In response to feedback received from various school districts, we have gathered the following information:

The New York State Education Department’s (NYSED) Information Security Office issued an important update affecting school districts throughout the state. Starting this spring, the NYSED Information Security Office will begin a comprehensive review of the data security controls Local Education Agencies (LEAs) currently have in place to protect the systems, applications, and data within their school districts. The ultimate objective of this initiative is to enhance the overall security posture of LEAs in New York State.

Overview of NYSED’s LEA Data Security Review

The NYSED Information Security Office will contact LEAs to schedule virtual appointments for the data security review in January 2024. This timeframe will give LEAs enough time to review their current data security posture and ensure compliance before the review.

The regulatory frameworks guiding this assessment include Education Law § 2-d and Part 121 of the Regulations of the Commissioner of Education, which define what must be protected, and the NIST Cybersecurity Framework (CSF), which provides the guidance and measures for building a robust data security foundation. Within these compliance frameworks, the review will cover three key areas: Policies, Controls, and Third-Party Oversight. Each of these areas plays a pivotal role in safeguarding sensitive information and maintaining a secure digital environment.

Data Security Areas of Review (at a Minimum)

Policies

  • Acceptable Use
  • Password
  • Incident Response
  • Disaster Recovery
  • Privacy and Security

Controls

  • Multi-Factor Authentication (MFA)
  • Password Complexity
  • Users On/Off Boarding Process
  • Access Control (i.e., physical and electronic)
  • Privacy and Security Awareness Training
  • Backups (i.e., tested)
  • Patch Management

Third-Party Oversight

  • Type of Data Shared
  • How Data is Shared
  • Where Data is Stored
  • Access Controls on Data Sets
  • Configurations in Third-Party Environment

[Infographic: the three areas of NYSED’s data security review, Policies, Controls, and Third-Party Oversight]

Potential Impact of the Data Security Review

If questions or concerns arise during the data security review of a given LEA, the NYSED Information Security Office will collaborate with the Superintendent and the Data Protection Office. Together, they will formulate a plan of action to remediate any identified deficiencies and strengthen the LEA’s controls.

Recommended Action Items

M.A. Polce’s cybersecurity team recommends the following proactive measures:

Review and Update Policies

  • Ensure that Acceptable Use, Password, Incident Response, Disaster Recovery, and Privacy and Security policies are up to date and align with industry best practices.

Enhance Security Controls

  • Strengthen MFA implementation.
  • Enforce robust password complexity standards.
  • Streamline the user onboarding and offboarding process.
  • Regularly review and update access controls.
  • Conduct Privacy and Security Awareness Training for staff.
  • Regularly test and validate backup systems.
  • Implement a robust patch management process.

Third-Party Collaboration

  • Review and document the type, manner, and location of data shared with third parties.
  • Ensure stringent access controls on data sets shared with external entities.
  • Verify and update configurations in third-party environments.

Priority Efforts to Engage

  • Collaborate with a cybersecurity services provider like M.A. Polce to conduct a comprehensive security assessment. This type of assessment will identify and address any potential gaps in your current security infrastructure.
  • Consider enrolling in an ongoing risk and compliance program, such as M.A. Polce’s Managed Risk and Compliance service, which provides a dedicated security roadmap for achieving compliance with the applicable frameworks and for continuously strengthening your organization’s security posture.

Preparing for the NYSED LEA Data Security Review

By proactively addressing these action items, your school district can demonstrate a commitment to data security and ensure a smooth review process by the NYSED Information Security Office. Should you require assistance implementing the proper data security controls, please do not hesitate to contact us. We are committed to supporting your school district in maintaining the highest standards of cybersecurity.