standard framework. This can provide a win for districts (obtaining the TLE seal) while working toward industry-standard cybersecurity practices.
How can districts move forward?
School districts are likely to see increasing compliance burdens related to cybersecurity. Some states in the United States have already passed legislation requiring minimum standards. The TLE serves as an effective starting point that can be integrated into any compliance requirements. It provides a framework that may be more familiar to the personnel responsible for implementing cybersecurity practices in a district than the NIST CSF or ISO 27001. District personnel must be provided the resources and education necessary to advance cybersecurity posture. The TLE is a good starting point, and Cybrary has resources that can be a primer for district personnel to gain the proficiency needed to improve cybersecurity quickly.
- Miami Dade DDoS attack: https://edscoop.com/miami-dade-schools-ddos-attack-student-charged/
- Baltimore ransomware attack: https://www.nytimes.com/2020/11/29/us/baltimore-schools-cyberattack.html