Using Reasonable Security Practices in K-12 Schools

04 Feb 2025
Eric Muckensturm
IT Strategy Manager, Cybersecurity, Learning Technology Center
Sam Fishel
Digital Content Manager, Learning Technology Center

School districts increasingly rely on technology to deliver instruction, manage student data, and support administrative processes. Given the sensitive data these technologies often collect, this digital transformation has also made schools prime targets for cyberattacks.

Staying ahead of and responding to these digital threats requires comprehensive controls on everything from accounts and email to hardware and networks. Our updated Reasonable Security Practices provide that comprehensive framework through 48 recommended controls – all vetted and aligned with the globally-recognized CIS Controls.

Here are just a few reasons this free cybersecurity resource is a must-have for every K-12 technology team in Illinois:

Protecting Sensitive Student Data

Schools collect and store vast amounts of sensitive information, including personally identifiable information (PII), academic records, and financial data. These types of data are prime targets of cyberattacks, including malware and phishing.

To safeguard this information from unauthorized access or breaches, the Reasonable Security Practices emphasize critical measures like data encryption, access control, data retention policies, and secure disposal practices. With this resource, you can start to build out a data protection plan or supplement an existing plan with up-to-date recommendations.

Compliance with Regulations

Educational institutions must adhere to laws that mandate certain data and digital access controls. Illinois’ Student Online Personal Protection Act (SOPPA), for example, requires schools to implement “practices that…meet or exceed industry standards” and “protect covered information from unauthorized access, destruction, use, modification, or disclosure”.

The Reasonable Security Practices help schools demonstrate compliance while building a strong foundation for data security. Underpinned by the CIS Controls, this resource also provides evidence of adherence to certified cybersecurity best practices.

Alignment with Industry Standards

The Center for Internet Security (CIS) Controls are a set of globally-recognized best practices for securing IT systems and data. They were developed through collaboration with security experts across various industries and sectors. 

The CIS Controls are designed to be comprehensive and prescriptive, helping organizations of all sizes protect themselves against common cyberattacks. This framework is also data-driven, using information from sources like the Multi-State Information Sharing and Analysis Center (MS-ISAC) to identify the most important types of attacks and defensive actions.

Recognizing the value of the CIS Controls in the education sector, the Learning Technology Center developed the Reasonable Security Practices, highlighting the most critical CIS Controls for Illinois school districts to implement. This alignment ensures that the Reasonable Security Practices (now in their second iteration) are adaptable to the specific needs of K-12 institutions. The CIS Controls are also aligned with the NIST Cybersecurity Framework, so recommendations from this resource can be integrated into a broader risk management strategy.

Mitigation of Cyber Threats

Whether it’s students, teachers, or staff, the education sector faces persistent cyber threats due to the value of the data it handles. Mitigating risk from anticipated threats is key to keeping learning environments safe, secure, and productive.

The CIS Controls prioritize effective, actionable security measures to address common risks, such as phishing, ransomware, and unauthorized access. By adopting these controls via the Reasonable Security Practices, schools can strengthen their cybersecurity posture and reduce vulnerabilities on a day-to-day basis.

Business Continuity

Cyberattacks can disrupt instruction and administrative operations, creating widespread challenges for everyone in a school community.

The Reasonable Security Practices include incident response and data recovery strategies to ensure critical systems and data can be quickly restored, minimizing downtime and ensuring continuity in educational and administrative functions.

Actionable and Community-Driven Guidance

The CIS Controls, which serve as the Reasonable Security Practices’ backbone, provide specific implementation steps and recommended tools to simplify the adoption of effective security measures. With this resource in hand, you can start enhancing your cybersecurity practices now, rather than waiting until after a crisis strikes.

Developed and maintained by a community of cybersecurity experts, these controls also remain up-to-date, evolving alongside emerging threats. That ongoing relevance can provide peace of mind for key stakeholders focused on creating durable cybersecurity procedures.

A Roadmap for Reliable Cybersecurity

Prioritizing the safety and security of student data is a fundamental responsibility for everyone involved in education. The Reasonable Security Practices offer a clear roadmap for school districts to implement effective and actionable cybersecurity measures that keep mission-critical data safe and digital learning environments secure.

By embracing these guidelines, K-12 technology departments can confidently protect the sensitive information entrusted to them and ensure that technology empowers, rather than endangers, the educational journey of every student.

More Cybersecurity Connections

Discover more relevant technology and cybersecurity resources like this one during an upcoming Be Connected event. This online networking series also offers open discussions about pertinent topics within Illinois’ technology and IT community.

Eric Muckensturm
IT Strategy Manager, Cybersecurity, Learning Technology Center

Eric provides a multitude of services to help Illinois public school districts improve their overall security posture and maturity, including through the implementation of standards, frameworks, and industry best practices.

Sam Fishel
Digital Content Manager, Learning Technology Center

Sam leads and supports the execution and growth of LTC services through the development and creation of innovative, impactful, and timely digital content.