School Cybersecurity Resources

A curated list of recent information and resources to help U.S. public K-12 school leaders and policymakers navigate cybersecurity and related issues.

Know a great resource that’s missing from this list? Suggestions welcome.

K-12 Specific Cybersecurity Resources

The K-12 Cybersecurity Self Assessment (a vendor-neutral, free, quick, useful, private, and anonymous self-assessment – based on NIST CSF – for school district IT leaders created by school district IT leaders)
The K-12 Security Information Exchange (K12 SIX)
U.S. Department of Education. “Security Best Practices.” Privacy Technical Assistance Center (PTAC) and the Family Policy Compliance Office (FPCO).
Cybersecurity and Infrastructure Security Agency (CISA) (Dec 2020). Cyber Threats to K-12 Remote Learning Education.
Cybersecurity and Infrastructure Security Agency (CISA) (Dec 2020). “Ransomware Reference Materials for K-12.”
Michigan State Police, Office of School Safety (Dec 2020). Cybersecurity: Recommendations and Best Practices.
ATLIS (Oct 2020). Cybersecurity Recommendations.
Multi-State Information Sharing and Analysis Center (MS-ISAC) Toolkit.
Samberg, M. J. (2020). “Cybersecurity in K-12: An Overview of the Threat Landscape.” Friday Institute for Educational Innovation. http://friday.institute/7721
U.S. Government Accountability Office (Oct 2020). “Data Security: Recent K-12 Data Breaches Show That Students Are Vulnerable to Harm (GAO-20-644)“.
NJCCIC (Sept 2020). Navigating New Challenges This Academic School Year: Informational Report.
Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) (Sept 2020). Ransomware Guide.
Indiana Executive Council on Cybersecurity (August 2020). Cybersecurity for Education Toolkit.
The Internet Crimes Against Children Task Force (ICAC) Technology Related Incident Response Tool (IRT) for Schools (developed in partnership with iKeepSafe).
Consortium for School Networking (CoSN). “Cybersecurity for the Digital District, a CoSN Leadership Initiative” (Note: some resources require log-in to access; others require membership)
Cybersecurity & Infrastructure Security Agency (CISA) (May 2020). “Cybersecurity Recommendations for K-12 Schools using Video Conferencing Tools and Online Platforms.”
Cybersecurity & Infrastructure Security Agency (CISA) (May 2020). “Tipsheet: Video Conferencing – Guidelines to Keep You and Your Students Safe.”
CoSN (Mar 2020). “Cybersecurity Considerations in a COVID-19 World.”
Michigan Education Technology Leaders (METL) (2019). “Essential Cybersecurity Practices for K-12.”
New Zealand Ministry of Education (Dec 2019). “Protect your school from cyber-attacks and cyber security breaches.”
Paakki, Travis. (June 2019). “An Exploration of the Strategies Information Assurance Technologists Need to Improve Information Security Practices in an School District” Colorado Technical University. (Dissertation)
Texas Association of School Boards (2019). School Cybersecurity: Getting Started. [PDF]
Center for Democracy and Technology (2019). Balancing the Scale of Student Data Deletion and Retention in Education. [PDF]
Parent Coalition for Student Privacy and the Badass Teachers Association (October 2018). “Educator Toolkit for Teacher and Student Privacy: A Practical Guide for Protecting Personal Data.” [PDF]
Utah State Board of Education:
- December 2018. “COPPA in the Classroom.” (video)
- July 2018. “Data Security Basics for the Classroom.” (video)
- July 2018. “Malware Attacks on Schools.” (video)
- Dec 2017. “Top 5 Data Security Tips for Schools.” (video)
CERT NZ (2018). “Keeping your school network safe.” New Zealand Government.
National School Boards Association. “2018 NSBA Cyber Risk Report: School Board Communication at Risk.” [PDF]
Southern Regional Education Board (SREB) (2018). “10 Issues in Educational Technology: Technology Security.”
Council of Great City Schools (Fall 2017). “Cyber-Security in Today’s K-12 Environment.” [PDF]
Scott, James. (April 2017). “Sowing the Seeds of U.S. Cyber Talent.” Institute for Critical Infrastructure Technology (ICIT).
Office of Education Technology (February 2017). “Security Best Practices Guideline for Districts – Version 1.1.” [PDF]. Kentucky Department of Education.
Czuprynski, Christine N. (January 2017). “Data Security for Schools: A Legal and Policy Guide for School Boards.” [PDF]. National School Boards Association.
Goran, Ion. (2017). “Cyber Security Risks in Public High Schools.” CUNY Academic Works. (Master’s Thesis)
National School Safety Alliance/Missouri Center for Education Safety. (March 2016). “Information Technology (IT)/Cyber Security Checklist (v1.4).” [PDF/Google Drive]
Porterfield, Tony, Siegl, Jim and Fitzgerald, Bill. (March 2016). “Information Security Primer for Evaluating Educational Software.” Common Sense Media.
Kentucky Department of Education (September 2015). “Data Security and Breach Notification Best Practice Guide. Version 2.2.” [DOC]
Kentucky Department of Education (undated). “Top Secret Information and Data Breach Awareness for Teachers 3.0.” {PDF]
Readiness and Emergency Management for Schools (REMS) Technical Assistance (TA) Center. (undated). Cybersecurity Considerations for K-12 Schools and School Districts. [PDF]
Readiness and Emergency Management for Schools (REMS) Technical Assistance (TA) Center. (November 2014). Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Schools.

