2025DPSS

Good morning, Cyber Guardians! As we kick off Day 2, grab your coffee and join us for an energizing morning briefing on the present and future of NYS K-12 data privacy and security. Our experts will unpack the biggest challenges districts face, discuss the evolving cybersecurity landscape, and share mission-critical strategies to protect student data.

Whether you're looking for fresh insights or a burst of inspiration to power through the final day, this session will set the tone for a future-ready approach to data protection.

With Louise DeCandia, Chief Privacy Officer of NYSED  
Crystal Wilson, Cyber State Coordinator from CISA  
Ramah Hawley, Director of The Education Cooperative's Student Data Privacy Alliance (TEC SDPA)
Linnette Attai, President of PlayWell, LLC 

Facilitated by Mike Doughty, Ed.D

Protecting your online school accounts is crucial in this day and age. This workshop will approach the issue from a "in the trenches" mentality.

This presentation offers strategies and insights for enhancing security across school districts. Designed for educational leaders, this session emphasizes practical tools and methods to safeguard sensitive data, align with compliance requirements, and foster a secure environment for staff and students alike. The session focuses on upgrading security practices by examining and improving how we manage staff throughout their employment lifecycle. Presentation at esmschools.org/oconnor

Step into the world of cybersecurity response with The Game of CIRP! This interactive tabletop experience takes teams through the key phases of a Cybersecurity Incident Response Plan (CIRP)—from preparation to recovery. Navigate real-world scenarios, tackle unexpected challenges, and make critical decisions that shape your team’s success. Earn points for strong strategies, but beware—some choices come with risks! Learn, strategize, and compete to see who can best manage a cyber incident. Are you ready to play, plan, and protect?

You can't manage PII if you don't know what files in your staff drives contain PII.  Learn with us as we navigate the use of File Sensitivity Labels and DLP (Data Loss Prevention) rules within the Google ecosystem to better manage the sensitive data in your district.  

Once your district has developed a New Software Request Protocol or Process, what are positive and effective strategies for integrating the A4L SDPC Resource Registry into the workflow? Holland Patent Central School District has worked with MORIC to develop and implement a process that leverages the new registry to benefit the requester and the review committee. The process allows for a more efficient and timely turnaround of requests that answer the key questions we all must ask:

- What is the educational value of this resource?
- Who will be the primary users and how will it impact them?
- How will the resource be effectively supported by and for our staff?
- How is this software unique to district-approved software that may have similar functionality?
- What are the procurement options?

The latest version of the NIST CSF--NIST CSF 2.0--was released last year. This presentation will cover all of the changes in the NIST CSF 2.0 and how school leaders can use the framework to make improvements to their cybersecurity programs.

This presentation explores responsible AI implementation in K-12 education, focusing on enhancing learning while protecting student data. Topics include the benefits and risks of AI, best practices for data privacy and security, compliance with legal standards, and practical AI applications that ensure student privacy. Learn how to use AI responsibly to create a safe and effective educational environment.

In today’s digital landscape, safeguarding sensitive data and maintaining secure networks require a collective effort from all stakeholders within an educational agency. This session will explore how Data Protection Officers can conduct departmental security reviews to assess compliance with laws, regulations, and best practices. Attendees will gain insights into effective strategies for evaluating security protocols, identifying vulnerabilities, and fostering a culture of data protection across all departments.

In recent years, there has been an intensified focus on cybersecurity within the K-12 educational sector, driven by local, state, and federal agencies. Notably, between 2023 and 2024, several pivotal reports have been released, offering strategic guidance tailored to the K-12 environment:

- “Protecting our Future: Partnering to Safeguard K-12 Organizations from Cybersecurity Threats” by the US Department of Homeland Security and Cybersecurity and Infrastructure Security Agency (January 2023)
- “K12 Digital Infrastructure: Defensible and Resilient” by the US Department of Education (August 2023)
- “K12 SIX Essential Cybersecurity Protections: 2022-2023/2023-2024” by K12 SIX (Annually)
- “Cybersecurity Guidance for K-12 Technology Acquisitions” by CISA (August 2023)

These documents converge on a set of best practices and core principles for the K-12 cybersecurity landscape. While the recommendations are essential, translating them into practice within diverse organizational cultures and political climates presents challenges.

Our session will outline effective strategies for implementing these recommendations and securing executive-level support to enhance cybersecurity postures. We will share insights from the West Irondequoit Central School District’s journey from policy to practice.

Synopsis: This session will guide attendees through the West Irondequoit Central School District’s transition from theoretical frameworks to actionable cybersecurity measures. We will explore the implementation of key recommendations from seminal reports such as “Protecting our Future” and “K12 Digital Infrastructure,” and discuss their integration with the NIST CSF 2.0 and CISA CPG frameworks.

Participants will leave equipped with immediate and long-term strategies for cybersecurity enhancement. Our discussion will cover:

- MFA Implementation: Overcoming cultural and political hurdles to deploy Multi-Factor Authentication among staff and students.
- Password Policy Evolution: Strengthening security while fostering a cybersecurity-aware culture.
- Backup Systems: Securing executive support for robust backup solutions, including navigating managed backups and testing.
- Network Hardening: Updating network access controls and revising longstanding guest network policies.
- Vulnerability Management: Utilizing CEVs and cybersecurity partnerships to address vulnerabilities and establish a patching schedule.
- Vulnerability Scanning and Penetration Testing: Obtaining leadership backing for Managed Detection and Response (MDR) and penetration testing, with a focus on remediation prioritization.
- Documentation and Drills: Developing and testing Incident Response Plans (IRPs), Disaster Recovery Plans (DRP), RunBooks, Business Continuity Plans (BCP), Business Impact Analyses (BIA), Data Flow Charts, and more.
- Additional Security Measures: Sharing further strategies developed throughout our cybersecurity journey.
This session promises to provide valuable insights and practical approaches for advancing cybersecurity initiatives in the K-12 sector.

The NIST Govern function is one of the six core functions outlined in the NIST Cybersecurity Framework (CSF). It focuses on establishing and maintaining governance structures and processes to manage cybersecurity risks within an organization effectively. Learn how to establish and run a Cybersecurity Governance Committee that formalizes the involvement of your executive team and other stakeholders in the decision-making process.  This committee will help raise awareness of and provide valuable feedback on your policies and practices and will also help to identify and manage all organizational risks.  This awareness and involvement will help to build support for your budgetary needs.

Enhance your organization's resilience by evaluating and strengthening its readiness to tackle a Business Email Compromise (BEC) incident—focusing on swift detection, effective response, and seamless recovery to minimize impact and safeguard critical operations.

Join us for a deep dive into a recent real-world cyber incident where attackers methodically infiltrated a network, established persistence, exfiltrated data, and actively attempted to lock administrators out of their own systems in an attempt to take over an entire network. Join Joshua Becker, Assistant Director at the Central New York Regional Information Center and Paul Marco, Co-Founder TALAS Security for an eye-opening session, tailored for K-12 technology leaders, as we will walk through each phase of the attack, from the initial social engineering scheme to the final extortion attempt, demand and negotiation. Learn critical indicators of compromise related to this particular attack, response actions, and proactive strategies to fortify your district's cybersecurity posture. Don't miss this opportunity to gain firsthand insights from a live breach and actionable steps to protect your network.

RIC One DPSS Conference Bootcamp Registration