---

School Cybersecurity Resources

A curated list of recent information and resources to help U.S. public K-12 school leaders and policymakers navigate cybersecurity and related issues.

Know a great resource that’s missing from this list? Suggestions welcome.

---

K-12 Specific Cybersecurity Resources

• The K-12 Cybersecurity Self Assessment (a vendor-neutral, free, quick, useful, private, and anonymous self-assessment – based on NIST CSF – for school district IT leaders created by school district IT leaders)
• The K-12 Security Information Exchange (K12 SIX)
• U.S. Department of Education. “Security Best Practices.” Privacy Technical Assistance Center (PTAC) and the Family Policy Compliance Office (FPCO).
• Cybersecurity and Infrastructure Security Agency (CISA) (Dec 2020). Cyber Threats to K-12 Remote Learning Education.
• Cybersecurity and Infrastructure Security Agency (CISA) (Dec 2020). “Ransomware Reference Materials for K-12.”
• Michigan State Police, Office of School Safety (Dec 2020). Cybersecurity: Recommendations and Best Practices.
• ATLIS (Oct 2020). Cybersecurity Recommendations.
• Multi-State Information Sharing and Analysis Center (MS-ISAC) Toolkit.
• Samberg, M. J. (2020). “Cybersecurity in K-12: An Overview of the Threat Landscape.” Friday Institute for Educational Innovation. http://friday.institute/7721
• U.S. Government Accountability Office (Oct 2020). “Data Security: Recent K-12 Data Breaches Show That Students Are Vulnerable to Harm (GAO-20-644)“.
• NJCCIC (Sept 2020). Navigating New Challenges This Academic School Year: Informational Report.
• Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) (Sept 2020). Ransomware Guide.
• Indiana Executive Council on Cybersecurity (August 2020). Cybersecurity for Education Toolkit.
• The Internet Crimes Against Children Task Force (ICAC) Technology Related Incident Response Tool (IRT) for Schools (developed in partnership with iKeepSafe).
• Consortium for School Networking (CoSN). “Cybersecurity for the Digital District, a CoSN Leadership Initiative” (Note: some resources require log-in to access; others require membership)
• Cybersecurity & Infrastructure Security Agency (CISA) (May 2020). “Cybersecurity Recommendations for K-12 Schools using Video Conferencing Tools and Online Platforms.”
• Cybersecurity & Infrastructure Security Agency (CISA) (May 2020). “Tipsheet: Video Conferencing – Guidelines to Keep You and Your Students Safe.”
• CoSN (Mar 2020). “Cybersecurity Considerations in a COVID-19 World.”
• Michigan Education Technology Leaders (METL) (2019). “Essential Cybersecurity Practices for K-12.”
• New Zealand Ministry of Education (Dec 2019). “Protect your school from cyber-attacks and cyber security breaches.”
• Paakki, Travis. (June 2019). “An Exploration of the Strategies Information Assurance Technologists Need to Improve Information Security Practices in an School District” Colorado Technical University. (Dissertation)
• Texas Association of School Boards (2019). School Cybersecurity: Getting Started. [PDF]
• Center for Democracy and Technology (2019). Balancing the Scale of Student Data Deletion and Retention in Education. [PDF]
• Parent Coalition for Student Privacy and the Badass Teachers Association (October 2018). “Educator Toolkit for Teacher and Student Privacy: A Practical Guide for Protecting Personal Data.” [PDF]
• Utah State Board of Education:
  • December 2018. “COPPA in the Classroom.” (video)
  • July 2018. “Data Security Basics for the Classroom.” (video)
  • July 2018. “Malware Attacks on Schools.” (video)
  • Dec 2017. “Top 5 Data Security Tips for Schools.” (video)
• CERT NZ (2018). “Keeping your school network safe.” New Zealand Government.
• National School Boards Association. “2018 NSBA Cyber Risk Report: School Board Communication at Risk.” [PDF]
• Southern Regional Education Board (SREB) (2018). “10 Issues in Educational Technology: Technology Security.”
• Council of Great City Schools (Fall 2017). “Cyber-Security in Today’s K-12 Environment.” [PDF]
• Scott, James. (April 2017). “Sowing the Seeds of U.S. Cyber Talent.” Institute for Critical Infrastructure Technology (ICIT).
• Office of Education Technology (February 2017). “Security Best Practices Guideline for Districts – Version 1.1.” [PDF]. Kentucky Department of Education.
• Czuprynski, Christine N. (January 2017). “Data Security for Schools: A Legal and Policy Guide for School Boards.” [PDF]. National School Boards Association.
• Goran, Ion. (2017). “Cyber Security Risks in Public High Schools.” CUNY Academic Works. (Master’s Thesis)
• National School Safety Alliance/Missouri Center for Education Safety. (March 2016). “Information Technology (IT)/Cyber Security Checklist (v1.4).” [PDF/Google Drive]
• Porterfield, Tony,  Siegl, Jim and Fitzgerald, Bill. (March 2016). “Information Security Primer for Evaluating Educational Software.” Common Sense Media.
• Kentucky Department of Education (September 2015). “Data Security and Breach Notification Best Practice Guide. Version 2.2.” [DOC]
• Kentucky Department of Education (undated). “Top Secret Information and Data Breach Awareness for Teachers 3.0.” {PDF]
• Readiness and Emergency Management for Schools (REMS) Technical Assistance (TA) Center. (undated). Cybersecurity Considerations for K-12 Schools and School Districts. [PDF]
• Readiness and Emergency Management for Schools (REMS) Technical Assistance (TA) Center. (November 2014). Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Schools.