Select K-12 Cybersecurity Audit Reports

Oregon Secretary of State, Oregon Audits Division (November 2019). “Oregon Department of Education: Cybersecurity Controls Audit. 2019-39.”
Office of the Inspector General. (October 2019). “The U.S. Department of Education’s Federal Information Security Modernization Act of 2014 Report For Fiscal Year 2019.” U.S. Department of Education.
Division of Local Government and School Accountability (October 2019). “Belleville-Henderson Central School District (2019M-128)” Office of the New York State Comptroller.
Division of Local Government and School Accountability (October 2019). “Evans-Brant Central School District (2019M-121)” Office of the New York State Comptroller.
Division of Local Government and School Accountability (September 2019). “Charlotte Valley Central School District (2019M-27)” Office of the New York State Comptroller.
Office of the Inspector General (November 2018). “Office of the Chief Privacy Officer’s Processing of Family Educational Rights and Privacy Act (FERPA) Complaints.” U.S. Department of Education.
Division of Local Government and School Accountability (November 2018). “Finn Academy: An Elmira Charter School – Information Technology (2018M-141)” Office of the New York State Comptroller.
Office of Missouri State Auditor (August 2018). Summary of Local Government and Court Audit Findings – Information Security Controls. [PDF]
Office of the Inspector General (March 2018). “Protection of Personally Identifiable Information in Statewide Longitudinal Data Systems.” U.S. Department of Education.
Division of Local Government and School Accountability. (February 2018). “Cairo-Durham Central School District: Information Technology. Report of Examination | 2017M-246” Office of the New York State Comptroller.
Division of Local Government and School Accountability (July 2017). “Security Over Critical Information Systems: State Education Department. Report 2016-S-69.” and follow-up report, 2018-F-17, on implementation status (November 2018). Office of the New York State Comptroller.
Office of Inspector General. (July 2017). “Protection of Personally Identifiable Information in Indiana’s Statewide Longitudinal Data System.” U.S. Department of Education.
Nicolaides, Michael. (December 2016). “NC Department of Public Instruction: Public Schools Cybersecurity Study.” NC Department of Public Instruction.
Galloway, Nicole. (October 2016). “Summary of Audit Findings Cyber Aware School Audits (Report No. 2016-112).” Office of Missouri State Auditor.
Office of Inspector General. (September 2016). “Protection of Personally Identifiable Information in Oregon’s Statewide Longitudinal Data System.” U.S. Department of Education.
Office of Inspector General. (July 2016). “Protection of Personally Identifiable Information in the Commonwealth of Virginia’s Longitudinal Data System.” U.S. Department of Education.
Chavez, Justin (June 2015). “School Data Security.” Wyoming Department of Audit.

Other Education-Specific Cybersecurity Resources

The Future of Privacy Forum’s FERPA|Sherpa maintains a growing list of cybersecurity resources. (Note: resources are not limited only to those targeted or applicable to U.S. K-12 schools.)

General Cybersecurity Resources

Stamatiou, Paul. (Oct 2019). Getting Started with Security Keys.
Shelton, Martin. (Oct 2019) Current Digital Security Resources.
Alberti, Tobia (Oct 2019). Precisely Private.
The Digital First Aid Kit by the RaReNet (Rapid Response Network) and CiviCERT.
Online Harassment Resources by HeartMob.
Motherboard. (Nov 2018). How to Tell if Your Account Has Been Hacked
Motherboard. (Nov 2018). The Motherboard Guide to Not Getting Hacked
Purdy, Kevin. (April 2018). “The Best Internet Security: Layers of Protection, and Good Habits.” Wirecutter.
Pagano, Floriana & Cheng, Sage (Apr 2018). A First Look at Digital Security. Access Now.
Security Planner by the Citizen Lab
Firefox Monitor/have i been pwned? (check to see if your accounts have been compromised in a data breach)
Consumer Reports. (February 2017). 66 Ways to Protect Your Privacy Right Now.
Surveillance Self-Defense and Security Education Companion, both projects of the Electronic Frontier Foundation
Digital Security Training Resources for Security Trainers, Winter 2017 Edition
Quintin, Cooper and Okuda, Soraya. (January 2018). How to Assess a Vendor’s Data Security. Electronic Frontier Foundation.
privacytools.io – encryption against global mass surveillance
United States Computer Emergency Readiness Team (US-CERT) Cybersecurity Tips.
European Digital Rights (EDRi). (October 2016). “Your Guide to Digital Defenders vs. Data Intruders – Privacy for kids!” (Note: designed for youth ages 10-14 years)

The K-12 Cybersecurity Resource Center

School Cybersecurity Resources

Breaking News: Cybersecurity Vulnerabilities and Threats