What is the Global Education Security Standard (GESS) and How Can Schools Use It?

Cybersecurity awareness has never been better in large organizations, but there has been a noticeable gap in establishing clear security benchmarks for educational technology (EdTech) providers. 

This gap has resulted in confusion regarding expectations, inconsistency in applied frameworks, and challenges in holding EdTech providers accountable for security obligations.

The Global Education Security Standard (GESS) is a voluntary initiative aimed at addressing the lack of coherent security standards and guidelines for EdTech providers. 

GESS synthesizes security and privacy requirements from various regions, including the USA, Europe, New Zealand, and Australia to develop a comprehensive set of controls that can be adopted and complied with by EdTech providers globally. Let’s take a closer look at what GESS is, and how your school—whether it’s a preschool or university—can benefit from it. 

What is GESS?

The Global Education Security Standard (GESS) is a framework aimed at providing a unified set of security controls for educational institutions, covering data protection, privacy, cybersecurity, and other related areas. 

GESS is essentially a matrix or crosswalk of all existing security frameworks relevant to the education sector. It consolidates these frameworks into a common set of controls applicable to PK-20 (pre-kindergarten through higher education providers) data environments. It greatly benefits the international EdTech community.

There are so many technical, functional, and regulatory requirements in the education sector that many schools and EdTech providers struggle to comply. GESS aims to streamline this process by providing a standardized set of security controls that can be easily referenced and applied across the globe. 

GESS identifies and deals with security controls that are most relevant and applicable to educational technology products and environments. It’s developed collaboratively by a working group consisting of educational departments, leading vendors, academics, and other stakeholders.

By joining GESS, subscribers contribute to the movement towards standardizing security controls across the EdTech industry. This helps avoid the need to prove certification in multiple frameworks and promotes consistency in security measures across schools and districts.

In regions such as the US, GESS is becoming integrated into national data privacy agreements and frameworks. The next version of the National Data Privacy Agreement in the US will include GESS as an approved control framework. Similarly, in Australia and New Zealand, the preexisting ST4S controls are embedded within GESS.

Differences between GESS and GEPS

While both GESS and the Global Education Privacy Standard (GEPS) aim to enhance security and privacy in educational environments, they focus on different aspects of cybersecurity:

• GESS (Global Education Security Standard) focuses on cybersecurity measures and controls aimed at protecting against security threats and breaches in educational technology environments. It provides guidelines and standards for implementing technical security measures, like encryption, access controls, and incident response protocols. It addresses the broader spectrum of cybersecurity concerns, including data breaches, malware attacks, and network security.
  
• GEPS (Global Education Privacy Standard), on the other hand, focuses on student data privacy obligations and protection within educational settings, particularly concerning the handling of sensitive student information. It provides guidelines and standards for collecting, storing, and sharing student data in compliance with privacy laws and regulations and addresses concerns related to data privacy, consent, transparency, and accountability in educational data practices.

You should refer to GESS when your primary concern is protecting against cyberattacks and breaches that could compromise sensitive information or disrupt school operations.

Use GEPS when your primary concern is complying with data privacy regulations, data security and data protection or if you need guidance on how to collect, store, and share student data responsibly and ethically.

Leveraging GESS to Improve Security

GESS is still evolving, but it takes key learnings from frameworks like ISO27001, the NIST-CSF, and CIS controls, all of which can have a big impact on cybersecurity at your school. Here’s how to get started: 

Familiarize Yourself with GESS

Begin by familiarizing yourself with the GESS framework. Understand its objectives, principles, and the controls it outlines. This will provide you with a foundational understanding of how GESS can help improve cybersecurity in your school. 

Assess Current Cybersecurity Practices

Conduct a thorough assessment of your school’s current cybersecurity practices. Identify strengths, weaknesses, and areas for improvement. This assessment will serve as a baseline against which you can measure progress after implementing GESS controls. GESS provides a useful self-assessment tool you can use. 

Identify Applicable Controls

Review the GESS controls and identify those that are most relevant to your school’s environment and needs. Consider the  types of educational technology used, the size of your school, and any specific cybersecurity challenges you face.

