Fact Pattern
You have been hired by a Florida public school system as the Risk and Compliance Director for the entire school district. The district uses an education system software which serves as an online platform to track student progress, inform instruction, and provide updates to parents and students as needed.
The Cybersecurity Incident
The school district was contacted and made aware that a verified breach occurred on the education platform.
The breach is estimated to have impacted over one million account holders nationally, 13,000 of whom are students within your school district.
The breach resulted in third-party access to student names and, in some cases, birth dates and email addresses.
The Forensic Expert’s Report
The education system hired an outside cybersecurity forensics expert to investigate. The expert’s report included three key findings:
FIRST FINDING: The data breach occurred after an unauthorized third-party gained access to several school and university accounts on the education system software.
SECOND FINDING: The education system software platform became aware of the incident in September 2022, after the Federal Bureau of Investigation (FBI) notified the education company about the breach. It is to be noted that the incident happened in November 2021.
THIRD FINDING: There is no evidence at this time that student information has been misused.
Assignment: Your Cybersecurity Policy Draft
Based on the fact pattern you have been asked to create a draft cybersecurity policy (the “Draft Policy”) to present to the school board’s five district-level elected board members.
The Draft Policy should include a clearly defined scope and clearly integrate NIST concepts and guidance.:
In doing so, please review A Comprehensive Breakdown of the Roles of School Personnel. Choose 5 types of parties that will be the focus of your Draft Policy, making sure that you choose at least one from each of the three categories:
School Leader
School Faculty
School Support Staff
You should also identify three types of vendors to whom a school district may outsource certain tasks or duties–e.g., accounting firms, food services, school supplies, book publishers, computer manufacturers, software companies, digital yearbook companies, etc.
Scope: Indicate the individuals to whom the Draft Policy applies.
Scope: Under what circumstances does the Draft Policy apply to each of those 5 types of parties?
In doing so, make sure that you identify how different responsibilities and access to data may affect how each of those parties is treated under the Draft Policy.
NIST:
Include the NIST definition of a breach
Standards and metrics–e.g., to enable prioritization of the incidents
Reporting mechanisms
Remediation mechanisms
Feedback mechanisms
Additional Guidance and Readings
Please keep in mind, a part of the preparation for an effective breach response involves evaluating your organization’s legal responsibilities to notify affected parties. Depending on the systems or data that are compromised, there may be legal requirements regarding notification of data owners and/or other stakeholders. Federal laws, including, but not limited to, the Gramm-Leach-Bliley Act, the Federal Trade Commission Act, the Health Information Technology for Economic and Clinical Health (HITECH) Act, and FERPA, all address the importance of protecting sensitive student information and may potentially apply in an event of a breach.
For this exercise, please concentrate on FERPA.
In preparation for writing your Draft Policy, please read
Executive Summary – pp. v – vi
Framework Introduction – pp. 1-5
Overview of the Framework