---

Select K-12 Cybersecurity Audit Reports

• Oregon Secretary of State, Oregon Audits Division (November 2019). “Oregon Department of Education: Cybersecurity Controls Audit. 2019-39.”
• Office of the Inspector General. (October 2019). “The U.S. Department of Education’s Federal Information Security Modernization Act of 2014 Report For Fiscal Year 2019.” U.S. Department of Education.
• Division of Local Government and School Accountability (October 2019). “Belleville-Henderson Central School District (2019M-128)” Office of the New York State Comptroller.
• Division of Local Government and School Accountability (October 2019). “Evans-Brant Central School District (2019M-121)” Office of the New York State Comptroller.
• Division of Local Government and School Accountability (September 2019). “Charlotte Valley Central School District (2019M-27)” Office of the New York State Comptroller.
• Office of the Inspector General (November 2018). “Office of the Chief Privacy Officer’s Processing of Family Educational Rights and Privacy Act (FERPA) Complaints.” U.S. Department of Education.
• Division of Local Government and School Accountability (November 2018). “Finn Academy: An Elmira Charter School – Information Technology (2018M-141)” Office of the New York State Comptroller.
• Office of Missouri State Auditor (August 2018). Summary of Local Government and Court Audit Findings – Information Security Controls. [PDF]
• Office of the Inspector General (March 2018). “Protection of Personally Identifiable Information in Statewide Longitudinal Data Systems.” U.S. Department of Education.
• Division of Local Government and School Accountability. (February 2018). “Cairo-Durham Central School District: Information Technology. Report of Examination | 2017M-246” Office of the New York State Comptroller.
• Division of Local Government and School Accountability (July 2017). “Security Over Critical Information Systems: State Education Department. Report 2016-S-69.” and follow-up report, 2018-F-17, on implementation status (November 2018). Office of the New York State Comptroller.
• Office of Inspector General. (July 2017). “Protection of Personally Identifiable Information in Indiana’s Statewide Longitudinal Data System.” U.S. Department of Education.
• Nicolaides, Michael. (December 2016). “NC Department of Public Instruction: Public Schools Cybersecurity Study.” NC Department of Public Instruction.
• Galloway, Nicole. (October 2016). “Summary of Audit Findings Cyber Aware School Audits (Report No. 2016-112).” Office of Missouri State Auditor.
• Office of Inspector General. (September 2016). “Protection of Personally Identifiable Information in Oregon’s Statewide Longitudinal Data System.” U.S. Department of Education.
• Office of Inspector General. (July 2016). “Protection of Personally Identifiable Information in the Commonwealth of Virginia’s Longitudinal Data System.” U.S. Department of Education.
• Chavez, Justin (June 2015). “School Data Security.” Wyoming Department of Audit.

---

Other Education-Specific Cybersecurity Resources

• The Future of Privacy Forum’s FERPA|Sherpa maintains a growing list of cybersecurity resources. (Note: resources are not limited only to those targeted or applicable to U.S. K-12 schools.)

---

General Cybersecurity Resources

• Stamatiou, Paul. (Oct 2019). Getting Started with Security Keys.
• Shelton, Martin. (Oct 2019) Current Digital Security Resources.
• Alberti, Tobia (Oct 2019). Precisely Private.
• The Digital First Aid Kit by the RaReNet (Rapid Response Network) and CiviCERT.
• Online Harassment Resources by HeartMob.
• Motherboard. (Nov 2018). How to Tell if Your Account Has Been Hacked
• Motherboard. (Nov 2018). The Motherboard Guide to Not Getting Hacked
• Purdy, Kevin. (April 2018). “The Best Internet Security: Layers of Protection, and Good Habits.” Wirecutter.
• Pagano, Floriana & Cheng, Sage (Apr 2018). A First Look at Digital Security. Access Now.
• Security Planner by the Citizen Lab
• Firefox Monitor/have i been pwned? (check to see if your accounts have been compromised in a data breach)
• Consumer Reports. (February 2017). 66 Ways to Protect Your Privacy Right Now.
• Surveillance Self-Defense and Security Education Companion, both projects of the Electronic Frontier Foundation
• Digital Security Training Resources for Security Trainers, Winter 2017 Edition
• Quintin, Cooper and Okuda, Soraya. (January 2018). How to Assess a Vendor’s Data Security. Electronic Frontier Foundation.
• privacytools.io – encryption against global mass surveillance
• United States Computer Emergency Readiness Team (US-CERT) Cybersecurity Tips.
• European Digital Rights (EDRi). (October 2016). “Your Guide to Digital Defenders vs. Data Intruders – Privacy for kids!” (Note: designed for youth ages 10-14 years)
  

  ---