2025DPSS

So, how bad could it be?  This engaging keynote session will cover the ins and outs of the August 2019 ransomware attack that impacted 23 local government entities across the state of Texas.  The Lone Star State responded in kind by activating the statewide incident response plan, which had been developed over the prior two years and spot-tested across a number of other incidents and exercises.  

You will hear the good, the bad, and the ugly on how the plan worked and how it was able to clean up this large-scale incident and get operations restored across the board in just 8 days for under $300,000, without paying any ransom. The takeaways will go beyond just what it’s like to respond to a large incident and will show how taking a holistic approach to security enables an organization to not just be more resilient but be better and more effective across the board.

Learn how to be a “Rock Star DPO” for your district. The session will cover Ed Law 2-d Part 121 best practices and the steps DPOs can take to earn “Rock Star” status. The audience for this session can include newly appointed DPOs or DPOs that would like a refresher.

This session provides attendees with a panel of 5 DPO's from around the state that will be discussing the best practices they have put into place for 2024-25.

Learn how to respond quickly and effectively to phishing attempts, with a focus on system responses (with an emphasis on Google) and follow-up actions beyond the system. This session will introduce the FLARE framework (Find, Lock Down, Alert, Review, Evaluate) to guide you through immediate actions during an attack and post-incident improvements.

The 12 Regional Information Centers (RICs) have been working in partnership with NYSED to develop a new centralized and standardized structure to support districts in accessing Data Privacy Agreements (DPAs).  Using this structure, educational agencies will be able to piggyback on existing DPAs with vendors that include terms to address the Family Education Rights and Privacy Act (FERPA), New York State Education Law Section 2-d (Ed Law 2-d), and other data privacy requirements.  Additionally, agencies will be able to submit requests to the RICs to initiate the negotiation of new DPAs.  This panel session will support technology leaders, administrators, and other interested stakeholders in learning more about this structure.

Dr Patrick Kiley-Rendon, Technology Director of West Islip will discuss his district's experience working with CISA and their free Incident Response Tabletop service and will share the good work his team is doing around cybersecurity and data privacy.

Discover how the Data Protection Officer at Honeoye Central School District is working to create a culture of data privacy and security through fun and engaging professional development. Toss out that boring computerized training and discover interactive, gamified approaches that make learning about data privacy both enjoyable and effective. From team challenges to scenario-based simulations, we’ll explore creative ways to keep staff engaged while reinforcing critical privacy practices. Join us to learn how to build a proactive, security-conscious environment where data protection is a shared responsibility and staff is motivated to play their part.

You will learn what Disaster Recovery (DR) is and how it relates to Business Impact Analysis (BIA), Business Continuity Planning (BCP), and Incident Response (IR). This session will explore how these components work together to minimize downtime, protect critical assets, and ensure operational resilience in the face of disruptions.

A gamified cybersecurity tabletop simulation where you roll the dice, battle cyber threats, and defend critical data in this interactive tabletop adventure where strategy and quick thinking determine your fate! 

In today’s digital landscape, educational institutions are increasingly targeted by cyber threats, making it critical to have a well-prepared response plan. This presentation will explore the comprehensive response to the recent PowerSchool data breach, detailing the steps taken to mitigate risks, communicate transparently, and strengthen cybersecurity practices.

This session will provide a real-world case study on navigating cybersecurity challenges in education and will offer actionable strategies for improving response times, vendor accountability, and data security policies. Whether you are a technology leader, administrator, or IT professional, this presentation will equip you with the knowledge and tools to better protect your institution from future cyber threats.

Join us for an in-depth workshop where educators, administrators, and IT professionals come together to navigate the complex landscape of data retention in schools. In an era where data plays a crucial role in decision-making and accountability, understanding what records to keep, which ones to discard, and the potential repercussions of data mismanagement is vital.

During this engaging session, we will cover:
- Essential Records: Identifying the types of data that are legally required to be retained and best practices for storing them securely.
- Data Disposal: Learning about effective methods for safely disposing of data that is no longer needed, and understanding the risks of improper disposal.
- Legal and Ethical Considerations: Exploring the legal obligations and ethical considerations surrounding data retention and how to ensure compliance with relevant regulations.
- Real-World Examples: Examining case studies of schools that faced challenges due to poor data retention policies and what we can learn from their experiences.
- Practical Strategies: Developing actionable strategies for creating a robust data retention policy tailored to your school's unique needs.

Equip yourself with the knowledge and tools to make informed decisions about data management and safeguard your school from potential data-related pitfalls. Whether you're looking to update your current practices or establish new protocols, this workshop will provide valuable insights and practical guidance.

Let's demystify data retention and ensure your school's data is managed effectively and responsibly!

I will take my notes, presentations, and questions from DPOs from around the State for the past 4 years and compile them into a concise toolkit comprised of 10 skills a DPO should have: 5 things that are a low bar threshold must-have and 5 things to strive for as best practices. The presentation will focus heavily on 8 NYCRR Part 121 requirements. Group participation encouraged!

We will provide a summary of the data security review and things we recognized the good, the needs improvement, and what's next on the horizon.  We'll discuss some pain points we are seeing in the field and provide some suggestion on different pathways.

Just like in the gym, building strong cybersecurity practices requires consistent training, accountability, and the right workout partners. In this session, we’ll break down how our district approaches data privacy as a team effort—leveraging NIST gap analysis, staff training, incident response planning, and cybersecurity tabletops to build resilience. Learn how to spot risks before they become breaches, develop a training regimen that keeps staff engaged, and flex your security muscles with real-world exercises that strengthen data protection across schools.

This session will provide an overview of the implementation a Student Data Privacy PIN system in the Buffalo Public Schools. We will discuss the overall need for implementing the system, process for creating secure PINs within the SIS, educating staff on use, communicating with stakeholders, and going live with the system to share the opportunities and challenges from our experience to strengthening student data privacy across the district.

In an era where cybersecurity threats are ever-evolving, school leaders play a crucial role in safeguarding their institution's digital assets. This session will empower educational leaders with the knowledge and tools needed to implement the NIST Cybersecurity Framework (CSF) effectively within their schools.

Participants will explore the leadership strategies required to align cybersecurity initiatives with educational goals, foster a culture of security awareness, and ensure compliance with regulatory standards. Through practical insights and actionable strategies, attendees will learn how to lead their institutions in adopting the core functions of the NIST CSF to build a resilient cybersecurity posture.

Key Takeaways:

- The role of leadership in driving cybersecurity initiatives
- Strategic implementation of the NIST CSF in educational environments
- Best practices for fostering a culture of cybersecurity awareness
- Tools and resources to support ongoing security improvements

Join this session to discover how proactive leadership can make cybersecurity an integral part of your school's success.

In a digitally inclusive learning environment, security is paramount to ensure equitable access and safety for all students. Join representatives from NYS School Districts and Arctic Wolf for a comprehensive session on enhancing school security through advanced threat intelligence. This session will explore how K-12 schools can leverage cutting-edge threat intelligence solutions to protect students, staff, and data from increasingly sophisticated cyber threats. Join us in a discussion on best practices, case studies, and effective collaboration between schools and security vendors to create a resilient, inclusive digital learning environment. 

Participants will gain insights into:
- Real-world Threats and Challenges in K-12: Learn about the unique security challenges facing schools and the importance of protecting student data in inclusive digital environments.
- Threat Intelligence Strategies: Discover how Arctic Wolf’s threat intelligence services help identify, prevent, and mitigate cyber threats, providing a proactive stance in safeguarding student data and ensuring safe digital learning experiences.
- Building a Culture of Security Awareness: Explore ways to foster a security-first mindset among staff and students, ensuring everyone plays a role in protecting school digital resources.

The DPO as a Cyber Guardian defends organizations against cyber threats using the NIST Cybersecurity Framework and zero-trust principles. They combat phishing attacks, enforce MFA, and promote continuous monitoring to safeguard sensitive data. Beyond compliance with Ed Law 2d, FERPA, and COPPA, they foster a culture of cybersecurity awareness, ensuring resilience in an evolving threat landscape.

In an effort to integrate security and privacy-focused thought processes throughout everything we do, we introduced a focused "Executive Cybersecurity Tabletop Exercise" format in our Data Protection Officer training sessions this year, which were also presented to district superintendents.  We have found these sessions a great way to fast-track collaborative problem-solving sessions around cybersecurity with experienced IT and leadership professionals.  In this session we will talk about the need for executive tabletop exercises, the protocol for conducting the exercise, and walk the audience through a sample tabletop cybersecurity exercise.

Learn about the partnership between Nassau RIC and three local school districts, Plainview-Old Bethpage CSD, Jericho UFSD and Franklin Square UFSD, to implement encrypted email solutions. This presentation showcases how our collaborative approach led to the successful adoption of secure communication tools that protect sensitive data while meeting the needs of all stakeholders.

A panel of three districts and a RIC will discuss how they use four different cybersecurity solutions to improve their security posture, simplify day-to-day IT management and stay within limited budgets.  We plan to spend roughly ten minutes on each topic... there will be useful tidbits for all security and IT people.

Richard Fisher - Highland CSD - Secure Networking - managing a security environment and wired/wireless network as a single converged infrastructure

David Kajdasz - WNYRIC - hear how WNYRIC protects roughly 70 districts and 100,000 mailboxes (email is still the #1 attack vector)

David Hines - Shenendehowa CSD - He'll discuss his experience and the value of implementing a SIEM to help protect a district of almost 10,000 students

Michelle Kreiger - Lake Shore CSD - Security Awareness Training - this is a *FREE* 3-year service Fortinet provides to K-12

Good morning, Cyber Guardians! As we kick off Day 2, grab your coffee and join us for an energizing morning briefing on the present and future of NYS K-12 data privacy and security. Our experts will unpack the biggest challenges districts face, discuss the evolving cybersecurity landscape, and share mission-critical strategies to protect student data.

Whether you're looking for fresh insights or a burst of inspiration to power through the final day, this session will set the tone for a future-ready approach to data protection.

With Louise DeCandia, Chief Privacy Officer of NYSED  
Crystal Wilson, Cyber State Coordinator from CISA  
Ramah Hawley, Director of The Education Cooperative's Student Data Privacy Alliance (TEC SDPA)
Linnette Attai, President of PlayWell, LLC 

Facilitated by Mike Doughty, Ed.D

Protecting your online school accounts is crucial in this day and age. This workshop will approach the issue from a "in the trenches" mentality.

This presentation offers strategies and insights for enhancing security across school districts. Designed for educational leaders, this session emphasizes practical tools and methods to safeguard sensitive data, align with compliance requirements, and foster a secure environment for staff and students alike. The session focuses on upgrading security practices by examining and improving how we manage staff throughout their employment lifecycle. Presentation at esmschools.org/oconnor

Step into the world of cybersecurity response with The Game of CIRP! This interactive tabletop experience takes teams through the key phases of a Cybersecurity Incident Response Plan (CIRP)—from preparation to recovery. Navigate real-world scenarios, tackle unexpected challenges, and make critical decisions that shape your team’s success. Earn points for strong strategies, but beware—some choices come with risks! Learn, strategize, and compete to see who can best manage a cyber incident. Are you ready to play, plan, and protect?

You can't manage PII if you don't know what files in your staff drives contain PII.  Learn with us as we navigate the use of File Sensitivity Labels and DLP (Data Loss Prevention) rules within the Google ecosystem to better manage the sensitive data in your district.  

Once your district has developed a New Software Request Protocol or Process, what are positive and effective strategies for integrating the A4L SDPC Resource Registry into the workflow? Holland Patent Central School District has worked with MORIC to develop and implement a process that leverages the new registry to benefit the requester and the review committee. The process allows for a more efficient and timely turnaround of requests that answer the key questions we all must ask:

- What is the educational value of this resource?
- Who will be the primary users and how will it impact them?
- How will the resource be effectively supported by and for our staff?
- How is this software unique to district-approved software that may have similar functionality?
- What are the procurement options?

The latest version of the NIST CSF--NIST CSF 2.0--was released last year. This presentation will cover all of the changes in the NIST CSF 2.0 and how school leaders can use the framework to make improvements to their cybersecurity programs.

This presentation explores responsible AI implementation in K-12 education, focusing on enhancing learning while protecting student data. Topics include the benefits and risks of AI, best practices for data privacy and security, compliance with legal standards, and practical AI applications that ensure student privacy. Learn how to use AI responsibly to create a safe and effective educational environment.

