CIPA Compliance and Cybersecurity: You Can’t Have One Without the Other

By Susan Biddle | August 31, 2017

Cybersecurity measures are being adopted and fine-tuned across industries to ensure sensitive data is protected against cybercriminals and evolving attack vectors. However, some industries, such as education, are held more accountable for data protection than others.

The federal government requires schools to have certain protective features in place under the Children’s Internet Protection Act (CIPA), which was enacted in 2000. CIPA seeks to protect the personal information of minors from unauthorized viewers and to keep minors from accessing inappropriate material online.

Adopting technology and cybersecurity strategies that ensure the goals of CIPA are upheld has become more important, albeit more difficult, as technology becomes prolific in the classroom and cyberattacks become increasingly sophisticated. IT teams have to combat ransomware, phishing attacks, and social engineering at the same time that the number of endpoints accessing their network rises. Moreover, the increase in device and bandwidth use that requires in-depth network security also means higher costs for IT budgets.

CIPA Enables E-Rate Funding

In addition to protecting children’s personal information and safety, CIPA compliance is required for schools to be eligible for E-rate funding. E-rate is a government-run program that grants money to K-12 schools for internet access and critical technical infrastructure costs. This money has become necessary for school administrators as technology becomes more engrained in the education process.

Today, both students and faculty expect to have access to devices, applications, and Wi-Fi while on school grounds. In addition to providing these services, IT teams have to ensure their tech infrastructure can stand up to an increased number of endpoints as students and staff alike continue to bring their own devices. Bandwidth costs, access points, switches, caching and other infrastructure amount to huge costs for education IT budgets, and can prevent them from using funds for programs such as digital curriculums and education-focused applications.

E-rate is mitigating these costs with approximately $4 billion distributed to K-12 schools for IT in 2017. However, in order to be approved to receive this money, schools must demonstrate that they comply with CIPA’s ordinances. As such, CIPA compliance, cybersecurity, and technology use go hand-in-hand.  

Core CIPA Regulations

CIPA compliance breaks down into five core components. They secure what minors are able to access online, with whom they can communicate, and who can access and disseminate personal information about them, and they restrict hacking and unlawful cyber behavior.

  1. Schools need to ensure that students cannot access material that might be inappropriate or harmful to them while connected to their network. This means adopting technology protection measures that filter or block access to images of child pornography and images that are obscene or harmful on devices being used. There are various guidelines for determining which images and websites fall under these umbrella terms based upon court stipulations, legal precedent, and individual judgment. Obscene content is defined by Miller vs. California, which states that obscene content is that which does not offer legitimate literary, artistic, political, or scientific value. Local school boards, agencies, or other local authorities determine what counts as inappropriate material.
  2. In addition to limiting what students can access online, schools need to ensure that they safely and securely engage with electronic forms of communication, such as email and chat rooms. Many forms of malware, such as ransomware (which affected one in ten educational organizations in 2016), are disseminated through infected email attachments or links sent in emails. In order to keep the network secure and children from interacting with dangerous users, schools need to implement protocols that limit malicious communication.
  3. Schools keep records on their students that include personally identifiable information (PII), financial information, and health information. This makes them a target for cybercriminals who seek to sell this data on the dark web. Beyond keeping cybercriminals out, only certain employees at the school should have access to these records to ensure the privacy of each child. CIPA requires that schools restrict unauthorized disclosure, use, and dissemination of personal information regarding minors, and schools therefore must have the proper security measures in place to keep this information private.
  4. While it is clearly important that schools keep external actors from gaining access to sensitive information, it is just as important that students cannot hack into this or other protected information. Thus, CIPA requires that schools have solutions in place that prevent hacking and other unlawful activities by minors online.
  5. In addition to these rules for guidance, schools must also have a community meeting to discuss what they entail, define any ambiguous material, and come up with an acceptable use policy to be implemented across the school’s community. 

Becoming CIPA Compliant

The best way to ensure CIPA compliance is with integrated cybersecurity solutions that keep students safe online, while also protecting your network from a broad range of cyberattacks.

Next generation firewalls (NGFWs) offered with FortiGate technology provide wide network protection from known and unknown threats, including ransomware, malware, and botnets, in addition to providing content filtering and the blocking of unwanted or malicious websites.

Anti-virus and web filtering from FortiGuard block the latest threats, while restricting access to unwanted websites. FortiGuard also automatically distributes critical updates based on the most recent threat intelligence. While FortiGate and FortiGuard block malicious content and websites, Unified Threat Management solutions allow you to set different user abilities for students, administrators, faculty, and guests to segment access to material based on policy.

To mitigate threats disseminated through email, such as ransomware and phishing, Fortinet offers secure email gateways to block these types of attacks, while also ensuring that sensitive data is not leaked through outgoing messages. 

Due to CIPA and E-rate, schools’ IT programs and curriculum are inextricably tied to cybersecurity. These rules ensure the safety of minors in addition to making your school E-rate eligible, so compliance is necessary.

Schools have to meet these needs within their budget, and typically, with limited resources as well. In addition to providing comprehensive security, Fortinet’s products are integrated with each other, offer automatic updates, and limit the strain on your IT team with single pane of glass visibility into the entire security framework.