Texas Cybersecurity Framework

 

The Texas Cybersecurity Framework is a self-assessment to determine cybersecurity risks. This sample is populated with examples of how to rate yourself based on the 6 levels identified at the bottom of the first tab (SAMPLE TCF). Once you have rated yourself in all 40 objectives, the graph will help you determine the highest risks and prioritize them for mitigation. The roadmap will help identify the processes and documentation needed to reach 3.0 in each objective.

For each Cybersecurity objective, update columns D through I with the agency's self-assessment as to percentage (in whole numbers) of the organization that meets the DIR standard for maturity.

Column K tabulates the entries' "points" and normalizes the 6 grade levels that reflect the maturity score for the Cybersecurity objective.

Column L converts the objectives' points to the CMMI scale.

Cyber Advisory: New Type of Cyber Extortion/Threat Attack

Summary

Schools have long been targets for cyber thieves and criminals. We are writing to let you know of a new threat, where the criminals are seeking to extort money from school districts and other educational institutions on the threat of releasing sensitive data from student records. In some cases, this has included threats of violence, shaming, or bullying the children unless payment is received.

These attacks are being actively investigated by the FBI, and it is important to note that none of the threats of violence have thus far been judged to be credible. At least three states have been affected.

How to Protect Yourself
The attackers are likely targeting districts with weak data security, or well-known vulnerabilities that enable the attackers to gain access to sensitive data. This may be in the form of electronic attacks against school/district computers or applications, malicious software, or even through phishing attacks against staff or employees.

IT staff at schools/districts are encouraged to protect their organizations by

  • conducting security audits to identify weaknesses and update/patch vulnerable systems;
  • ensuring proper audit logs are created and reviewed routinely for suspicious activity;
  • training staff and students on data security best practices and phishing/social engineering awareness; and
  • reviewing all sensitive data to verify that outside access is appropriately limited.

What to Do if This Happens to You
If your organization is affected by this type of attack, it is important to contact local law enforcement immediately. It's not mandatory, but if you are an affected K12 school, please contact us at privacyTA@ed.gov so that we can monitor the spread of this threat. Additionally, the Privacy Technical Assistance Center (PTAC) website contains a wealth of information that may be helpful in responding to and recovering from cyber attacks.

While this new threat has thus far been directed only to K12, institutions of higher education should know that they are required to notify the Office of Federal Student Aid (FSA) of data breaches via email pursuant to the GLBA Act, and your Title IV participation and SAIG agreements.  Additional proactive tools for institutions of higher education are available at our Cybersecurity page on ifap.ed.gov.

Data Breach or PII Exposure Exercises

The following two exercises ask you to consider the appropriate actions to take in the event of a data breach or personally identifiable information (PII) exposure. After reading each slide, consider your next course of action, and list the steps you'd take. Then, move to the next slide.

Questions and Considerations for Cloud Providers

If your district is considering moving its data to a cloud provider, there are some basic questions to ask in order to determine if this host environment can safely and effectively store your sensitive data.

HEISC Tool

The EDUCAUSE HEISC assessment tool was created to evaluate the maturity of higher education information security programs using as a framework the International Organization for Standardization (ISO) 27002:2013 "Information Technology Security Techniques. Code of Practice for Information Security Management."

This tool was intended for use by an institution as a whole, although a unit within an institution may also use it to help determine the maturity of its individual information security program. Unless otherwise noted, it should be completed by the chief information officer, chief information security officer or equivalent, or a designee. There are a total of 101 questions. On average it takes about 2 hours for an information security officer or equivalent familiar with their environment to complete this tool.

The self-assessment has been designed to be completed annually or at the frequency your institution feels is appropriate to track maturity. The assessment tool uses the ISO 21827:2008 framework for scoring maturity, which scales from 0 to 5, with 5 being the highest level of maturity:

0. Not Performed
1. Performed Informally
2. Planned
3. Well Defined
4. Quantitatively Controlled
5. Continuously Improving

Answer each question by selecting the appropriate level of maturity, 0–5. Each ISO section will be added up then averaged to provide a maturity assessment for the given section.

 

 

District Tools: NDA Sample and Information Security Policy Template

Cybrary Information: Free Cybersecurity Training

You can improve your cybersecurity awareness through free educational resources.

Cybersecurity is quickly evolving. Keep your team a step ahead by developing their skills.

Cybrary provides

  • access to Cybrary's complete course library with more than 2,000 lessons,
  • learning paths for learning outside the classroom, and
  • reporting tools to track course completions and site usage.

Visit Cybrary to view the complete topic catalog.

 

Texas Education Agency Correspondence on Cybersecurity

The following Texas Education Agency Correspondence documents have been posted to the TEA website:

8/17/2018 Cybersecurity Tips and Tools Webinar Series—Fall 2018
1/3/2019 Cybersecurity Tips and Tools Webinar Series—Spring 2019
2/20/2020 Update on HB 3834 (86th Texas Legislature)