School Cybersecurity Resources
A curated list of recent information and resources to help U.S. public K-12 school leaders and policymakers navigate cybersecurity and related issues.
Know a great resource that’s missing from this list? Suggestions welcome.
K-12 Specific Cybersecurity Resources
- The K-12 Cybersecurity Self Assessment (a vendor-neutral, free, quick, useful, private, and anonymous self-assessment – based on NIST CSF – for school district IT leaders created by school district IT leaders)
- The K-12 Security Information Exchange (K12 SIX)
- U.S. Department of Education. “Security Best Practices.” Privacy Technical Assistance Center (PTAC) and the Family Policy Compliance Office (FPCO).
- Cybersecurity and Infrastructure Security Agency (CISA) (Dec 2020). Cyber Threats to K-12 Remote Learning Education.
- Cybersecurity and Infrastructure Security Agency (CISA) (Dec 2020). “Ransomware Reference Materials for K-12.”
- Michigan State Police, Office of School Safety (Dec 2020). Cybersecurity: Recommendations and Best Practices.
- ATLIS (Oct 2020). Cybersecurity Recommendations.
- Multi-State Information Sharing and Analysis Center (MS-ISAC) Toolkit.
- Samberg, M. J. (2020). “Cybersecurity in K-12: An Overview of the Threat Landscape.” Friday Institute for Educational Innovation. http://friday.institute/7721
- U.S. Government Accountability Office (Oct 2020). “Data Security: Recent K-12 Data Breaches Show That Students Are Vulnerable to Harm (GAO-20-644)“.
- NJCCIC (Sept 2020). Navigating New Challenges This Academic School Year: Informational Report.
- Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) (Sept 2020). Ransomware Guide.
- Indiana Executive Council on Cybersecurity (August 2020). Cybersecurity for Education Toolkit.
- The Internet Crimes Against Children Task Force (ICAC) Technology Related Incident Response Tool (IRT) for Schools (developed in partnership with iKeepSafe).
- Consortium for School Networking (CoSN). “Cybersecurity for the Digital District, a CoSN Leadership Initiative” (Note: some resources require log-in to access; others require membership)
- Cybersecurity & Infrastructure Security Agency (CISA) (May 2020). “Cybersecurity Recommendations for K-12 Schools using Video Conferencing Tools and Online Platforms.”
- Cybersecurity & Infrastructure Security Agency (CISA) (May 2020). “Tipsheet: Video Conferencing – Guidelines to Keep You and Your Students Safe.”
- CoSN (Mar 2020). “Cybersecurity Considerations in a COVID-19 World.”
- Michigan Education Technology Leaders (METL) (2019). “Essential Cybersecurity Practices for K-12.”
- New Zealand Ministry of Education (Dec 2019). “Protect your school from cyber-attacks and cyber security breaches.”
- Paakki, Travis. (June 2019). “An Exploration of the Strategies Information Assurance Technologists Need to Improve Information Security Practices in an School District” Colorado Technical University. (Dissertation)
- Texas Association of School Boards (2019). School Cybersecurity: Getting Started. [PDF]
- Center for Democracy and Technology (2019). Balancing the Scale of Student Data Deletion and Retention in Education. [PDF]
- Parent Coalition for Student Privacy and the Badass Teachers Association (October 2018). “Educator Toolkit for Teacher and Student Privacy: A Practical Guide for Protecting Personal Data.” [PDF]
- Utah State Board of Education:
- December 2018. “COPPA in the Classroom.” (video)
- July 2018. “Data Security Basics for the Classroom.” (video)
- July 2018. “Malware Attacks on Schools.” (video)
- Dec 2017. “Top 5 Data Security Tips for Schools.” (video)
- CERT NZ (2018). “Keeping your school network safe.” New Zealand Government.
- National School Boards Association. “2018 NSBA Cyber Risk Report: School Board Communication at Risk.” [PDF]
- Southern Regional Education Board (SREB) (2018). “10 Issues in Educational Technology: Technology Security.”
- Council of Great City Schools (Fall 2017). “Cyber-Security in Today’s K-12 Environment.” [PDF]
- Scott, James. (April 2017). “Sowing the Seeds of U.S. Cyber Talent.” Institute for Critical Infrastructure Technology (ICIT).
- Office of Education Technology (February 2017). “Security Best Practices Guideline for Districts – Version 1.1.” [PDF]. Kentucky Department of Education.
- Czuprynski, Christine N. (January 2017). “Data Security for Schools: A Legal and Policy Guide for School Boards.” [PDF]. National School Boards Association.
- Goran, Ion. (2017). “Cyber Security Risks in Public High Schools.” CUNY Academic Works. (Master’s Thesis)
- National School Safety Alliance/Missouri Center for Education Safety. (March 2016). “Information Technology (IT)/Cyber Security Checklist (v1.4).” [PDF/Google Drive]
- Porterfield, Tony, Siegl, Jim and Fitzgerald, Bill. (March 2016). “Information Security Primer for Evaluating Educational Software.” Common Sense Media.
