Budget-Friendly Cybersecurity Annex Compliance Resources

Article

On Sept. 23, 2024, the Texas School Safety Center (TxSSC) will open the online portal for school districts to submit their EOP Basic Plan and Cybersecurity Annex for review. Both annexes must be submitted by October 23. The annex is a new requirement, and we understand school staff might have questions. This is the third in a three-article series that offers guidance and resources to help members comply.

  • The first article provides an overview of the cybersecurity annex requirement.
  • If your district is early in the process of creating its annex, see our second article for guidance on prioritizing your work.
  • In this article, we share free and low-cost resources that will help you create a compliant cyber annex without breaking the bank.

Prevention

These checklist items describe actions taken to prevent a cybersecurity incident.

Conduct annual training for the district cybersecurity coordinator – CS6 (D)

Elected and appointed officials and the designated district cybersecurity coordinator must complete annual cybersecurity awareness training. The board and the coordinator may also choose staff members who need to complete the same training.

These courses meet the state’s cybersecurity training requirement:

Note: Cybersecurity awareness training is not required for everyone, but the Fund recommends districts train all employees.

Conduct a cyber risk assessment – CS7 (ND)

Cyber risk assessments help districts uncover and address gaps in their digital defenses. The Texas Education Agency (TEA) and DIR can provide a cyber risk assessment at low or no cost.

Install and configure host-based firewalls – CS8 (ND)

A firewall monitors incoming and outgoing network traffic and prevents unauthorized access. DIR offers low-cost managed Firewall and Next-Gen Firewall (NGFW) services.

Endpoint detection and response (EDR) software – CS9 (ND)

EDR allows for swift detection of and response to suspicious activity by continuously monitoring and analyzing endpoint devices in real time. If your organization has an enrollment of less than 15,000 students, you are eligible for no-cost EDR through TEA and DIR. You should initially target servers and devices used by central office staff. Distribute remaining EDR licenses among other staff devices that have access to sensitive data.

Employ backup solution – CS10 (ND)

Backups protect against data loss due to hardware failures, cyberattacks, and natural disasters. By regularly creating copies of critical data and systems, organizations can quickly restore systems and minimize downtime in the event of an incident. DIR offers a low-cost backup solution. CISA recommends considering no-cost options such as Windows Auto-Backup or Google Backup & Sync.

Test the backup solution – CS11 (ND)

Testing verifies that backup processes are working correctly, and that data can be restored promptly in the event of an incident. If you lack staff resources to test your backups, consider low-cost options available through the DIR managed security services program (MSS).

Mitigation

These checklist items describe actions taken to eliminate or reduce the loss of life or property from a cybersecurity incident.

Conduct continuous vulnerability scans on Local Education Agency (LEA)-owned devices – CS12 (ND)

If your organization has an enrollment of less than 15,000 students, you are eligible for free EDR through TEA and DIR. This service meets the requirement for continuous vulnerability scans. Additionally, the Multi-State Information Sharing and Analysis Center (MS-ISAC) offers continuous scanning at no cost through its 24x7x365 security operations center (SOC).

Provide updates on LEA-owned systems – CS13 (ND)

Updates can be managed in a variety of ways. You could assign manual updating to an in-house member of your IT team, automate your updates via a patch/update server, or turn them over to a managed security provider. If you lack the capability to update systems in-house, consider using a discounted provider through the DIR MSS portal.

Separate student networks – CS14 (ND)

Some districts have a unified network that does not separate sensitive information from student networks or public Wi-Fi, including public-facing wall ports. Your IT team should be able to easily segment your network and configure port security on public-facing wall ports. Fund members with cybersecurity coverage can reach out to us with questions.

Apply the Principle of Least Privilege (PoLP) for employees – CS15 (ND)

The PoLP means employees should only have access to the data, resources, and applications they need to do their jobs. Following the PoLP helps prevent employees from installing malicious software. Leverage these trainings and resources to manage privileges in your network.

Require authentication tools – CS16 (ND)

Multi-factor authentication (MFA) is one of the most critical components of your organization’s cybersecurity. In fact, it is increasingly common for coverage providers to consider whether an organization has MFA when evaluating whether to offer coverage or increase coverage limits. Most operating systems have built-in, no-cost MFA capability. If you are a Fund member with cybersecurity coverage and you need help configuring MFA, please contact us.

Close or block network ports that are not in use – CS17 (ND)

Open ports can serve as entry points for cybercriminals to exploit vulnerabilities and gain unauthorized access to systems. By closing ports that are not in use, your district makes it harder to breach the network. DIR can provide low-cost port-scanning services. Similarly, CISA provides free port scanning via their Cyber Hygiene Services, which can help your organization close unused ports as well as ports serviced by accounts using default usernames and passwords.

Preparedness

These checklist items describe actions taken to increase the level of readiness for a cybersecurity incident.

Annual cybersecurity training plan for employees and students – CS18 (ND)

Cybercriminals often target employees who have the least technical expertise. Though the state only requires your cybersecurity coordinator and elected and appointed officials to complete annual training, it is highly recommended that all staff members attend cybersecurity awareness training.

Cyber incident response plan – CS19 (ND)

A cyber incident response plan provides a structured approach to identifying, containing, and eliminating threats, and ultimately minimizing damage and downtime. Clearly defined roles, responsibilities, and procedures facilitate a swift and coordinated response, reducing confusion and delays. If your organization lacks the resources to develop its own cyber incident response plan and you do not have coverage with the Fund, DIR has a CIRT that can provide you with no-cost support.

Test and update incident response plans – CS21 (ND)

Having a response plan is a strong first step. Testing the plan ensures all stakeholders know their role and are ready to respond during an emergency. Tabletop exercises (TTXs) are a great way to ensure your plan addresses the universe of emergencies the district could face. Fund members can reach out to us for more information and support in conducting a TTX. Districts can also get support from CISA.

Network use agreement – CS22 (ND)

A network use agreement or acceptable use policy (AUP) can go a long way to ensure staff and students use technology appropriately. DIR offers a free template you can use or refer to if you haven’t developed your own.

Business continuity plans for essential departments – CS23 (ND)

A business continuity plan (BCP) provides a framework for responding to disruptions such as natural disasters, cyberattacks, and system failures. BCPs help your organization minimize downtime by outlining procedures for emergency response, communications, and recovery. FEMA has a no-cost training video and template to help your organization learn more and create a BCP to manage crises.

Questions

By leveraging these available low-cost and no-cost resources, organizations can meet the requirements of the cyber annex while adopting best practices to safeguard data and networks.

As always, Fund members with Privacy and Information Security coverage can count on support from our team. Contact TASB Privacy and Cyber Risk Consultant Lucas Anderson at 800-482-7276, x2893 or lucas.anderson@tasb.org.

Lucas Anderson
Privacy and Cyber Risk Consultant

Lucas Anderson joined TASB Risk Management Services in 2019, bringing more than a decade of experience in cybersecurity, network administration, and information technology. He advises districts on preemptive mitigation against ongoing and emerging cybercriminal threats targeting the education sector, as well as cybersecurity-related regulatory compliance.

Over his career, Anderson has supported public and private organizations, including Booz Allen Hamilton, the White House Office of Management and Budget, the Department of Defense, and the Texas Association of Counties.