K-12 Administrator guide to evaluating edtech vendor security
Discover key steps to select edtech vendors with a cybersecurity focus, bolstering your school’s protection of student data.
In today’s educational landscape, safeguarding student data is paramount. While internal defenses in districts are key, it is also critical to consider how the edtech vendors you work with are prioritizing security measures to protect students and faculty.
The crucial role of edtech vendor security in schools
Edtech vendors play a key role in supporting comprehensive school security. However, for K-12 administrators—particularly those managing tech responsibilities alone—vetting vendors for data security can pose a challenge. Engaging with vendors who struggle to grasp the school’s stringent requirements often leaves administrators hunting for transparent insights into encryption and data storage within complex policies.
To support administrators in this process, this guide offers steps to vet and select vendors with a cybersecurity-focused mindset.
Latest insights into edtech vendor security
Vendor security is an integral part of any school district’s security strategy. Our recent Cybersecure report reveals a new trend: 55% of districts have updated their vendor security requirements in the past two years, with an additional 65% expecting further changes in the coming year. Regular audits and detailed vendor reports greatly bolster a strong cybersecurity approach.
Key steps for evaluating edtech vendors on security protocols
When seeking secure edtech partners, school leaders should prioritize the following essential steps:
Establish clear vetting standards tailored to your school’s policies and priorities.
Rigorously evaluate each vendor against your organization’s benchmarks for the data they are handling.
- Define specific security benchmarks: Develop a comprehensive list of security benchmarks that align with your school’s unique policies and priorities. Consider aspects such as data encryption standards, access controls, incident response protocols, and disaster recovery plans.
- Prioritize compliance requirements: Ensure that the vetting standards address compliance needs, including local, state, and federal regulations related to student data privacy. Align these requirements with the vetting criteria for potential edtech vendors.
- Evaluate vendor capabilities against school policies: Rigorously assess each potential vendor against the established benchmarks. Analyze how well their security practices align with your school’s policies and priorities, emphasizing transparency and accountability in handling sensitive data.
- Customize assessments for different types of data: Tailor the vetting standards to accommodate various types of data handled by vendors. Consider demographic information, academic records, personally identifiable data, and any other sensitive information shared with the vendor.
Every school district should develop the policies and priorities that best suit its own needs. We recommend using rubrics created by neutral third parties, such as:
- CoSN: K-12CVAT: K-12 Community Vendor Assessment Tool
- CoSN: Cybersecurity toolkit on authentication management
- CoSN: NIST Cybersecurity Framework Resources Alignment for K-12
- CoSN + CISA: Online Cybersecurity Toolkit
- CISA: Online Toolkit: Partnering to Safeguard K-12 Organizations from Cybersecurity Threats
Clever has a close partnership with CoSN and we’ll continue to support the creation of neutral third-party rubrics to provide districts with unbiased evaluation sources.
“Vetting vendors for data security has proven difficult, as many don’t understand our requirements and we struggle to get clear answers about encryption and where data is kept. Vendors need to simplify this information rather than hide it in lengthy policies. It’s time for edtech companies to step up and share the responsibility for protecting student data.” – Geoff Jones, Director of Technology, River Valley School
Closely examine vendor privacy and security protocols.
Ask detailed questions about data encryption, access controls, breach responses, logical segregation and other safeguards.
- Data encryption: Do you encrypt data both at rest and during transit? What specific encryption methods do you employ for data at rest? Additionally, what measures do you have in place for data during transit, and do you exclusively use HTTPS across your platform?
- Security practices and audits: Can you provide detailed insights into your security practices? Do you have any external audit reports available for us to review? Additionally, could you elaborate on your vulnerability disclosure program and its specific details? Furthermore, do you conduct an annual penetration test, and would it be possible for us to access the latest version?
- Incident response and recovery plans: What protocols do you have in place for incident response? Could you outline your disaster recovery plan? Moreover, how swiftly do you notify clients in the event of an incident?
Here at Clever, we’re committed to supporting a secure, interoperable digital learning ecosystem. Learn more about our comprehensive security program.
Key insight: According to our latest report, Cybersecure 2024, the most common cybersecurity requirements districts place on vendors include multi-factor authentication (50.5%), data encryption (39%), and role-based access controls (36%).
Conduct ongoing monitoring, reassessing vendor relationships at least annually.
As part of ongoing vigilance in assessing vendor reliability, it’s essential to conduct regular checks, data audits, and control verifications to adapt to evolving risks. Consider the following questions:
- Assessing organizational changes: Has our organization’s tolerance for security incidents regarding student or teacher data changed? Are we increasingly utilizing Software-as-a-Service (SaaS) tools that store data outside our network? Have there been alterations in the type of data we share with vendors, especially concerning demographic data shared with multiple vendors?
- Reviewing edtech vendor security practices and changes: Has the vendor significantly modified how or where they store data? How has the frequency of the vendor’s incident response changed in the last year—has it improved or deteriorated? Have there been notable additions to the vendor’s security features at an accelerated pace?
- Adapting to regulatory and compliance requirements: Have there been alterations in the data protection requirements mandated by local, state, or federal regulations? Additionally, have our cybersecurity insurance prerequisites for data protection changed?
Empowering school leaders: Collaborative responsibility for edtech vendor security
Safeguarding student data is a collective responsibility, not solely incumbent upon school leaders. Edtech vendors must embrace a transformative shift by implementing simple and transparent security protocols to safeguard student information.
By adhering to these crucial steps and advocating for transparent security measures from edtech vendors, school leaders can significantly enhance their school’s security posture and ensure the robust protection of sensitive student data in today’s ever-evolving digital landscape.