GESS controls include: 

• Governance and risk management
• Asset management
• Vulnerability management 
• Network security
• Incident response
• Training and awareness
• Physical and environmental security
• Disaster Recovery, and more. 

Use GESS controls as a reference to evaluate your current cybersecurity practices and identify existing gaps. Analyze your data security, vulnerability management, incident response protocols, and privacy compliance based on the framework and prioritize vulnerabilities and weaknesses based on impact and likelihood, focusing on critical areas first.

Implement Controls and Policies

Select and implement relevant GESS controls based on your assessment and risk profile. This might involve securing network perimeters, encrypting data, training staff, and establishing data deletion procedures. Develop security policies and procedures aligned with GESS principles to guide data handling, access control, and incident response.

Raise Awareness and Training

Conduct cybersecurity awareness training for all staff, students, and relevant stakeholders. Educate them on cyber threats, best practices, and their role in maintaining a secure environment. Train designated personnel on incident response procedures, data breach notification protocols, and secure data handling practices.

Continuous Improvement and Monitoring

Regularly monitor your cybersecurity posture by conducting vulnerability scans, analyzing logs, and assessing adherence to GESS controls. Review and update your security policies, procedures, and incident response plans periodically to reflect changes in technology, threats, and regulations. Seek ongoing support and resources from GESS communities, professional services, and cybersecurity experts to stay informed and adapt to evolving challenges.

Stay Updated

Stay informed about updates and revisions to the GESS framework. Cybersecurity threats and best practices evolve over time, so it’s important to stay updated on the latest developments and incorporate them into your cybersecurity strategy.

Engage with the Community

Engage with other schools, educational organizations, and cybersecurity professionals to share insights, experiences, and best practices related to GESS implementation. Collaboration and knowledge sharing can help strengthen cybersecurity across the education sector.

Using GESS to Evaluate EdTech and Vendors

You can also use GESS to evaluate new technology you’d like to introduce to your school environment. Here’s a simple questionnaire you can use: 

Data Security

• Data Inventory: Does the tool collect student data? What type of data? Is it classified based on sensitivity?
• Data Storage and Transmission: Where is the data stored? Is it encrypted at rest and in transit? Are secure transmission protocols used?
• Access Controls: Who has access to student data? Are there granular access controls and strong authentication mechanisms?
• Data Deletion and Disposal: How can data be deleted when no longer needed? Does the tool follow data disposal best practices?

 Vulnerability Management

• Security Updates: Does the vendor maintain the tool and provide regular security updates? Are vulnerabilities patched promptly?
• Penetration Testing: Does the vendor conduct regular penetration testing of the tool? Are the results shared with schools?
• Third-Party Integrations: Does the tool integrate with other tools? Are those integrations secure?

Incident Response

• Reporting Mechanisms: Does the tool have clear and easy-to-use reporting mechanisms for security incidents?
• Response Plan: Does the vendor have a documented incident response plan? How will they communicate with schools in case of an incident?
• Data Breach Notification: Does the vendor have a policy for notifying schools of data breaches? What is their timeframe for notification?

Privacy Compliance

• Data Privacy Policy: Does the vendor have a clear and transparent data privacy policy? Does it comply with relevant regulations like GDPR or COPPA?
• Data Subject Requests: Does the vendor have a process for handling data subject requests from students or parents?
• Transparency and Accountability: Does the vendor offer clear information about how student data is used and shared? Are they accountable for its protection?

Once you’ve answered all of the questions, create a scoring system based on the importance of each criterion for your school. Involve stakeholders like teachers, IT staff, and legal counsel in the evaluation process and seek out professional guidance if needed, especially for complex tools or compliance requirements.

Remember, continuous evaluation is crucial. Regularly revisit your assessments as EdTech tools and environments evolve and security threats change.

Final Thoughts

Schools, like any other organization, have to take data and cyber security seriously. However, many schools face considerable challenges when it comes to regulatory compliance and cybersecurity best practices. GESS is just one of the many tools and frameworks your school can benefit from – taking your unique challenges into account while empowering you to take your safety (and the safety of your students) into your own hands.