Information is power. But, it’s also a responsibility.
Issue 6 | Volume 4 | 2015
Matter
SPOTLIGHT TOPIC - INFORMATION SECURITY
Details
Thank you to the 63 members representing 62 schools that have been part of our platform since its launch earlier this year. It has been our mission to share original and curated content, helping you see that keeping your school community more safe and secure is not only possible, but can be accomplished without totally sacrificing your mission and culture. In short, a comprehensive approach to what is indeed a broad and complicated series of topics is your best defense. I hope that you have found the resources valuable in support.
We will return in August with a back-to-school edition, in a somewhat different format. This will most likely involve a consolidation of our three monthly newsletters into one regular release. We will continue to extend this program to schools at no cost as we navigate ways to monetize the site after January 1, 2020. I hope you will see the continued value at that point and continue your participation.
I wanted to take a moment to veer away from this month's topic and ask you to engage on the most highly prevalent health issue with children, Child Sexual Abuse. Many of you know by now that Big Back Pack consults with the leading adult education program in existence, the nonprofit Darkness to Light (www.d2l.org). I have spent much of the last year traveling the country speaking on their behalf and providing teacher training as well as working as a certified trainer for other adults interested in becoming facilitators.
With the start of school really not far off and most of you putting the finishing touches on your faculty & staff in-service, now is the time to up your training in this battle by bringing our flagship program, Stewards of Children, to your school. You can learn more by emailing me directly at steve@bigbackpack.org or smandell@d2l.org.
Have a peaceful summer and thanks again for your support!
Have you viewed the Jamie Britto Webinar about Information-Security? In addition to being the Chief Information Officer at Collegiate School in Richmond, Jamie is considered one of the nation's top experts in the topic, particularly as it relates to independent schools.
ALLISON AIKEN HANNA PARTNER THE TOWER AT 1301 GERVAIS STREET, SUITE 1400 PO BOX 11367 | COLUMBIA, SC 29211
The protection of sensitive or personally identifiable information is of paramount importance for schools and employers alike. Those schools that receive federal monies are bound by the requirements of the Family Educational Rights and Privacy Act (FERPA) and the Individuals with Disabilities in Education Act (IDEA). Most schools, both public and independent, also are bound by the protections of the Americans with Disabilities Act (ADA) and the Family and Medical Leave Act (FMLA), in addition to other federal and state-specific laws. The following are some brief considerations for schools when collecting and storing sensitive information.
Federal Law: Employment Eligibility Documents - I-9 Forms
All employers are required to review and maintain certain documents that demonstrate an employee’s authorization to work, which may include social security numbers, passport/travel documents, birth certificates, driver's license numbers, etc. The federal government, through the USCIS, is authorized to audit employers’ I-9 documentation to ensure compliance. As a result, employers should keep all I-9 documentation in a separate file/location so that during an audit the USCIS reviews only the relevant documents, not other unrelated information such as payroll records, medical records, etc. Additionally, this information typically is exempt from disclosure even if a school is subject to freedom of information act inquiries.
Medical Records
Consistent with the ADA and FMLA, only certain individuals within an organization may access medical information for specific employees; this typically does not include direct supervisors but rather is limited to administrative-level employees. As a result, schools should maintain medical documentation, requests for additional information from physicians, and medical excuses in a file separate from the main personnel file.
Student Records - IDEA and FERPA
It is beyond the scope of this article to address student records retention issues. However, schools should ensure federal and state laws are considered and carefully followed, including state-specific records retention laws for all students, not just those with special needs.
State Laws: Employee References
Most states have specific statutes that provide protections for employers when providing references for current and former employees. For example, the law may state that an employee can provide, in writing, the name, dates of employment, position title, and salary information for a reference without any fear of liability, while other categories of information may be shared with a limited potential for liability. Although it is important for employers to provide forthright and honest information regarding employees seeking other opportunities, it is prudent to research and comply with specific state laws regarding reference protections. (Though outside the scope of this article, false references should be avoided at all times.)
In closing, schools should strive to maintain and control access to accurate employee and student documentation as required by federal and state law. When in doubt, a school should seek advice from its legal counsel or accrediting association before releasing sensitive information and when establishing local policies and systems to safeguard the same.
It's important to always seek out legal advice from your school attorney. This column is not intended to be legal guidance.
Charleston Collegiate (Charleston, SC), a smaller school with a big progressive vision, asked some important questions last summer. The staff was concerned that they were not making the best use of their student management system with regard to information security. Should they rely on the strength of their database partner or also use shared Google folders as a way to share information? What about credit card information? Was their student health information safe even if it had to sometimes be shared with faculty and staff? The school embarked (with the aid of Big Back Pack) on a thorough document review and an examination of these issues. Being the forward-thinking, people-centered school that they are, Charleston Collegiate, under the leadership of Hacker Burr and the vision of Academic Dean Liz Boyd, openly and honestly embraced their challenges and worked towards the creation of a sustainable information-security policy as well as tightening up their systems. Kudos to Charleston Collegiate! If your school is interested in undergoing a similar analysis, contact Steve Mandell at steve@bigbackpack.org.
