G - Parlor B - IT Governance: FERPA, HIPAA, Cybersecurity Compliance & Insurance

Convened by: Ahsan Karim, Director of Technology, The Buckley School

Attending:
 * Jim Anderson / Packer
 * Paul Lee / Gateway
 * Kyle Vitali / ISB
 * Rob Shin / Riverdale
 * David Lang / St. Davids
 * Sarah / Atlis
 * Ahsan / Buckley
 * Jeremy / Hewitt
 * Charles Plizano / Poly Prep

Kyle (ISB) purchased a Travelers cyber security policy because of a concern from the board.
 1. Policy required installing intrusion protection
    a. Currently looking at FortiGate (also looked at Cisco, but it was too pricey)
    b. Buckley & Packer are using Palo Alto
 2. Server (access) audits are required
    a. Tons of logs
    b. Who monitors?
 3. The above components enable a forensic audit if there’s an issue
 4. Does it cover services provided by third parties? (NO)

Policies also provide a benefit if there is a data breach, helping to:
 1. Contact users whose data was compromised
 2. Meet mandated reporting and support requirements related to a breach

Austin & Co. provided the Travelers policy to Poly, Hewitt and Packer too.

Hewitt has scrubbed all SSNs from all their databases (no longer required…)

FAF Forms (??)

Poly found surprising instances of data squirreled away.

Poly suggests Papertrail (cloud-based log parsing)

Many schools use Magnus for student health data

St. David’s hasn’t communicated their efforts to the wider community. It’s happening organically.

Jim / Packer will provide names of consultancies who have supplied Packer with security audit proposals.

Locking down laptops (no admin privs):
 * Poly phishes their own users and leaves thumb drives around the school with self-written viruses as a way to educate users
 * Sharing info about their one ransomware attack helped raise awareness of risks
 * The group expressed concern around third-party solutions which provide apps onto personal devices.
 * The community responded pretty positively (until they can’t do something). Perhaps it’s better to ask forgiveness and just take away admin rights…

More data management is becoming statutory. The software company is only liable for what you owe them for the year. Rubicon Atlas is looking at developing a certification process for cloud apps (like theirs) that would certify the solution.

Getting users to use 2-factor auth has been very difficult.
 * Schools are in a wide variety of places with their 2-factor requirements
 * No one has required it of students
 * Explaining to users that other users’ accounts have been compromised helps (ISB)
 * Poly just turned it on and it wasn’t such a big deal

COPPA
 * St. David’s uses a blanket form
 * Hewitt keeps domain only email through 7th grade
 * Buckley provides email at 6th and limits 6/7 to school only
   * Allowing retrieval of cloud passwords is a pain!

The conversation steered to the challenges around what parents expect schools to provide in terms of limiting student access to the internet. All agreed that student cell phones were a big challenge for schools and parents.

Poly has published videos made with the Academic Dean about “parental control” strategies for parents. Charles said that has been well received by parents.

Packer has published a “Resources for Parents” page on their website.