Posted Date: 01/20/2022
Members of the Senate Education Committee on Thursday said they want to hear from KASB and other education organizations about what school districts are doing about computer security.
The call for more information followed a briefing on a state audit that found many school districts haven’t implemented basic security controls on their information technology.
“Everyone needs to be on the same page,” said Education Committee Chair Molly Baumgardner, R-Louisburg.
Sen. Gene Suellentrop, R-Wichita, said the audit was a “damning report.” He asked what KASB was doing about it.
Baumgardner suggested holding a followup meeting and inviting KASB, United School Administrators of Kansas, the Kansas State Department of Education and others to discuss how schools are improving their computer security.
Since the audit was released in October, schools districts and officials from KSDE and the Division of Legislative Post Audit have met to discuss ways to tighten security.
LPA Principal Auditor Heidi Zimmerman said schools have heard about the audit results “and were taking it seriously.”
No date was specified for the followup meeting.
Schools maintain sensitive data, such as student grades, disciplinary actions, medical and mental health records and financial information.
Protecting computer information has become more difficult in recent years with IT security incidents at school districts increasing by 18% since last year, according to the K-12 Cybersecurity Resource Center.
To do the audit, LPA staff sent a survey to all Kansas school districts and received responses from 51% of them.
Auditors said many school districts have not implemented basic IT security controls to protect computers or computer networks against unauthorized use or access.
Of those districts that responded:
— 58% do not require security awareness training for their staff at any time;
— 59% do not require confidential data to be encrypted when sending it outside the district’s network;
— 65% do not scan their computer systems for vulnerabilities as often as standards suggest;
— 69% do not have an incident response plan.
Some districts said a lack of funding was keeping them from implementing safeguards, but legislators noted that in addition to increases in state funding, schools also are receiving significant amounts of federal dollars related to COVID-19, although it wasn’t clear if those federal funds could be used for computer security.
Recently, KSDE announced collaborating with districts and development of the publication, “Cybersecurity Guidance and Recommendations for Kansas School Districts.” A K-12 Technology Council is being formed and will be chaired by IT directors who can help provide professional development to all district technology staff members.
KSDE also has developed a security policy template and an example of an acceptable use template. The agency also is developing IT security and data privacy training that will be available to Kansas districts and is in the process of creating a KSDE K-12 Technology webpage.
A video wrap-up of Thursday’s events is here.