Cybersecurity and Data Privacy

Data Privacy Policy: Goose Creek CISD has taken action to ensure that all student data is handled securely and in compliance with all state and federal legislation. Through rigorous processes and high standards of compliance, our goal is to not only abide to state and federal law, but to provide students, parents, and our community with the resources and information needed to protect student privacy. This is accomplished by a process of continual improvement of security practices. The district employees the principle of least privilege and role based security to ensure that data is only accessed by those that have a legitimate educational purpose. A multi-layered defense is also employed to ensure that your data remains protected. As the technology landscape is constantly changing, these processes are reviewed at least annually to make sure they are still relevant and provide strong protection. In an effort to achieve these goals, the Goose Creek CISD Technology Department seeks to implement the following programs:

Trusted Learning Environment Seal Program - The CoSN Trusted Learning Environment (TLE) Seal program is the nation’s only data privacy framework for school systems, focused on building a culture of trust and transparency. The TLE Seal was developed by CoSN in collaboration with a diverse group of 28 school system leaders nationwide and with support from AASA, The School Superintendents Association, the Association of School Business Officials International (ASBO) and ASCD. School systems that meet the program requirements will earn the TLE Seal, signifying their commitment to student data privacy to their community. TLE Seal recipients also commit to continuous examination and demonstrable future advancement of their privacy practices.

On May 12, 2022, CoSN awarded the Trusted Learning Environment (TLE) Seal to Goose Creek Consolidated Independent School District (GCCISD). The TLE Seal is a prestigious national distinction that school districts earn for demonstrating a commitment to protecting student data through modern, rigorous policies and practices.
Texas Cybersecurity Framework - The Texas Cybersecurity Framework is a self-assessment to determine cybersecurity risks. While local governments and K-12 organizations are not required to submit a Cybersecurity Plan to the State, using the framework helps to align security goals and practices with other government entities and institutions of Higher Education across the State of Texas.

The district uses data to support a variety of processes throughout the district including supporting student learning, evaluating teachers, improving instructional and operational practices, and complying with various state and federal requirements. For more information on who uses student data, see this infographic.

GCCISD uses many applications to encourage learning through innovation. See this page for more information on approved/denied applications and the process for requesting a free or paid app.

Website Privacy Policy: Goose Creek Consolidated Independent School District (Goose Creek CISD or GCCISD) is committed to respecting and protecting your privacy as a visitor to our websites. This includes the Here, We Grow Giants site. We will only collect, store and use your personal information for defined purposes. Goose Creek CISD values accountability and transparency at all levels including ensuring that student data privacy and security are a top priority. For more information on what data is collected as well as records management, see the Data Governance tab.

Student Data Collection and Security Fact Sheet

Data Governance Guidelines

* Handbooks, procedures and guidelines are reviewed at least annually to provide updates that align with changes in laws/regulations and the constantly changing technology landscape.

Sharing Data with Vendors/Third-Parties

Goose Creek CISD takes the privacy of both student and staff data very seriously. Before procuring services or contracting with a third-party, a security risk assessment is performed. Much like a credit score is used in the lending process, a security risk score can reveal risks that a company would present and the likelihood they would suffer a data breach or other security incident. Goose Creek continuously monitors these third-parties in order to manage any risk that may occur and take appropriate proactive measures to keep district data secure. Secondly, if data will be shared with a vendor/third-party, a signed Data Privacy Agreement MUST be in place before a contract is signed. The current Data Privacy Agreement in use is the TX_NDPA_v1r6.

Records Management Board Policies

CPC (LEGAL) - OFFICE MANAGEMENT: RECORDS MANAGEMENT

CPC (LOCAL) - OFFICE MANAGEMENT: RECORDS MANAGEMENT

FL (LEGAL) - STUDENT RECORDS

FL (LOCAL) - STUDENT RECORDS

*Board Policy is reviewed regularly to ensure that they align with all current laws and regulations.