Visit the new Member platform to catch up on content!
What Independent Schools Need to Know about Cybersecurity by Jamie Britto, Chief Information Officer at Collegiate School in Richmond, Virginia.
The severity and frequency of cyberattacks continue to increase across industries and around the globe. From Target’s breach in 2013 to Equifax in 2017 to the City of Atlanta’s ransomware shutdown in 2018, criminals have become more and more sophisticated at stealing our data and disrupting our lives. These threats are also increasing in frequency and severity at independent schools. Consider these three recent examples.
An email account belonging to an admission office staff member was accessed by hackers. Within the account the hackers identified applicants on the school’s wait list. The hackers then emailed those families a fake acceptance letter along with a phony link to pay a “deposit.”
A head of school was tricked into giving out his account username and password. Once in the account, the hackers watched the ebb and flow of emails for several weeks before acting. Impersonating the head and sending emails from his actual account, the thieves emailed the school’s bank and set up a fictitious account and then started to transfer money from the school to this new account.
A spreadsheet with students’ sensitive medical information was mistakenly sent to parents. The spreadsheet initially was sent to teachers by the school nurse. One faculty member, however, then forwarded it to families asking them to update their students’ information. Within hours of the email being sent to families, the school was sued by an anonymous parent. As the school year started, the email accident and lawsuit made the local newspaper.
Over the past two years, the Association of Technology Leaders of Independent Schools (ATLIS) has conducted four surveys of independent schools and its annual member survey, and found that more than half of respondents had suffered some sort of damage from a cyberattack.
The most recent data reveals that 60 percent of schools said they had suffered an email attack, 40 percent had their email systems wrongfully accessed, 27 percent fell prey to a ransomware attack, and 7 percent reported that their networks had been breached. “What concerns me even more than the number of incidents,” says Sarah Hanawald, executive director of ATLIS, “is the schools that tell me they have no problem. Too often, this means that they have no way of detecting attacks until the ransom note appears.”
Schools and Leaders as Targets
One of the things that surprises school leaders most often when I talk about this topic is that scam artists around the world know who you are and what you do at your school. They research your leadership teams by looking at your website and scouring social media sites to learn about your friends and the way you communicate. According to Bob Olsen, director of information security at Navigant, a global consulting firm based in Chicago, “Social media accounts provide a wealth of information that can be used to draft compelling and highly successful phishing emails.”
Once scammers have a dossier on you, they typically try to exploit it through email. The most common attack is to send you and your school leaders a phishing email that tries to trick you into giving them your account name and password. If they’re successful in getting into your account, they will observe the flow of information and figure out a way to use it to steal from you—and they can be extremely patient and resourceful in doing so. “This type of attack is common and one that hackers use to target organizations that they believe are likely to have only minimal security controls in place,” Olsen says.
Immediate Action
According to the 2017 Verizon Data Breach Investigation report, more than 80 percent of cyberattacks involve the use of email. Fortunately, there is a simple and straightforward way to stop many of these email attacks: two-factor authentication. Two-factor authentication frequently takes the form of receiving a special code via text message when someone logs into an account with a username and password. “Two-factor authentication is one of the most effective security controls that an organization can implement,” Olsen says. “We helped clients address more than 600 cybersecurity incidents last year, more than half of which would have likely been prevented with two-factor authentication.”
Independent schools need to use this control more widely. Anyone at a school who sends, receives, or stores sensitive or protected information in their Google or Microsoft 365 email account (which includes most faculty and staff members) should be required to use two-factor authentication. Unfortunately, only 20 percent of schools meet that standard, according to ATLIS survey data. The data also suggest that an additional 30 percent have enabled it only for some users, and an alarming 50 percent of schools don’t use this safeguard at all. If you are among those not using it, you should call your tech director to configure it right now.
The complete article was published on the NAIS website in the Fall of 2018.
Here’s What Independent Schools Should Know About Cyber Security Regulations (DiversityIS)
Cybersecurity Recommendations for Independent Schools (ATLIS)
Cybersecurity in Independent Schools: Data Breach Threats and Prevention Techniques (NAIS)
Educational Collaborators offers a low-cost Cybersecurity Assessment aligned with the ATLIS Cybersecurity Recommendations. Have your cybersecurity profile evaluated by the people who created the recommendations for ATLIS. School data systems have become both increasingly complex and isolated. However, data has never been more important! Their experienced school data experts will help develop a road map to consolidate, automate, and analyze data so your school is more accurate, efficient, and empowered. Teachers, administrators, and staff are often at very different places with regard to their comfort with technology. As a result, one-shot professional learning is often ineffective. They take an informed approach, leveraging resources you have to meet your varied learning needs. Visit Educational Collaborators’ website to learn more: https://www.educollaborators.com/