Cybersecurity threats are rising in K–12 schools. No organization is too small to be targeted. Whether you’re a single-site charter or a large school district, protecting student and staff data is critical.
This easy-to-use cybersecurity checklist is designed specifically for schools. It covers the essentials to review across 10 key areas, from staff training to ransomware protection. You don’t need to be a tech expert to use it. Just follow the checklist and use it to guide your next audit, planning meeting, or board update.
Simple. Actionable. Built for schools of all sizes.
Use this checklist to audit and strengthen your organization’s cybersecurity posture.
Complete each section at least once per semester and follow up with your IT team or vendor to address any unmet areas. For each item, check ✅ if complete, ⚠️ if in progress, or ❌ if missing.
1. Governance & Policy
Ensure your cybersecurity efforts are aligned with clear policies, procedures, and roles.
- District-wide cybersecurity policy is documented and up to date
- Acceptable Use Policy (AUP) signed annually by students, staff, and families
- Roles and responsibilities defined for IT, data privacy, and incident response
- School Board or CMO leadership reviews cybersecurity risk at least annually
- Regular cybersecurity awareness campaigns shared with school leaders
2. Staff Training & Cyber Hygiene
All staff should receive basic cybersecurity training and practice safe habits.
- Annual cybersecurity training is mandatory for all staff (including IT)
- Phishing simulations conducted at least twice per year
- Teachers and staff know how to report suspicious emails or cyber incidents
- Passwords meet a strong standard: 12+ characters, screened against lists of common and known-breached passwords, with no forced periodic rotation or arbitrary composition rules (current NIST SP 800-63B guidance favors length and screening over complexity)
- Multi-Factor Authentication (MFA) is enforced, not merely available, for all staff accounts on critical systems (email, SIS, finance, remote access, admin consoles)
3. Student Device & Account Security
Protect devices, apps, and credentials used by students.
- Student Chromebooks/iPads/laptops have content filtering and MDM installed
- MFA is required for students on cloud-based learning systems where age-appropriate (older students at minimum)
- Student passwords are securely managed and meet grade-appropriate standards
- Single Sign-On (SSO) is used wherever possible for student apps
- District IT staff can remotely wipe or lock lost/stolen student devices
4. Network & Infrastructure Security
Ensure all physical and virtual networks are protected against unauthorized access.
- Firewalls and content filters are in place and regularly updated
- Guest Wi-Fi is separated from internal staff/student networks
- Network devices (routers, switches, access points) have default credentials changed, unique strong admin passwords, and management interfaces reachable only from an IT admin network, never from student or guest Wi-Fi
- Network segmentation used to isolate sensitive systems (e.g., SIS, finance)
- VPN or secure tunnels used for remote access by staff/contractors
5. Data Privacy & Compliance
Comply with FERPA, COPPA, and state-level student data protection laws.
- Student and staff PII (personally identifiable information) is encrypted at rest and in transit (TLS for web and API traffic)
- Cloud platforms (Google Workspace, Microsoft 365) are covered by a signed K–12 data privacy agreement and configured to match it (e.g., external sharing and third-party app access restricted)
- Third-party edtech vendors reviewed for compliance with privacy laws
- Data sharing agreements (DSAs) signed with all vendors handling student data
- Parents have access to privacy notices and opt-out procedures as required
6. Software, Devices & Patches
Maintain up-to-date systems and protect against known vulnerabilities.
- Automatic updates enabled on all devices and servers
- Patch management policy in place for critical systems
- Obsolete software and unsupported operating systems are retired
- Staff and students restricted from installing unapproved software
- Antivirus/EDR software is installed, running, and reporting to a central console on all endpoints, including servers
7. Incident Detection & Response
You need to be able to detect, respond to, and recover from cyber incidents.
- Incident Response Plan (IRP) is documented and reviewed annually
- Staff know who to contact in the event of a data breach or ransomware attack
- Regular backups performed, with at least one copy stored off-site or in the cloud under credentials separate from the production domain (so a compromised admin account cannot delete them)
- Restoration from backups tested at least once per semester, including a full restore of at least one critical system (e.g., the SIS), not just a file-level spot check
- Logs from critical systems (identity provider, email, firewall, endpoints) are collected centrally (a SIEM or equivalent) and someone reviews alerts for suspicious activity, such as repeated failed logins followed by a success or one source trying many different accounts
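To make the "monitor suspicious activity" item concrete, here is an added example (not part of the original checklist, and not tied to any particular SIEM product) of the two correlation rules a small K–12 IT team most often needs against central authentication logs: a burst of failures followed by a success for one account, and a password spray where one source IP fails against many different accounts. The log format, field order, thresholds and the sample lines are all constructed assumptions; a real deployment would read the identity provider's export instead.

```python
"""Added example: two basic authentication-log correlation rules.

Constructed sample data and an assumed log format; not code from the
original checklist or from any SIEM vendor.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts result user ip")

# Constructed sample authentication log (not from any real system).
# Assumed format per line: <ISO-8601 UTC timestamp> <FAIL|SUCCESS> <username> <source IP>
SAMPLE_LOG = """\
2024-09-10T07:58:01Z FAIL jsmith 203.0.113.9
2024-09-10T07:58:03Z FAIL jsmith 203.0.113.9
2024-09-10T07:58:06Z FAIL jsmith 203.0.113.9
2024-09-10T07:58:08Z FAIL jsmith 203.0.113.9
2024-09-10T07:58:11Z FAIL jsmith 203.0.113.9
2024-09-10T07:58:14Z SUCCESS jsmith 203.0.113.9
2024-09-10T08:02:00Z SUCCESS mlopez 198.51.100.20
2024-09-10T08:02:30Z FAIL mlopez 198.51.100.20
2024-09-10T08:02:45Z SUCCESS mlopez 198.51.100.20
2024-09-10T09:15:00Z FAIL agarcia 192.0.2.77
2024-09-10T09:15:01Z FAIL bkim 192.0.2.77
2024-09-10T09:15:02Z FAIL cnguyen 192.0.2.77
2024-09-10T09:15:03Z FAIL dpatel 192.0.2.77
2024-09-10T09:15:04Z FAIL ewilson 192.0.2.77
2024-09-10T09:15:05Z FAIL fbrown 192.0.2.77
"""


def parse_line(line):
    """Parse one log line in the assumed format into an Event."""
    ts, result, user, ip = line.split()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip)


def detect(lines, fail_threshold=5, spray_threshold=5, window=timedelta(minutes=10)):
    """Return a list of findings (dicts) for the two rules below."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    findings = []

    # Rule 1: a SUCCESS for a (user, source IP) pair preceded by >= fail_threshold
    # FAILs inside the window. One or two failures is a typo; a burst then a
    # success looks like guessing that worked and warrants a reset and MFA check.
    recent_fails = defaultdict(list)
    for e in events:
        key = (e.user, e.ip)
        recent_fails[key] = [t for t in recent_fails[key] if t >= e.ts - window]
        if e.result == "FAIL":
            recent_fails[key].append(e.ts)
        elif e.result == "SUCCESS" and len(recent_fails[key]) >= fail_threshold:
            findings.append({"type": "failures_then_success", "user": e.user, "ip": e.ip,
                             "failures": len(recent_fails[key]), "at": e.ts.isoformat()})
            recent_fails[key].clear()

    # Rule 2: password spray. One source IP fails against many *different* accounts
    # inside the window. Per-account lockout never triggers (one attempt each), so
    # only a cross-account view over centrally collected logs catches this.
    fails_by_ip = defaultdict(list)
    for e in events:
        if e.result == "FAIL":
            fails_by_ip[e.ip].append(e)
    for ip, fails in fails_by_ip.items():
        for start in fails:
            users = {f.user for f in fails if start.ts <= f.ts <= start.ts + window}
            if len(users) >= spray_threshold:
                findings.append({"type": "password_spray", "ip": ip,
                                 "accounts": sorted(users), "at": start.ts.isoformat()})
                break  # one finding per source IP is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against the constructed sample, the script reports one "failures_then_success" finding for jsmith and one "password_spray" finding for 192.0.2.77; mlopez's single typo is not flagged. The point for a district is that neither rule is possible when each system keeps its own logs: both need the identity provider's sign-in records in one place, which is what the SIEM item is really asking for.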
8. Ransomware & Threat Protection
Prevent, detect, and prepare for ransomware and other cyberattacks.
- Ransomware playbook included in the district IRP
- Staff and students trained on how ransomware spreads (e.g., through phishing)
- DNS/web filtering blocks known malicious domains, and email/download filtering blocks risky attachment types (e.g., executables, script files, macro-enabled Office documents, and archives that cannot be scanned)
- Email gateway filters and attachment scanning are active
- Offline or immutable backups maintained as a ransomware recovery fallback
9. Third-Party Vendor & App Vetting
Review all vendors and educational apps for security risks before approval.
- All apps go through a vetting process before classroom or school use
- EdTech vendors provide security documentation or third-party audits
- Vendors contractually required to report breaches affecting your data
- App inventory maintained and audited at least annually
- Integration with SIS or SSO systems uses secure protocols (e.g., SAML or OIDC for SSO; SFTP or HTTPS APIs rather than FTP or emailed spreadsheets for roster exchange)
10. Audit, Testing & Continuous Improvement
Test your defenses and continuously improve cybersecurity posture.
- Cybersecurity audit or risk assessment completed within the past year
- Vulnerability scans run on a defined schedule, penetration testing is performed at least annually or after major changes, and findings are tracked to closure
- Cybersecurity goals included in the district’s tech plan or strategic plan
- Lessons from past incidents documented and used to improve policies
- Cybersecurity topics regularly presented to school or CMO leadership
Instructions for Use:
- Review each item during site visits, annual planning, or post-incident audits
- Use the checklist to identify gaps in your schools or CMO’s cybersecurity strategy
- Follow up with IT staff, principals, and vendors as needed
- Store a copy of this checklist with your strategic tech or compliance documentation