This year, the number of cybersecurity incidents at K–12 schools has increased by 30 percent, and schools are now the second highest target for cybersecurity attacks. Coupled with the security talent shortage and the proliferation of technology usage, school systems are facing an overwhelming challenge.
The Texas school system has decided to do something about it. Back in 2019, lawmakers began work on Texas Senate Bill 820, and it was officially signed into law in June. SB. 820 became effective in September 2019.
In this post, we’ll share what the law is, how it will affect your school and district, and how you can respond by selecting a security framework to either start or improve upon your security program.
What is the Texas Senate Bill 820 and how can you prepare?
SB 820 requires each Texas school districts to:
- Adopt a cybersecurity policy
- Designate a cybersecurity coordinator (appointed by the superintendent)
- Report cybersecurity incidents to the Texas Education Agency (TEA) and district families
In our recent webcast on Texas Senate Bill 820, Frosty Walker of the Texas Education Agency explained that the cybersecurity policy must be aligned with the Texas Cybersecurity Framework, which aligns to the federal NIST Cybersecurity Framework. Both the Texas Framework and the NIST framework outline how to address critical security functions (described below), as well as specific actions to execute those functions, such as encryption, vulnerability management, user access, password policies, backups, and vulnerability disclosure policies.
This new law will give the Texas school system greater resilience against cyberattacks, provide uniformity and oversight with a standard policy in place, and establish new processes for reporting and metrics.
How to adopt a cybersecurity policy to respond to Senate Bill 820
So, what do districts have to do to meet the requirements of SB 820? The first step is implementing an organization-wide cybersecurity policy. While the law allows districts to adopt any policy they want, it must not conflict with the Texas Cybersecurity Framework (TCF), which is why the federal NIST framework is a good guide to follow, since it aligns so well.
The TCF details the functions and objectives that are designed to protect organizations from a diverse set of threats. It has five functions (or goals), that cover 40 security objectives. These same functions are shared across many cybersecurity frameworks, including the NIST Framework. To provide a sense of what a TCF-aligned cybersecurity policy will require districts to do, here is some more information on those functions and objectives:
This function encompasses 11 of the TCF objectives. An example of an objective under this function is that the organization must conduct a critical information asset inventory. This requires districts to identify and prioritize information assets so they can match the importance of those assets with the appropriate security protections and ensure the highest-priority ones are safeguarded.
This function encompasses 28 objectives, including asset control to ensure any access to servers, databases, etc. are limited to authorized users only.
This function encompasses three objectives, including vulnerability assessment, or the monitoring and patching of vulnerabilities. Considering the volume of device types, operating systems, and applications, managing and patching devices can be a huge challenge to school districts, which is why more than half rely on patch management controls. However, these controls reportedly have a 56% failure rate, and more than one-third of devices require at least one repair per month. With that said, the impact of this function alone is significant.
This function encompasses two objectives, including cybersecurity incident response. It requires the organization to create an incident response program to track, document, and report incidents that occur to the appropriate officials.
This function encompasses one objective: disaster recovery. It requires the organization to have procedures to get systems back up and operational in the event of loss or damage from a cybersecurity incident.
How to use the Texas Cybersecurity Framework Roadmap
The TCF is supplemented by a roadmap, which provides recommended measures for organizations to fulfill each security objective in the TCF. For example, it explains how to fill Objective #35 under the “Detect” function of vulnerability assessment. The roadmap acts as a guide to help organizations take the steps necessary to have a cybersecurity policy that aligns with the TCF.
The roadmap operates through self-assessment, so organizations are able to determine their own level of compliance and fulfillment of the security objectives. The assessment is evaluated on a scale of 0–5:
If you’re on the cybersecurity team of a Texas school district, there are a couple of resources that will help you begin implementing Senate Bill 820: