Driving K-12's Digital Security and Privacy
How does the Leander, Texas Independent School District ensure the protection of their students' data?
Recently, an Illinois woman and her daughter filed a lawsuit against education publishing giant Pearson, a British-owned company that operates in all 50 U.S. states, of negligence when handling student data. The lawsuit is the aftermath of the Pearson data breach, confirmed by the company in July. The breach compromised the personal information of nearly one million students in more than 13 states.
Today, more than ever, it’s imperative that schools protect students and their privacy. The Leander Independent School District (ISD) in Leander, Texas is one school that’s taking the lead in this area. Serving more than 43,000 students across 43 campuses, Leander ISD is one of the fastest growing school districts in Texas. Recently, Leander ISD was awarded the national Trusted Learning Environment (TLE) Seal from the Consortium for School Networking (CoSN), a professional association for school system technology leaders.
The TLE Seal recognizes school systems for demonstrating strong student data privacy practices. It requires recipients to regularly monitor and improve their privacy practices and reapply for the Seal every two years.
“We are very proud of receiving the TLE Seal. One of the things that Leander ISD is excited about is how good this is for our community. Much like everywhere in America today, people feel uncertain and see things in the news, regarding themselves, their children and the technological world we live in. It is rewarding for us to give them good news about their data and their children’s data, so they can continue to feel confident that their privacy is ensured,” says James Watson, a Security Administrator for the Leander ISD. Watson has more than 20 years of practice in the K-12 education sector and experience in identity and access management, federation services, system administration, privacy, log aggregation and analysis, endpoint protection, network security analysis and policy and governance.
Communicating the Value of Security
One of the challenges in K-12 cybersecurity, says Watson, is how quickly it changes. “An area that K-12 deals with is a very rapid degree of change, and that might be specific to our district, which continues to grow every day. Vast amounts of sites, campuses, networks, vendors and software are all coming online at all times,” Watson says.
The most difficult part of Watson and his department’s job is communicating the value of security, he notes. “As a target, as a goal, as a deliverable, we are always trying to communicate the value of security. Just like in any organization, there is no one clamoring for security. We have to push to remain secure, always educating and communicating the value of work because it’s never a priority in people’s mind,” Watson says.
Communicating security's value involves instilling strong and strict data privacy practices across the organization. “On the operational side, we focus on the basics of IT security, such as frequently updating systems, restricting access to least-privileged and need-to-know. But protecting privacy goes beyond that,” Watson notes.
It starts with limiting the data that is collected, stored, shared and used, Watson says. “We have to look at our vendors, our relationship with them and what we share with them. We also look at our district employees and the data we share with them, as well, and the type of access they have to sensitive data,” Watson adds.
Beyond that, there is constant training involved for all district employees. “Making our staff aware of the threats they should be looking out for to help us mitigate and prevent any data malpractices is critical, as well,” he says. “We need a complete team-effort because no one can do it alone.”
Data Governance Rules
“Our leadership team has been very helpful to us in governance, designating rules and procedures regarding data collection, use, security and the use of online educational programs,” says Watson.
To support continuous monitoring, improvement and to create a culture of data security and privacy, the Leander ISD employs a Data Governance Committee that is responsible for optimizing data management, data processes and review processes. It encompasses IT Senior Executive Director, Chief Facilities/Operations Officer, IT Director of Student Information Systems, IT Security Administrator and many other important roles. The Committee works to:
- Monitor and review the regulatory environment and community expectations for data security and privacy.
- Identify, document and review critical district data assets.
- Assign and review data owners and custodians for all critical data assets.
- Propose, create, review and revise data security and privacy standards, practices and documentation.
“Leveraging all of these resources have made us feel confident that we are complying with federal and state law, as well as our community expectations for protecting against identify theft, harassment, unauthorized data collection and other cyber threats,” Watson notes.
Leander ISD also involves families, teachers and students to promote responsible use of digital resources to protect personal security and privacy inside and outside the District. There are strict codes of conduct when it comes to staff and student’s use of the network, which involves computer workstations, mobile devices, applications, databases, online resources, internet access, email and all interconnected technologies made available through the district. Students and staff are required and prompted to regularly change their passwords and keep them private. Inappropriate uses of technology resources are communicated, to include maliciously harming or destroying, or negligence of materials or data and negligence of reasonable security protections such as not applying security updates and not running anti-malware software on devices used to connect to Leander ISD’s network.
A few other inappropriate uses of the district’s technology uses would include:
- Encrypting communications to avoid security review.
- Using accounts or login credentials other than their own or sharing accounts or credentials with other individuals
- Visiting websites that collect personal identifiable information, such as chat rooms, emails, instant messaging, personal profiles or websites, registration forms or mailing lists.
Training to Prevent Vulnerabilities
To further educate staff, Leander ISD’s Professional Development department participates with the governance committee through mandatory, annual training sessions. “On an annual basis, all our employees must take refreshing training on data practices and principles. In addition, we perform security training in areas such as phishing simulations and compliance video-training as well. Currently, we are under discussion regarding increasing the amount of minor reminders we send out to employees, given the nature of the threats that are resurfacing daily, especially those attacking K-12 in a manner never seen before,” says Watson.
Additionally, Leander ISD believes in sharing their data practices with family members and students, including designating a place or contact where students and families can learn of their rights to their data. Student’s personal information is only shared with service providers for legitimate educational purposes, and parental consent to share must be given by a parent, guardian or a student (if he or she is younger than 18).
“One of the requirement of the TLE Seal is that we must involve parents and students in ensuring their data remains safe. We have transparent communication with our community. We publish public documentation regarding our data practices online. Beyond that, we communicate their existence to the parents in enewsletters and engage in social media campaigns to try to increase awareness,” notes Watson.
Another requirement of the TLE Seal is addressing classroom practices, says Watson. “Part of that involves educating teachers on software selection and the use of digital and online resources. It involves helping students understand online safety and digital citizenship. In the modern age, this is just as important as reading, writing and arithmetic. It helps students apply real-world concepts to stay safe and secure in the world they live in,” Watson notes.
Furthermore, ensuring data practices involves the help of technology, which Watson says, are “next generation firewalls, building internet content, deploying internet protection on all devices, email filters, which protect us from phishing and other threats, and log monitoring and analysis. We also audit those technologies to ensure they are performing at optimal levels. Those practices provide us the functionality that allow us to feel confident in our safety measures.”
“Overall, these practices strengthen and prioritize our internal efforts to optimize data security and privacy,” says Watson.
A Future Focused on Student Privacy
There are many frameworks that school leaders can refer to and tailor to their environment, Watson says. “I recommend the CoSN environment because they distill the vast and broad frameworks that have been developed to very focused K-12 recommendations and steps that an organization like a school district can bite off and chew,” he suggests.
Additionally, even if schools lack adequate funding to ensure their student’s privacy, Watson says, there is no shortage of tools that can be used at no cost. “The basics are updating software, controlling use of administrative privileges, installing endpoint protection on devices, managing vendor relations, defining processes for digital resources in the classroom, training, defining policy and leadership policy. Those are the most effective means to improve security and safety across organizations,” Watson says.
Regarding artificial intelligence (AI), deep learning and data-mining, Watson believes that there will be acceptance and interest, as long as they are used to improve educational outcomes and to deliver individualized learning. “The question that emerges is facial recognition,” he says. “The most restrictive local regulations against its use exist in the city where the technology is being developed. While facial recognition is expanding widely in other locations, it’s an interesting divergence. Our best bet, in the K-12 sector, is to continue to educate our community to be aware of and engage with us on matters of privacy. Under those conditions, our community will guide us in terms of where they want their district to be.”