- Kentucky Department of Education (September 2015). “Data Security and Breach Notification Best Practice Guide. Version 2.2.” [DOC]
- Kentucky Department of Education (undated). “Top Secret Information and Data Breach Awareness for Teachers 3.0.” {PDF]
- Readiness and Emergency Management for Schools (REMS) Technical Assistance (TA) Center. (undated). Cybersecurity Considerations for K-12 Schools and School Districts. [PDF]
- Readiness and Emergency Management for Schools (REMS) Technical Assistance (TA) Center. (November 2014). Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Schools.
Select K-12 Cybersecurity Audit Reports
- Oregon Secretary of State, Oregon Audits Division (November 2019). “Oregon Department of Education: Cybersecurity Controls Audit. 2019-39.”
- Office of the Inspector General. (October 2019). “The U.S. Department of Education’s Federal Information Security Modernization Act of 2014 Report For Fiscal Year 2019.” U.S. Department of Education.
- Division of Local Government and School Accountability (October 2019). “Belleville-Henderson Central School District (2019M-128)” Office of the New York State Comptroller.
- Division of Local Government and School Accountability (October 2019). “Evans-Brant Central School District (2019M-121)” Office of the New York State Comptroller.
- Division of Local Government and School Accountability (September 2019). “Charlotte Valley Central School District (2019M-27)” Office of the New York State Comptroller.
- Office of the Inspector General (November 2018). “Office of the Chief Privacy Officer’s Processing of Family Educational Rights and Privacy Act (FERPA) Complaints.” U.S. Department of Education.
- Division of Local Government and School Accountability (November 2018). “Finn Academy: An Elmira Charter School – Information Technology (2018M-141)” Office of the New York State Comptroller.
- Office of Missouri State Auditor (August 2018). Summary of Local Government and Court Audit Findings – Information Security Controls. [PDF]
- Office of the Inspector General (March 2018). “Protection of Personally Identifiable Information in Statewide Longitudinal Data Systems.” U.S. Department of Education.
- Division of Local Government and School Accountability. (February 2018). “Cairo-Durham Central School District: Information Technology. Report of Examination | 2017M-246” Office of the New York State Comptroller.
- Division of Local Government and School Accountability (July 2017). “Security Over Critical Information Systems: State Education Department. Report 2016-S-69.” and follow-up report, 2018-F-17, on implementation status (November 2018). Office of the New York State Comptroller.
- Office of Inspector General. (July 2017). “Protection of Personally Identifiable Information in Indiana’s Statewide Longitudinal Data System.” U.S. Department of Education.
- Nicolaides, Michael. (December 2016). “NC Department of Public Instruction: Public Schools Cybersecurity Study.” NC Department of Public Instruction.
- Galloway, Nicole. (October 2016). “Summary of Audit Findings Cyber Aware School Audits (Report No. 2016-112).” Office of Missouri State Auditor.
- Office of Inspector General. (September 2016). “Protection of Personally Identifiable Information in Oregon’s Statewide Longitudinal Data System.” U.S. Department of Education.
- Office of Inspector General. (July 2016). “Protection of Personally Identifiable Information in the Commonwealth of Virginia’s Longitudinal Data System.” U.S. Department of Education.
- Chavez, Justin (June 2015). “School Data Security.” Wyoming Department of Audit.
Other Education-Specific Cybersecurity Resources
- The Future of Privacy Forum’s FERPA|Sherpa maintains a growing list of cybersecurity resources. (Note: resources are not limited only to those targeted or applicable to U.S. K-12 schools.)
General Cybersecurity Resources
- Stamatiou, Paul. (Oct 2019). Getting Started with Security Keys.
- Shelton, Martin. (Oct 2019) Current Digital Security Resources.
- Alberti, Tobia (Oct 2019). Precisely Private.
- The Digital First Aid Kit by the RaReNet (Rapid Response Network) and CiviCERT.
- Online Harassment Resources by HeartMob.
- Motherboard. (Nov 2018). How to Tell if Your Account Has Been Hacked
- Motherboard. (Nov 2018). The Motherboard Guide to Not Getting Hacked
- Purdy, Kevin. (April 2018). “The Best Internet Security: Layers of Protection, and Good Habits.” Wirecutter.
- Pagano, Floriana & Cheng, Sage (Apr 2018). A First Look at Digital Security. Access Now.
- Security Planner by the Citizen Lab
- Firefox Monitor/have i been pwned? (check to see if your accounts have been compromised in a data breach)
- Consumer Reports. (February 2017). 66 Ways to Protect Your Privacy Right Now.
- Surveillance Self-Defense and Security Education Companion, both projects of the Electronic Frontier Foundation
- Digital Security Training Resources for Security Trainers, Winter 2017 Edition
- Quintin, Cooper and Okuda, Soraya. (January 2018). How to Assess a Vendor’s Data Security. Electronic Frontier Foundation.
- privacytools.io – encryption against global mass surveillance
- United States Computer Emergency Readiness Team (US-CERT) Cybersecurity Tips.
- European Digital Rights (EDRi). (October 2016). “Your Guide to Digital Defenders vs. Data Intruders – Privacy for kids!” (Note: designed for youth ages 10-14 years)