The Region 3 Education Service Center will provide Cybersecurity services to districts as described in this agreement. The delivery of these services, as described, is contingent upon sufficient funds from contracting school districts. One of the biggest challenges facing IT today is incorporating reliable and effective cybersecurity services, along with the right expertise to ensure end-to-end security. It is important to note, however, that due to the human element, security risks can never be fully mitigated. Due to this fact, the challenge includes finding the right balance in authorizing user access while ensuring no relevant information is made visible. Deploying the full package of Region 3 ESC’s Cybersecurity Services will assist districts in preventing data integrity risks for the sake of convenience in user access. Our Cybersecurity Services can aid in creating a roadmap for districts, offering various models that optimally use solutions to achieve maximum protection against data breaches. Our Cybersecurity Services are flexible enough to accommodate varied sizes of IT infrastructures and district demands.
Districts expressly agree that use of the service is at district’s sole risk. Neither Region 3 Education Service Center nor any of its licensors, employees, or agents warrant that the service will be error free; nor do Region 3 Education Service Center or any of its licensors, employees or agents make any warranty as to the results to be obtained from use of the service. The service is made available on an “as is” basis without warranties of any kind, either expressed or implied, including but not limited to warranties of title or implied warranties of merchantability, non-infringement or fitness for a particular purpose, other than those warranties which are implied by and incapable of exclusion, restriction, or modification under the laws applicable to this agreement. Neither Region 3 Education Service Center nor anyone else involved in creating, delivering or maintaining the service shall be liable for any direct, indirect, incidental, special, exemplary or consequential damages arising out of use of the service or inability to use the service or out of any breach of any warranty. In no event will Region 3 Education Service Center’s liability for any claim, whether in contract, tort or any other theory of liability, exceed the amounts paid by district, if any, for the service for the twelve-month period preceding the event forming the basis of the claim.
SERVICES FOR CONTRACTING DISTRICTS
Roles and Responsibilities of the School District:
- Designate a contact person in each district/other entity
- Agree to pay the Region 3 Education Service Center the appropriate yearly fee for any options selected by the district
- At their sole discretion, implement policies and procedures adopted as the result of participation in this service
- Provide release time for identified teachers and/or administrators to participate in professional development activities, training, required program planning and/or implementation
- Agree to utilize services in accordance with Region 3 ESC’s acceptable use policies
- Provide physical and password access to all equipment related to this contract
Roles and Responsibilities of the Education Service Center:
- Provide the contractually appropriate resources, professional development and/or consulting services to participating districts.
Security Awareness and Online Training – Fully Managed Service
The most effective foundation for information security is a comprehensive security awareness and education program. Because end-users are a district’s first line of defense, it is crucial that all end-users understand the importance of security awareness.
- PhishSim – 200+ frequently updated, real-world phishing templates. Phishing attack simulations include drive-by, data entry, and attachment.
- AwareEd Training Library – Secure LMS with interactive, gamified learning and quizzes, 130+ frequently updated AwareEd training modules, science-backed educational methods, customizable role- and industry-based modules. Module topics include, but are not limited to: Phishing, Malware, Ransomware, Safe Browsing, Mobile Security, Password Security, Privacy and PII, and FERPA.
COST: $4.12 per Learner
Through regular scanning, vulnerabilities can be identified, and recommendations made to assist in the remediation of critical and high priority vulnerabilities. Also, PCI Security Standards dictate that a vulnerability management program be in place for any organization processing credit card information.
- Region 3 will provide any hardware and software necessary to conduct the internal scans.
- Region 3 will provide vulnerability scanning for servers and devices that are accessible over the network, bi-annually, to identify critical and high priority threats.
- Region 3 will provide analysis reports with recommended remediation.
- Region 3 will immediately communicate any critical threats with recommendations for remediation.
District Information Security Policy Development
Texas Senate Bill 820 requires each school district to have an information security policy.
Having set policies/procedures in place can serve to address threats to a network and data; engage all employees by making them active participants in the protection of a network and data; help provide insight into who does what, when, and why; clearly establish who gets access to what in order to ensure need-to-know; and clearly establish the consequences for failing to abide by policy/procedure.
Region 3 will provide a policy template and expertise in evaluation of existing policies and procedures to ensure best practice.
Region 3 will work with district’s administration and technology staff to create a complete Information Security Policy and will assist in a school board presentation if requested.
Areas covered in completed policy:
- Acceptable Use
- Data Classification
- Network Access
- Portable Computing Devices
- Security Awareness Training
- Backup/Disaster Recovery
- Incident Management
- Software Licensing
- Physical Access Security
Information Security Policy – Annual Review
Periodic review of policy is necessary to ensure policy is current. This is especially true with Information Security Policy, as technology changes rapidly. Review of existing policy is also necessary to assess current compliance with policy, and to improve on security practices required by policy.
For districts that have completed the District Information Security Policy Development service with Region 3, this annual review will help ensure that district procedures and processes are meeting policy requirements, as well as improving and updating existing policy to meet current information security needs and address constantly changing issues.
Region 3 will provide current expertise and experience in Information Security Policy to assist the district’s administration and technology staff in reviewing and updating the district’s policy.
Prerequisite: District Information Security Policy Development Service
Information Technology Risk Assessment Service
Risk assessment is a critical function of Information Security. Resources should be directed at protecting the most critical and valuable information assets of an organization.
Region 3 will assist districts in evaluating and ranking the risk of their various Information Technology resources. Region 3 will provide a Risk Assessment Template and expertise in completing the template to help assess the risk level of each component.
Information Technology Risk Assessment – Annual Review
Information Technology resources and priorities are constantly changing. An annual review of a district’s risk assessment is important to re-evaluate and update risk assignments to components of a district’s IT infrastructure and data assets.
For districts that have completed the Information Technology Risk Assessment Service with Region 3, this annual review will help ensure that the district’s risk assessment is current and correct. Region 3 will provide expertise and experience in re-assessing the criticality and importance of each part of a district’s information technology environment.
Prerequisite: Information Technology Risk Assessment Service
Data Classification Consultation
Data Classification is an important step in heightening a district’s security posture. Classifying data is the process of organizing or categorizing data based on the level of impact loss of data would have on the district. Once this process is completed, decisions about storage and transmission of data can be made.
- Region 3 will provide a template for Records and Data Handling Procedures.
- Region 3 will provide Data Classification Catalogs based on the Texas State Library and Archives Commission’s Retention Schedule.
- Region 3 will assist the district in implementation and in creating training materials.
Customization for bundling available options.