NYSED Data Security Audits – How To Be Ready

The New York State Education Department (“NYSED”) is conducting data security reviews/audits of school districts. What does this mean for your district? NYSED will call on selected districts and review your current data security policies and protocols. Pursuant to a memo NYSED issued on January 16, 2024, these reviews will commence this school year.

The memo states that NYSED will rely on National Institute of Standards and Technology (“NIST”) cybersecurity framework (“CSF”) as the framework it has chosen to provide guidance regarding how to attain and maintain a strong data security system and to manage and reduce cybersecurity risks. The NIST CSF 2.0 may be found on NIST’s website and describes the function of CSF in 6 categories: 1) govern (create, establish, communicate, and monitor your policies regarding cybersecurity); 2) identify (understand your cybersecurity risks); 3) protect (safeguards to manage risks); 4) detect (find and analyze possible attacks, and weaknesses); 5) respond (actions to control effects of cybersecurity incidents); and 6) recover (timely restoration of normal operations). When conducting an audit, NYSED will review a district’s current data security controls regarding protecting student, teacher, and principal personally identifiable information stored on district computers.

As part of the review, NYSED will examine policies, including policies on acceptable use for students and staff, procedures to respond to data breaches, recover information, and general data privacy and security.NYSED will review policies or procedures related to passwords (complexity, required changes of passwords, etc.), information regarding cybersecurity that is provided to new employees, procedures designed to ensure cybersecurity when employees leave, privacy and security awareness training provided to students and staff, backups in place in case of a breach, and patch management in case of a breach.NYSED will also look at district contracts with third parties and how those may affect cybersecurity for the district. Such a review could include a review of all Education Law 2-d policies and procedures, a review of what data is shared with third parties, how the data is shared with third parties, and where data is stored by the district, among other things.

If NYSED identifies your district for a cybersecurity review, involve relevant persons in collecting data in advance of the review, including but not limited to the superintendent, director of information technology, the data protection officer, a business official, and perhaps a BOCES/RIC liaison. There also may be times when the inclusion of the district’s attorney would be advisable, particularly if there are a number of third-party contracts. Although NYSED’s memo does not address what may happen if the NYSED information security office determines the district to lack sufficient policies and procedures, it is likely that NYSED will issue a corrective action plan, including dates by which the district will be required to implement necessary policies and procedures and a process by which documentation of the recommended changes is provided to the Information Security Office.

If you have any questions about the process or have been contacted by NYSED’s Information Security Office to arrange for a data security review and have questions or would like assistance, please contact our office.