Cybersecurity and Data Privacy

Data Privacy Policy: Goose Creek CISD has taken action to ensure that all student data is handled securely and in compliance with all state and federal legislation. Through rigorous processes and high standards of compliance, our goal is not only to abide by state and federal law, but also to provide students, parents, and our community with the resources and information needed to protect student privacy. This is accomplished by a process of continual improvement of security practices. The district employs the principle of least privilege and role-based security to ensure that data is accessed only by those who have a legitimate educational purpose. A multi-layered defense is also employed to ensure that your data remains protected. As the technology landscape is constantly changing, these processes are reviewed at least annually to make sure they are still relevant and provide strong protection. In an effort to achieve these goals, the Goose Creek CISD Technology Department seeks to implement the following programs:

 

  • Trusted Learning Environment Seal Program - The CoSN Trusted Learning Environment (TLE) Seal program is the nation’s only data privacy framework for school systems, focused on building a culture of trust and transparency. The TLE Seal was developed by CoSN in collaboration with a diverse group of 28 school system leaders nationwide and with support from AASA, The School Superintendents Association, the Association of School Business Officials International (ASBO) and ASCD. School systems that meet the program requirements will earn the TLE Seal, signifying their commitment to student data privacy to their community. TLE Seal recipients also commit to continuous examination and demonstrable future advancement of their privacy practices.

    On May 12, 2022, CoSN awarded the Trusted Learning Environment (TLE) Seal to Goose Creek Consolidated Independent School District (GCCISD). The TLE Seal is a prestigious national distinction that school districts earn for demonstrating a commitment to protecting student data through modern, rigorous policies and practices.

    CoSN TLE Seal for GCCISD until May 2024


  • Texas Cybersecurity Framework - The Texas Cybersecurity Framework is a self-assessment to determine cybersecurity risks. While local governments and K-12 organizations are not required to submit a Cybersecurity Plan to the State, using the framework helps to align security goals and practices with other government entities and institutions of Higher Education across the State of Texas.

 

The district uses data to support a variety of processes, including supporting student learning, evaluating teachers, improving instructional and operational practices, and complying with various state and federal requirements. For more information on who uses student data, see this infographic.


GCCISD uses many applications to encourage learning through innovation. See this page for more information on approved/denied applications and the process for requesting a free or paid app.

 

Website Privacy Policy: Goose Creek Consolidated Independent School District (Goose Creek CISD or GCCISD) is committed to respecting and protecting your privacy as a visitor to our websites. This includes the Here, We Grow Giants site. We will only collect, store and use your personal information for defined purposes. Goose Creek CISD values accountability and transparency at all levels including ensuring that student data privacy and security are a top priority. For more information on what data is collected as well as records management, see the Data Governance tab.

Student Data Collection and Security Fact Sheet

Data Governance Guidelines

* Handbooks, procedures and guidelines are reviewed at least annually to provide updates that align with changes in laws/regulations and the constantly changing technology landscape. 

 

Records Management Board Policies

CPC (LEGAL) - OFFICE MANAGEMENT: RECORDS MANAGEMENT

CPC (LOCAL) - OFFICE MANAGEMENT: RECORDS MANAGEMENT

FL (LEGAL) - STUDENT RECORDS

FL (LOCAL) - STUDENT RECORDS

*Board Policy is reviewed regularly to ensure that it aligns with all current laws and regulations.

Scam of the Week: How Cybercriminals Are Using Monkeypox to Their Advantage
06/21/2022

During the COVID-19 pandemic, cybercriminals used health concerns as easy and effective phishing bait. Now, they're using the recent monkeypox outbreak to continue to prey on your emotions and steal your personal information.

In one such attack, employees received an email with the subject line, “Attention all [Company] Employees - Please Read and Comply.” The email includes information about the recent monkeypox outbreak and cites authorities such as the Centers for Disease Control and World Health Organization. The email also provides a link for “mandatory” monkeypox safety awareness training which requires users to log in.

Unfortunately, if you were to click the link and log in, you would not be met with helpful information about how to stay safe from monkeypox. Instead, you would provide cybercriminals with the entry point they need to steal sensitive information from your organization.


To prevent yourself and your organization from falling victim to similar scams, follow the tips below:

  • Be wary of emails with alarming or urgent titles, especially emails that ask you to perform an action such as clicking a link or opening an attachment.
  • Verify any unexpected or suspicious “mandatory” training with a trusted source, such as your organization’s learning team or your manager.
  • Before you click on a link, hover your mouse over it. Make sure that the link leads to a legitimate, safe website that corresponds with the content in the email.

