Cybersecurity & Data Protection for Schools

• Phishing & Social Engineering – Staff or students tricked into revealing sensitive information.
• Ransomware– Malware that locks files and demands payment for release.
• Data Breaches – Unauthorized access to student records, financial information, or employee files.
• Unauthorized Access – Weak passwords or poor access controls leading to compromised accounts.
• Third-Party Vendor Risks – Software or service providers with inadequate security practices.

• Protects student and staff privacy – Prevents exposure of sensitive personal data.
• Ensures operational continuity – Minimizes disruptions to teaching and administration.
• Reduces liability – Compliance with FERPA, Children's Online Privacy Protection Rule ("COPPA"), and state privacy regulations lowers legal risk.
• Supports community trust – Demonstrates a commitment to safeguarding information.

• Risk Assessments – Conduct IT and network vulnerability reviews.
• Staff Training & Awareness – Provide ongoing phishing, password, and safe tech use training.
• Incident Response Plans – Establish procedures for communication and recovery.
• Access Controls – Use MFA, strong passwords, and role-based access.
• Data Protection & Backups – Encrypt data; maintain secure, off-site backups.
• Vendor Oversight – Require cybersecurity assurances in agreements/MOU. If Software/IT services require cyber insurance as part of agreements/MOU.
• Regular Updates & Patching – Keep systems, apps, and security software current.

Teachers & Site Staff

• Lock screens when stepping away.
• Store assessment data securely.
• Incident Response Plans – Establish procedures for communication and recovery.
• Verify last-minute vendor invoice changes with a known contact.
• Use district-approved apps and cloud storage.

Office/HR/Business

• Confirm bank/wire changes using a verified channel.
• Store assessment data securely.
• Restrict PII to “need-to-know.”
• Verify last-minute vendor invoice changes with a known contact.
• Purge redundant files per retention rules.

Tech/IT

• Enforce MFA, device encryption, and patching.
• Maintain asset inventory and backups (offline/cross-domain).
• Configure email and network security; monitor logs.
• Implement geographic controls to outside US countries via firewalls

Leaders

• Champion annual training and recovery drills.
• Resource an incident response plan and communication templates.

• Incident Reporting: Who to contact, hours, and what info to provide.
• Phishing Response: Quarantine, block, reset, notify, ticket.
• Account Compromise: Password reset, MFA re-bind, log review, device scan.
• Ransomware Playbook: Isolate, preserve logs, activate Incident Response (IR) team, law enforcement notification, and rbckups.

• Annual staff courses (e.g., security awareness, social engineering, and data handling).
• Micro-learning: 2–5 minute refreshers, such as newsletters/staff meetings.
• Table top exercises: quarterly for admin/IT on phishing, data loss, and ransomware.
• Track Training via Sign-in Sheet: Printable roster for in-person sessions.
• Vector Solutions Online Training Courses: CSRM Members have access to a variety of online training that can be assigned to employees.  

• CISA — Cybersecurity for K-12 Education
• CISA — K-12 Online Toolkit
• CISA — K-12 Ransomware & Remote Learning
• CISA — Cyber Education & School Safety
• NIST Cybersecurity Framework 2.0
• K12 SIX — Cyber Incident Map
• NIST CSF Quick Start Guide
• National Cybersecurity Alliance (NCA)
• Cyber.org Curriculum
• REMS TA Center – Cybersecurity
• Vector Solutions – Cybersecurity Training

• Incident Reporting Guide (Please Email: SLC@csjpa.org)
• One-Page Incident Reporting Guide (Please Email: SLC@csjpa.org)
• One-Page (4) Awareness Posters/Guides (Please Email: SLC@csjpa.org)