Holiday ransomware attacks hit education hardest

11/29/2022

The education sector is especially vulnerable to ransomware attacks over holidays and weekends, according to a global survey by cybersecurity firm Cybereason. Over half (54%) of education information technology professionals surveyed said “it took us longer to assess the scope of the attack” over a holiday or weekend, while 42% said they take longer to respond to and stop holiday and weekend incidents compared to those on weekdays. The same percentage (42%) reported greater financial losses from holiday and weekend cyberattacks. Schools are also more likely than other sectors to spend more time recovering from a ransomware attack, Cybereason found. On average, 16% of cybersecurity professionals across industries, compared to 25% of those in education, reported taking one to two days to recover. While 13% of all industry cybersecurity professionals recovered in three to six days on average, 28% of school professionals said they needed that amount of time. To better protect schools from cyberattacks, experts have recommended districts vet new technologies, collaborate with instructional leaders, phase in multi-factor authentication and create a security team.

Security Tips - Badge and Identification (ID) Security

11/16/2022

You've probably seen employees wearing security badges at their organization's offices. Can you think of how many different organizations' badges you can recognize? Can you recall the details of the badges you've seen?

There are several different details on badges that cybercriminals look for, such as an employee’s picture, the employee's name, and the color of the badge. As technology has advanced and image editing software has become more popular, cybercriminals can use these details to easily replicate the look of security badges.

Within hours, cybercriminals could recreate your badge with their own names and pictures. They can then use the badge to gain access to your organization's offices or buildings.

How to Protect Your Security Badge or ID

It's important that you are responsible for your security badge and that you practice proper badge use. If your organization has a formal policy about proper badge use, please refer to that policy.

Follow the tips below to protect your security badge or ID:

Wear your badge at all times when you're inside of your organization's offices or buildings.
Don't wear your badge while you are in a public place. When you wear your badge in a public place, you are also showing people where you work. If cybercriminals know your name and where you work, they can target you or your organization.
If you've lost your badge or believe your badge has been stolen, immediately report it as missing.
Never let other people use your badge, even if they have forgotten their own badge at home.

Next time you leave for a lunch break or leave your office, put your badge in your purse or pocket so that other people can't easily read the information on your badge.

Security Tips - Stay Safe from Password Spraying

11/03/2022

Passwords have become an integral part of our daily lives. We use passwords to check our social media feeds, access our bank accounts, and log in to our work computers. In fact, studies have shown that the average person can have up to 100 different online accounts.

That’s a lot of passwords to remember! With so many login credentials to remember, you may be tempted to come up with short and simple passwords. Using a password such as “password1234” or “QWERTY” may not seem like a big deal, but a weak password can put you at risk of a cyberattack called "password spraying."

What Is Password Spraying?

Password spraying is a cyberattack that tests common weak passwords across multiple user accounts. By cycling through multiple accounts, cybercriminals can avoid being locked out of a single account due to failed login attempts. The process is usually automated and often goes undetected for a long time. Once cybercriminals gain access to a user’s account, they can steal sensitive information and plant malware.

The password spray attack isn't new, but it remains an effective hacking method that allows cybercriminals to gain access to organizations’ networks. In recent years, cybercriminals have modified the password spraying technique, attacking single sign-on (SSO) services and other cloud platforms. Due to these attacks, you may need more than just a password to keep your sensitive information secure.

How Can I Keep My Account Safe?

Follow the tips below to help protect your accounts and your organization’s network from password spraying attacks:

Use multi-factor authentication (MFA) to add an extra layer of security to your account. MFA requires you to provide extra verification before logging in to an account, making it more difficult for cybercriminals to hack your account.
Try safe passwordless authentication options, such as biometric authentication, voice recognition, or facial recognition technology.

Make sure that the passwords you use are unique and strong. Try using longer passphrases that you can remember, and don't use the same passwords for multiple accounts.

Scam of the Week: Email Scams from University Domains

11/02/2022

Most universities provide students with email addresses from the university’s official domain. For example, a student's email address could be firstname[at]harvard[dot]edu. Since these email addresses use real university domains, cybercriminals try to gain access to student email accounts so they can use them for their own malicious purposes.

To start the scam, cybercriminals use social engineering to gain access to a student's email account. If they are successful, the cybercriminals will send you a phishing email from the stolen email address. The university email address makes the email appear more legitimate. The email states that some messages are being blocked from your inbox and provides a link to a spoofed login page. If you click this link and enter your login credentials, cybercriminals can use your login credentials to access your sensitive information.

