Every organization carries with it some inherent risk, and key to managing it is knowing where to start with a mitigation strategy. When it comes to protecting the privacy of student data, the risks sometimes seem to be lurking around every corner: the employee who leaves the laptop in the backseat of the car or the password taped to a laptop, the phishing scam that targets your school system leadership, the students who plan a denial-of-service attack on the day of final exams, the sheer volume of third-party technologies that are brought into the classroom every day.
All of these can keep the most seasoned CTO up at night, and sometimes the task of quantifying risks in order to be able to address them can be overwhelming. One key to wrestling risk to the ground is to do what we are often most reluctant to do: face it head-on.
To be sure that you don’t get buried under the sheer volume and weight of the concerns, keep the Creighton Abrams quote in mind: “When eating an elephant, take one bite at a time.” Here are some steps to figure out which bite to take first:
- Conduct an analysis. With the results of your pre-assessment in hand, decide which aspects of your school system represent known areas of risk. Conduct a full gap analysis of the data: how it is secured, where and with whom it is shared, and how the use of the data is handled in alignment with federal and state laws, district policies and community norms.
- Assess the gaps. Consider the different types of risk that each gap may represent. Is it a regulatory issue? Does it come with financial repercussions? Could this issue hurt your school system’s reputation or cause you to lose the trust of your community? Rank the gaps in order of severity, considering all facets of potential repercussions.
- Consider the likelihood. Add another layer to the analysis by considering the likelihood of each risk coming to fruition. Is the item that represents your highest level of risk the one that is least likely to occur? Try to quantify this with scoring metrics if you can. When you’re done, assess the list and consider whether or not the risk that is going to keep you up at night also made your top 10. There is a science to this, but don’t ignore your gut. You know your organization best and that nagging feeling is your instinct trying to tell you something. Make that list a top 11 if you need to.
- Take stock of your resources. Some of the gaps on your list might be relatively easy to address, while others will take time, manpower and finances that you may not have on hand. This is another axis for your analysis. Document what you should do first versus what you can do first. Are there small risks that may be damaging to your school system’s reputation that are easy to fix? Are the larger risks significant enough to warrant prioritizing above everything else? If so, but you’re not able to because of resource constraints, are there interim steps you can take to reduce the severity of the risk while you plan a larger mitigation strategy for the future? Are you able to tackle multiple risks at once?
- Make a plan. Considering the severity of the gaps, the likelihood of the risk occurring and what it will take to address each gap, create your action plan. The plan should include realistic short-term and long-term goals. Document the steps for all of them, recognizing that the action items for short-term goals will be focused more on “doing,” while action items for long-term goals will be focused more on the planning needed to be poised to act. Establish a realistic timeline, understanding that, depending on what risks you are trying to address and the resources you have available, getting to everything may take a few years — not weeks or months.
Building a school compliance program is a risk mitigation strategy, and it requires building a function that will be part of the fabric of the organization for the future. Shedding light on existing risk is one of the most important steps in mobilizing the function to get you moving on the right path. By doing so, you can make “eyes wide open” decisions: thoughtful, deliberate choices that are made with all the facts in hand, with appreciation for potential repercussions, and with strategies in place to mitigate the risk where needed.
Linnette Attai is the founder of PlayWell, LLC, through which she advises private and public companies, schools and districts, trade organizations, lawmakers and policy influencers. Attai has been helping clients navigate data privacy matters for over 25 years. She is the author of “Student Data Privacy: Building a School Compliance Program.”