
K-12 Data Security Tips from PowerSchool’s Chief Information Security Officer

By Rich Gay, Chief Information Security Officer & VP of Development, PowerSchool

No school or district can be 100 percent safe from cybersecurity attacks. Last year alone, there were 122 data security incidents reported at K-12 schools, according to a recent report by the K-12 Cybersecurity Resource Center. And it’s estimated that many more go unreported in districts both large and small.

That’s the reality. The good news is that there are many ways to be proactive and secure your student and staff information. In this blog, I’ll discuss the issue of K-12 data security, what you can do to improve your privacy and security, and how PowerSchool can help.

Impacts of Cyberattacks

The impact of cybersecurity attacks can be small or large. In education, someone can log into the student information system (SIS) where grades are kept and change grades up or down. Tests and quizzes, including state assessments, can be leaked to the student population, which undermines the integrity of all results. We all know that student grades are an important piece of a child’s development.

On a larger scale, employee data can be in a hosted enterprise resource planning (ERP) system within a school district. That’s the system of record for payroll, addresses, dates of birth, social security numbers, and other personally identifiable information (PII) for staff. If the system gets hacked and someone gets that data, they can then get into bank accounts, or redirect salaries into spurious accounts, which directly impacts the district’s finances. Critical processes like finances and accounting are at risk if you don’t have secure systems in place.

Steps to Improve K-12 Data Security

Based on my experience as a chief information security officer, here are my suggestions for making your staff and student data more secure.

  1. Conduct security audits. A third-party audit has great value for a district to gain a holistic view of how their technology is laid out and to take appropriate actions when needed. Larger districts are starting to operate like Fortune 500 companies and invest in resources to be more secure. But smaller districts often don’t have that ability. An audit will examine processes, procedures, and infrastructure, and educate the district on training needs and IT infrastructure for resiliency.
  2. Adhere to strict criteria when selecting edtech vendors. There are edtech companies of all shapes and sizes. There are large, well-organized companies like PowerSchool that are responsible for safely managing millions of student and educator accounts. And there are small boutiques with a handful of employees who are more focused on building the software and less on its security. It’s important for districts to require security standards and certifications, such as ISO 27001 and use of a Security Operations Center (SOC).
  3. Look at these four key areas: 1) What is the user’s ability to keep data secure? 2) What’s the infrastructure? 3) What are the applications? 4) What are the processes the district uses? An objective assessment of those four things gives insight into where the district’s weaknesses might be.

What PowerSchool Is Doing to Improve K-12 Security

As the largest K-12 edtech company, serving 45 million students, PowerSchool treats every account as a precious information asset. Here are the measures we take to improve your data security and privacy:

  • We depend on a Security Operations Center (SOC). In the old days, school districts had their servers and computers in a backroom closet. The people who owned it also managed it and were responsible for maintenance and security. Now, PowerSchool hosts thousands of customers. Security and maintenance responsibilities are on us as the cloud provider, and we take them very seriously. We depend on an SOC, which is a centralized unit that deals with security issues on an organizational and technical level. An SOC outlines audits, tools, and how we configure our network so we can keep information secure.
  • We are ISO 27001 certified. The ISO 27001 certification outlines standards with annual, third-party audits that come in and evaluate our processes, trainings, and more.
  • We help our customers create standard security audits. This educates them on key questions to ask their vendors. The questions could be at the network level, the browser level, or about the underlying choice of technology that the vendor is using. All of these can affect the security maturity of a vendor. We also educate customers on what they should be looking for in highly secure applications.
  • We have a Customer Security Advisory Board. PowerSchool collaborates with CIOs and security professionals from select districts. We meet regularly to discuss what’s going on in the data security space, what keeps people up at night, and share what we are doing to improve security.
  • We partner with certified companies. When PowerSchool works with hosting vendors like Microsoft Azure and Rackspace, we require them to submit their security specifications. We hold our vendors responsible for maintaining the highest security standards.
  • We focus on our internal security. PowerSchool trains 100 percent of our employees on internal security. When we touch data from a support perspective, or deploy new customers, we want every employee to be accountable and certified in best security practices. All 2,000 of our employees are trained and re-trained in security every year.
  • Security vulnerability tracking. PowerSchool has formal security vulnerability tracking for any time a vulnerability is reported. We have made significant investments in tools that allow us to attack our own applications so we can find issues proactively. We perform static and dynamic scanning of our code, constantly testing for vulnerabilities. Any time one is reported, whether from our internal scanning (static and dynamic) or by a customer or outside entity, we have a formal process for investigating, prioritizing, and addressing it.

PowerSchool is working hard to lead the industry in edtech security. We have the right security professionals, we have scale, and we want to take the discipline of data security even further. We recognize that compared to other industries like finance, healthcare, airlines, and travel, K-12 education has lagged behind in establishing best practices with digital security. At PowerSchool, we are raising the bar and increasing the security of staff and student data to bring K-12 education digital security into the future.

About Rich Gay

As PowerSchool’s Chief Information Security Officer & VP of Development, Rich is responsible for engineering, quality assurance, and hosting operations. Rich has led the PowerSchool R&D team’s substantial improvements in PowerSchool products over the past decade, including technology stack and hosting operations modernization, internationalization, and ability to scale to handle even the largest school districts.

Learn More

Download the free whitepaper, 12 Security Tips That Will Protect Student Data Today. Learn questions to ask every education technology vendor and gain awareness of issues today that could harm your school community.