Security Tips - How to Handle Suspicious Emails
06/19/2022

Learning how to handle suspicious emails is essential to keep your organization safe from cybercriminals. If you don’t correctly handle a suspicious email, you could fall victim to a phishing attack.


Follow the tips below to make sure you correctly handle suspicious emails:


Don't Reply to the Email

If you receive a suspicious email that appears to come from someone you know, you may be tempted to reply to the email to learn more. However, if you reply to the email, you may increase the security risk. If an email account has been compromised, the person who replies back to you probably won’t be who you expect. You could actually be communicating with a cybercriminal.

Don't Forward the Email

The best practice is to never click a link or open an attachment that you were not expecting. However, if you are fooled by a phishing email and you click a malicious link or open a malicious attachment, you may find that the link or attachment will not behave as expected. For example, if you open a suspicious image attachment, the file may actually open an installation window. Or, if you click a malicious link, the link may redirect you to a fake login page.


If the link or attachment is suspicious, you may think about forwarding the email to a coworker for help. However, forwarding the email to a coworker could increase the risk. If you click on a link or open an attachment, consider any unusual behavior as a red flag. Never forward unusual or suspicious emails to other users. If you forward a phishing email, you increase the risk of a security breach because your coworker may click the phishing link as well.

Don't Mark the Email as Spam

Spam emails are typically unwanted advertisements. While spam emails may be annoying, they are usually harmless. However, a phishing attack is a malicious email designed to look like a legitimate message. Phishing emails typically include a call to action, such as clicking a link, opening an attachment, or even transferring money.


If you mark a suspicious email as spam, the email will be moved to a different folder along with any other emails from the same sender. So, if you move the suspicious email to a spam folder, the email will be hidden. However, the problem will not be resolved.

Tips to Stay Safe

The best way to handle a suspicious email is to report the email to your organization. If you report the email, your IT team can assess and mitigate the threat.


When you receive a suspicious email, follow the tips below to stay safe:

  • Be sure to follow your organization's process for reporting suspicious emails. Following cybersecurity protocols will help keep everyone’s information safe.
  • If you don’t know how to report the email, leave the email in your inbox and ask a manager or supervisor for help.
  • If you’re not sure whether an email is spam or a phishing attack, report the email and let your IT team handle the situation.


The KnowBe4 Security Team
KnowBe4.com


Scam of the Week: Watch Out for Phishy Facebook Messages
06/15/2022

In a new scam, cybercriminals have been using compromised Facebook accounts to send links to fake login pages. This scam is gaining popularity, with over eight million people viewing just one of the phishing pages so far this year.

 

In this scam, cybercriminals hack users’ Facebook accounts and then use these accounts to send messages to the users’ Facebook friends. When a user clicks on a link from one of these messages, they are directed to a fake Facebook login page. On this page, the user is asked to enter their email and password to verify their credentials. 

If you fall for this scam, any credentials that you share will be delivered directly to the cybercriminals. The cybercriminals could then log in to your Facebook account and send similar links to your Facebook friends. It's important to remember that cybercriminals can also use ad tracking tools to receive money from visits to these pages. They profit from every click!

 

Follow these tips to stay safe from phishy messages:

  • Hover your mouse over links before you click. Watch out for links that are suspiciously long or show a domain for a different website than the website you want to visit.
  • If you receive a suspicious Facebook message, reach out to your Facebook friend by email, text message, phone call, or another app. If they didn’t send you the message, let them know that their account has been hacked and they should change their password immediately. Do not reply to the suspicious message.

 

Stay informed about the latest scams and how you can stay safe. Information is one of our most powerful tools against cybercriminals.


Scam of the Week: Cybercriminals Use SEO to Target Your Online Search Results
06/01/2022

Search Engine Optimization (SEO) is a technique that helps websites appear more often in search engine results, and rank higher than other websites. Legitimate websites use SEO such as easy-to-remember URLs and relevant keywords. Unfortunately, cybercriminals can also use SEO for their malicious websites.

 

Cybercriminals use SEO in several ways, such as adding tons of popular keywords to their website and creating multiple links that redirect you to their website. Cybercriminals can also pay third parties to visit their website, which makes the website appear more reputable and popular to search engines. If you visit one of these malicious websites, you may be tricked into downloading a malicious file or providing your personal information.

 

Follow these tips to keep yourself safe from malicious search results:

  • Always hover your cursor over a link before you click, even when using a search engine. Look for spelling mistakes and overly long URLs that can hide a website's true domain.
  • Avoid search results that include a long list of random or repeated words and phrases. That website could be using excessive keywords to draw in traffic.
  • Visit trusted websites directly by entering the URL in your browser's address bar, instead of using a search engine to find the website.

Privacy & Security Discussion Topic Ideas


Phishing Emails
- Have you noticed any phishing emails to share with others? What clues did you notice that made you aware that it was not legitimate? How should these emails be reported? Should general SPAM be reported as Phishing?

Social Engineering
- Have you received phone calls using social engineering techniques trying to get you to give information to someone that you do not know? What did you do to verify their identity before sharing information?

Current Events
- What are some recent cyber attacks or data breaches in K-12 from news sources? How can we be better prepared to prevent a similar attack at Goose Creek CISD?
- What recent cybersecurity/data privacy news have you seen and how could it impact us?
- What are upcoming/recent laws or regulations around privacy and cybersecurity that would impact Goose Creek CISD?

Applications & 3rd Party Systems
- Have you used a new app, program, or website lately? Did you make sure you knew what data is being collected/transmitted and if it is being protected? How did you verify?
- Why is it important to vet our applications for security, privacy, or content concerns?
- Thinking about using a new app? Discuss the vetting process and assign someone to submit it for review.

Data Privacy Webpage
- What data do you collect on students? Review the Data Fact Sheet.
- Review the resources on the Data Privacy site.

Data Breach Notice
- If you became aware of a potential data breach, who would you notify?
- What is the role of the District's cybersecurity coordinator? Who is this at Goose Creek CISD?

Data Privacy Curriculum
- How are you implementing data privacy in your classrooms?
- How do you integrate the Digital Citizenship Curriculum in your classrooms?
- What discussions have you had with students, parents, teachers, or staff about privacy/security?

Disaster and Recovery
- How do we protect data during a disaster (fire, flood, hurricane, cyber attack, school shooting, etc.)?
- How would we recover from a disaster and is that documented?

Cybersecurity and Privacy Training
- Has everyone completed the required trainings on Cybersecurity and Privacy?
- What is something each person learned from the Texas Cybersecurity training?
- What is Board Policy CQB and why is it important?

Handbooks

Employee Handbook

Student Handbook (English)

Student Handbook (Spanish)

* Handbooks, procedures and guidelines are reviewed at least annually to provide updates that align with changes in laws/regulations and the constantly changing technology landscape. 

 

Board Policy

CQB - Cybersecurity

*Board Policy is reviewed regularly to ensure that it aligns with all current laws and regulations.

 

Laws/Regulations

FERPA - Family Educational Rights and Privacy Act

PPRA - Protection of Pupil Rights Amendment

COPPA - Children's Online Privacy Protection Act

CIPA - Children's Internet Protection Act

 

GCCISD Resources

Agenda Discussion Topics

Security Access Procedure

GCCISD Digital Safety

Digital Citizenship Curriculum

 

Are you considering an application?

Is the app already approved or denied?

 

You must follow the approval process to request apps for student use. Teachers may research apps they wish to use. Consider the resources below before using a third-party application (website or app). If you feel the app is a good candidate, please follow the approval process listed below or on the Ed Tech webpage.

 

  1. First, ask yourself these questions:
    Checklist for Choosing Tools Worth Your (and Your Students') Time
    Educational App Evaluation Checklist

  2. Second, make sure you understand how the data is being used. To protect student data as well as the security of other district systems, you need to understand the importance of App Vetting. Things to look at include the privacy policy, whether the data is encrypted, whether you can request deletion of data, whether the data is used strictly for educational purposes, whether the data is protected, and whether the app is appropriate for the targeted age group.
    What is App Vetting and Why is it Important?
    Vetting Apps Across the District (RED FLAGS to watch out for)

 

Vetting Process

iPad App Approval Process

iPad App Approval Workflow

 

Data Privacy

Educator's Guide to Student Data Privacy

Protecting Student Privacy While Using Online Educational Resources

Privacy Basics - Facebook

Privacy Basics - Twitter

 

Laws, Regulations and Standards

COPPA 101

FERPA 101

ISTE Standards for Modeling Digital Citizenship

 

Ransomware

Ransomware References for IT Staff

Ransomware References for Teachers and School Administrators