In today’s digital landscape, safeguarding sensitive data and maintaining secure networks require a collective effort from all stakeholders within an educational agency. This session will explore how Data Protection Officers can conduct departmental security reviews to assess compliance with laws, regulations, and best practices. Attendees will gain insights into effective strategies for evaluating security protocols, identifying vulnerabilities, and fostering a culture of data protection across all departments.

In recent years, there has been an intensified focus on cybersecurity within the K-12 educational sector, driven by local, state, and federal agencies. Notably, between 2023 and 2024, several pivotal reports have been released, offering strategic guidance tailored to the K-12 environment:

- “Protecting our Future: Partnering to Safeguard K-12 Organizations from Cybersecurity Threats” by the US Department of Homeland Security and Cybersecurity and Infrastructure Security Agency (January 2023)
- “K12 Digital Infrastructure: Defensible and Resilient” by the US Department of Education (August 2023)
- “K12 SIX Essential Cybersecurity Protections: 2022-2023/2023-2024” by K12 SIX (Annually)
- “Cybersecurity Guidance for K-12 Technology Acquisitions” by CISA (August 2023)

These documents converge on a set of best practices and core principles for the K-12 cybersecurity landscape. While the recommendations are essential, translating them into practice within diverse organizational cultures and political climates presents challenges.

Our session will outline effective strategies for implementing these recommendations and securing executive-level support to enhance cybersecurity postures. We will share insights from the West Irondequoit Central School District’s journey from policy to practice.

Synopsis: This session will guide attendees through the West Irondequoit Central School District’s transition from theoretical frameworks to actionable cybersecurity measures. We will explore the implementation of key recommendations from seminal reports such as “Protecting our Future” and “K12 Digital Infrastructure,” and discuss their integration with the NIST CSF 2.0 and CISA CPG frameworks.

Participants will leave equipped with immediate and long-term strategies for cybersecurity enhancement. Our discussion will cover:

- MFA Implementation: Overcoming cultural and political hurdles to deploy Multi-Factor Authentication among staff and students.
- Password Policy Evolution: Strengthening security while fostering a cybersecurity-aware culture.
- Backup Systems: Securing executive support for robust backup solutions, including navigating managed backups and testing.
- Network Hardening: Updating network access controls and revising longstanding guest network policies.
- Vulnerability Management: Utilizing CEVs and cybersecurity partnerships to address vulnerabilities and establish a patching schedule.
- Vulnerability Scanning and Penetration Testing: Obtaining leadership backing for Managed Detection and Response (MDR) and penetration testing, with a focus on remediation prioritization.
- Documentation and Drills: Developing and testing Incident Response Plans (IRPs), Disaster Recovery Plans (DRP), RunBooks, Business Continuity Plans (BCP), Business Impact Analyses (BIA), Data Flow Charts, and more.
- Additional Security Measures: Sharing further strategies developed throughout our cybersecurity journey.
This session promises to provide valuable insights and practical approaches for advancing cybersecurity initiatives in the K-12 sector.

The NIST Govern function is one of the six core functions outlined in the NIST Cybersecurity Framework (CSF). It focuses on establishing and maintaining governance structures and processes to manage cybersecurity risks within an organization effectively. Learn how to establish and run a Cybersecurity Governance Committee that formalizes the involvement of your executive team and other stakeholders in the decision-making process.  This committee will help raise awareness of and provide valuable feedback on your policies and practices and will also help to identify and manage all organizational risks.  This awareness and involvement will help to build support for your budgetary needs.

Enhance your organization's resilience by evaluating and strengthening its readiness to tackle a Business Email Compromise (BEC) incident—focusing on swift detection, effective response, and seamless recovery to minimize impact and safeguard critical operations.

Join us for a deep dive into a recent real-world cyber incident where attackers methodically infiltrated a network, established persistence, exfiltrated data, and actively attempted to lock administrators out of their own systems in an attempt to take over an entire network. Join Joshua Becker, Assistant Director at the Central New York Regional Information Center and Paul Marco, Co-Founder TALAS Security for an eye-opening session, tailored for K-12 technology leaders, as we will walk through each phase of the attack, from the initial social engineering scheme to the final extortion attempt, demand and negotiation. Learn critical indicators of compromise related to this particular attack, response actions, and proactive strategies to fortify your district's cybersecurity posture. Don't miss this opportunity to gain firsthand insights from a live breach and actionable steps to protect your network.

RIC One DPSS Conference Bootcamp Registration