Don’t let a university email scam trick you. Follow the tips below to keep your sensitive information safe:

Even if the sender’s email address is from a trusted domain, the email could be fake. Cybercriminals can gain access to trusted domains to make their scams more believable.
When you receive an email, stop and look for red flags. For example, watch out for emails that were sent outside of business hours and emails that contain spelling or grammatical errors.
Never click a link in an email that you aren’t expecting. If the email claims that you have an account issue, log in to the organization’s website directly to verify the claim.

Privacy & Security Discussion Topic Ideas

Phishing Emails
- Have you noticed any phishing emails to share with others? What clues did you notice that made you aware that it was not legitimate? How should these emails be reported? Should general SPAM be reported as Phishing?

Social Engineering
- Have you received phone calls using social engineering techniques trying to get you to give information to someone that you do not know? What did you do to verify their identity before sharing information?

Current Events
- What are some recent cyber attacks or data breaches in K-12 from news sources? How we can better be prepared to prevent a similar attack at Goose Creek CISD?
- What recent cybersecurity/data privacy news have you seen and how could it impact us?
- What are upcoming/recent laws or regulations around privacy and cybersecurity that would impact Goose Creek CISD?

Applications & 3rd Party Systems
- Have you used a new app, program, or website lately? Did you make sure you knew what data is being collected/transmitted and if it is being protected? How did you verify?
- Why is it important to vet our applications for security, privacy, or content concerns?
- Thinking about using a new app? Discuss the vetting process and assign someone to submit it for review.

Data Privacy Webpage
- What data do you collect on students? Review the Data Fact Sheet.
- Review resources on Data Privacy site

Data Breach Notice
- If you became aware of a potential data breach, who would you notify?
- What is the role of the District's cybersecurity coordinator? Who is this at Goose Creek CISD?

Data Privacy Curriculum
- How are you implementing data privacy in your classrooms?
- How do you integrate the Digital Citizenship Curriculum in your classrooms?
- What discussions have you had with students, parents, teachers, or staff about privacy/security?

Disaster and Recovery
- How do we protect data when in a disaster (fire, flood, hurricane, cyber attack, school shooting, etc)?
- How would we recover from a disaster and is that documented?

Cybersecurity and Privacy Training
- Has everyone completed the required trainings on Cybersecurity and Privacy?
- What is something each person learned from the Texas Cybersecurity training.
- What is Board Policy CQB and why is it important?

Handbooks

Employee Handbook

Student Handbook (English)

Student Handbook (Spanish)

* Handbooks, procedures and guidelines are reviewed at least annually to provide updates that align with changes in laws/regulations and the constantly changing technology landscape.

Board Policy

CQB - Cybersecurity

*Board Policy is reviewed regularly to ensure that they align with all current laws and regulations.

Laws/Regulations

FERPA - Family Education Rights and Privacy Act

PPRA - Protection of Pupil Rights Amendment

COPPA - Children's Online Privacy Protection Act

CIPA - Children's Internet Protection Act

GCCISD Resources

Agenda Discussion Topics

Security Access Procedure

GCCISD Digital Safety

Digital Citizenship Curriculum

Are you considering an application?

Is the app already approved or denied?

Check the Student Data Privacy Consortium (SDPC) Database
Check the Goose Creek Approved & Denied App List

You must follow the approval process to request apps for student use. Teachers may research apps they wish to use. Consider the resources below before using a third-party application (website or app). If you feel the app is a good candidate, please follow the approval process listed below or on the Ed Tech webpage.

First ask yourself these questions:
Checklist for Choosing Tools Worth Your (and Your Students') Time
Educational App Evaluation Checklist
Second make sure you understand how the data is being used. To protect student data as well as the security of other district systems, you need to understand the importance of App Vetting. Things to look at are the privacy policy, is the data encrypted, can you request deletion of data, is the data strictly used for educational purposes, is the data protected, is the app appropriate for the targeted age group, etc.
What is App Vetting and Why is it Important?
Vetting Apps Across the District (RED FLAGS to watch out for)

Vetting Process

iPad App Approval Process

iPad App Approval Workflow

Data Privacy

Educator's Guide to Student Data Privacy

Protecting Student Privacy While Using Online Educational Resources

Privacy Basics - Facebook

Privacy Basics - Twitter

Laws, Regulations and Standards

COPPA 101

FERPA 101

ISTE Standards for Modeling Digital Citizenship