“That’s not a lot of people to cover security and privacy, and compliance with laws,” Siegl says. “I also want to look at the flip side of using third parties as a way of managing risk. A large company may be better suited to do that job than a small school district.”
Schools can outsource some of their security processes to a trusted partner. CDW has a wide range of security services for K–12 districts, from staff augmentation through virtual CISOs to penetration testing and risk audits. ManagedMethods also specifically serves K–12 districts, offering cloud security features that work across Google and Microsoft platforms.
The ManagedMethods solutions can automatically revoke an application the IT team has blocked. “We can send a warning message when someone tries downloading certain applications, saying, ‘You’re violating the school district’s technology acceptable use policy,’” Waugh explains. “Then, we can set up a rule that if that person or anyone else tries to install that app again, it sends the warning message and revokes the app and doesn’t allow the download to happen.”
What Are K–12 Districts Doing to Mitigate Risk?
“The typical approaches for managing risk are to transfer that risk, and that’s a lot of what schools do by outsourcing,” Siegl says. “But they’re not transferring the risk, they’re transferring the risk of managing it. At the end of the day, the school is responsible for the security and privacy of its data, as well as the safety of the students.”
This is one of the reasons the Moore Public School District in Oklahoma began its own application vetting process.
DISCOVER: How schools are modernizing their on-premises data centers with HCI.
First, the IT and ed tech teams worked together to create a flowchart for educators who want to download a new application. “We’ve created this flowchart where educators have to ask themselves certain questions about the product they want to use,” says Emily Monroe, education technology specialist at the district. “Every time they run into the green or the blue boxes, they have to submit a ticket for the application they want to use.”
The ticket first goes to the curriculum department, Monroe explains, which evaluates whether the technology connects to a strategy and whether there’s something already approved that offers the same benefits. Once software is approved by the curriculum department, it goes back to Monroe and her MPS colleague Michelle Hammond, another ed tech specialist.
“We go to their website, we analyze their privacy policy, we go find a contact email of some kind, and we’ll send our data survey off to that vendor,” Monroe says.
When the survey is returned, Monroe and Hammond sit down with MPS Technology Director Jun Kim to analyze the responses and make a determination.
With five or six requests coming per week, the team of three works hard to keep up. “It is a long, drawn-out process, but we have to keep students safe,” Hammond says.
Resources for Schools to Evaluate Risk and SaaS Applications
For his data privacy survey and overall evaluation of new applications, Kim takes his cues from the Consortium of School Networks and its Trusted Learning Environment standards.
“We’ve tweaked our process, but it all came from CoSN and their TLE process,” Kim says. “We manage it from a leadership perspective, a business perspective and a teacher training perspective.”
“CoSN provides a privacy toolkit that covers understanding the laws and vetting applications, and it provides a set of 25 best practices for schools as part of its trusted learning environment,” Siegl explains.
ManagedMethods has a checklist schools can use to determine the security of a new application, and other organizations have free resources for schools as well.
“Common Sense Media has also put together a division that just looks at educational software privacy policies, and rates the policies on three tiers,” Siegl says.
DIVE DEEPER: Explore five reliable cybersecurity resources for K–12 districts.
