Education Law 2-D/Part 121 Compliance Management Solution
The Monroe Regional Information Center (Monroe RIC) was seeking a solution to help streamline the implementation and management of regulatory mandates to protect student and faculty data privacy for itself and its component districts.
Challenge
Education Law 2-D and the adoption of its implementation regulation, 8 NYCRR Part 121, present challenges for New York state school districts: they must both meet the expectations of the mandate and demonstrate ongoing compliance with the law. Defining policy and identifying controls to fulfill the law is difficult and potentially costly. Additionally, the process of continually demonstrating compliance takes significant time and resources. Left unguided, each district may struggle with a highly unstructured and inefficient approach to compliance.
Monroe RIC wanted to provide a solution that would create a standard compliance program for districts throughout the region while allowing for individual district customization. Understanding that supporting 21 unique compliance programs created significant operational challenges, Monroe RIC sought a software platform that could facilitate the definition, documentation and assessment of Ed Law 2-D programs based on industry standards. They also envisioned tying this software platform to services the RIC could embed into a CO-SER-based data security offering. Once the districts accepted the strategy, Monroe RIC began to evaluate options to achieve this solution.
Solution
Caetra.io’s CyMetric software platform is uniquely positioned to address all of the challenges of Education Law 2-D while supporting the vision of Monroe RIC:
- Defines policies and controls that meet not only the legal requirements of various laws but also recommends the required NIST-based technical functions and procedures needed to protect information assets, including the additional controls addressing vendor management and individual participation and privacy
- Provides the mechanism to assess controls to measure the progress and status of the compliance program
- Monitors changes to the law’s requirements issued by the state
- Presents a vehicle through which Monroe RIC can directly engage with its districts’ programs, ensuring their compliance
Implementation
Executive personnel from Monroe RIC initiated the process by downloading a software inventory list from a tool provided by RIC ONE. Additionally, a team of district Data Protection Officers evaluated these software titles and defined a list of protected data elements, as defined by the law, that could reside in any of those software platforms. To support the Ed Law 2-D mandate, they also assigned risk profiles to the data elements in terms of confidentiality, integrity and availability. This software inventory and data mapping process would serve as the foundation for the buildout of the program and be distributed to all the component districts in the region to define their own respective environments. Each district selects the software titles they use in their schools, and those titles are imported into their specific instances of the CyMetric platform. Through this process, hundreds of hours of data entry are eliminated, expediting the onboarding process and the delivery of the required program elements to meet the October 1 state-imposed deadline for program definition. With the first wave of schools embracing this model in 2020, future districts that come on board to the CyMetric platform will enjoy the benefit of this streamlined setup and program establishment.
Complementing the CyMetric software platform are services that are delivered via Monroe RIC and the BOCES that they support, along with a third-party professional services firm specializing in data security and corresponding professional development. Both the BOCES and the third-party vendor are conversant in the CyMetric platform, providing support services and implementation assistance when needed. The goal is to leverage specialized assets to launch district programs while empowering them to be self-sufficient as their experience levels increase. Districts receive a fixed set of consultative hours and professional development from the third-party vendor as a part of the CO-SER program acquired via the BOCES. Districts are free to leverage other service providers for supplemental support as they deem appropriate, so they are not specifically tied to the vendor the BOCES has selected.
Caetra.io positioned the development of a “phased” approach to implementing the Ed Law 2-D mandate. By adopting this approach, districts are able to set achievable short- and medium-term goals for their implementation of the Ed Law 2-D mandate with the long-term objective of full implementation. A team of DPOs and technical personnel from BOCES participated in a process to segment NIST CSF controls into groupings that should be prioritized under the overall security hygiene of the district programs. The process yielded four phases that can be integrated at the appropriate pace and discretion of each district. The control sets were also evaluated by the security services firm for their input and validation. Caetra.io has incorporated these defined control sets as unique objectives into the CyMetric platform so districts can use the tool for phase management, reporting and accountability while working toward the long-term goal of implementing the full CSF and Part 121 controls.
Conclusion
The initial success of the model has allowed DPOs and Tech Directors to meet the October 1 Ed Law 2-D requirement, sparing district resources and saving money while achieving both compliance and peace of mind in a challenging year.
Next steps
To evaluate the programs’ implementation, CyMetric automates assembly of controls and enables effective documentation of the status of the security program. Identified gaps and findings are output in a Plan of Action and Milestones report that assists districts in prioritizing and allocating the proper assets to remediate the findings and reduce the overall risk of their programs.