TCEA 2019: Where Is Your K–12 District on the Security Map?

The Texas Education Agency CISO offers a detailed plan to guide IT leaders through cybersecurity assessment and improvement.

Making a cybersecurity plan without an initial assessment of the status quo is like making an airplane reservation without knowing what city you’re flying out of, said Frosty Walker, CISO for the Texas Education Agency, at the Texas Computer Education Association Convention & Exposition in San Antonio on Monday. 

A common starting point with cybersecurity, Walker said, is “we know where we want to get to, but we really don’t know where we are today.”

His session, “Where Are You on the Cybersecurity Roadmap?”, gave attendees strategies to evaluate and improve data security in their K–12 districts. He also shared resources from TEA’s Texas Gateway, including a 40-item checklist that can serve as a detailed guide for IT leaders on a variety of data security strategies. 

JOIN THE CONVERSATION: Follow @EdTech_K12 on Twitter for continued TCEA 2019 coverage!.

Make the Case for K–12 Cybersecurity with Visual Tools

A formalized assessment method — a map, if you will — helps leaders define their current situation, develop a budget against it and make the case to senior administrators. Walker showed one chart that depicted the current security status for a hypothetical district, mapped against the 40 items on the checklist. A bright red line showed where the district was falling behind the desired level of due diligence. 

“Words don’t always paint the picture that we think we’re painting, so visual aids help us a lot when we’re talking about cybersecurity,” he said. 

Images like this, Walker said, give IT leaders an effective and powerful way to convey technical issues to their administrators.

“The farther away from due diligence we are, the higher the risk,” he said. “It makes a difference when they can see your security program mapped out.”

Such maps also give IT leaders a systematic way to manage their security strategies over the long term. 

“Improving your security posture is not something you fix overnight,” said Walker.

Evaluate Your District Against 6 Levels of Cybersecurity Readiness

To help IT leaders assess their district’s performance on each security measure, Walker offered a six-level framework:

  • Zero – At this level, security measures for the target objective are nonexistent.
  • 1 – Security strategies are ad hoc, inconsistent or reactive.
  • 2 – Strategies are repeatable and generally consistent, but for the most part they are still reactive and undocumented. The organization doesn’t routinely measure or enforce compliance with security policies.
  • 3 – The security approach is defined, detailed and documented. The organization regularly measures compliance.
  • 4 – Data security is achieved through an established risk management framework that measures and evaluates risk and integrates improvements, going beyond the minimal regulatory requirements.
  • 5 – Data security is optimized. The organization has refined standards and practices focused on ways to improve its capabilities in the most efficient and cost-effective way.

Walker also noted that while requirements such as the Texas Education Code and, more broadly, the Family Educational Rights and Privacy Act can serve as a guide to data security, they are the very least that districts should strive to achieve.

“Our objective here is to get beyond our minimal requirements, and we don’t know how close we are until we actually measure that,” Walker said. 

MORE FROM EDTECH: Three ways K–12 schools can improve their cybersecurity in 2019.

Update Security Assessments Routinely to Measure Progress

With a baseline assessment completed, routine updates become a comparatively easy lift, said Walker, adding that he finds quarterly updates manageable because they only require leaders to document changes from the previous 90 changes

Periodic snapshots of the district’s security posture also help leaders track maturity over time and demonstrate progress to leadership, he said.

Finally, he said, the due diligence of identifying, inventorying and prioritizing sensitive data assets will be extremely valuable if a district ever has a data breach, a natural disaster or a ransomware attack and needs to rebuild its systems.

“We do a pretty good job of tracking hardware and software, but those aren’t the only valuable assets we have,” said Walker. Districts have huge amounts of sensitive information that should be inventoried and prioritized, he said. 

No matter how good the disaster recovery plan is, he said, or how many times the team has run through a tabletop exercise, when you’re doing it for real, “you find things that just don’t work when you have to build the data center from scratch from backup.” 

Even so, he said, he recommends that IT leaders do take their teams through tabletops and other readiness activities.

“Every time I do a cybersecurity exercise, we find out all kinds of interesting things,” he said.

Keep this page bookmarked for articles from the event. Follow us on Twitter at @EdTech_K12 or the official conference Twitter account, @TCEA, and join the conversation using the hashtag #TCEA.

Chaay_Tee/Getty Images
Feb 05 2019

Sponsors