Global Education Security Standard (GESS)

About Global Education Security Standard (GESS)

With the range of technical, functional, cyber security, data protection, privacy and other requirements, it is an increasingly laborious job to try to have a single way of showing suitability to potential customers or of demonstrating compliance during procurement exercises.

With the growing number of security standards and frameworks, there is a significant amount of crossover, and much of it is not in language that allows for consideration of the educational or operational needs of educational institutions.

Building on the success of the ST4S assessments across Australia and New Zealand, the Student Data Privacy Consortium has brought together a working group of educational departments, leading vendors and academics to develop a Global Education Security Standard, to provide a common grounding baseline for all, as well as regional requirements.

The following frameworks and sets of controls have been reviewed and mapped during this process:

Whilst this standard might seem like a large undertaking for an EdTech vendor, the goal is to ensure that you have clear coverage for all your possible markets, existing and new, with output framed to provide educational institutions with both technical information and clear language around how it makes a difference to them as educational institutes.

The following presentation runs through the standard and questions involved, and provides you with a starting point for meeting the criteria. It is also important to remember that the standard is assessed against a product, not just the vendor. This means questions will be asked about you as a vendor/product producer/service provider and also about the product/service itself.

There are 3 principal categories:
  • Company and Product Detail
  • Security
  • Privacy
As you might understand, the largest category will be security, but all will be relevant. As we look at each category, we will not delve too deeply into the mappings against other frameworks and standards, as these are better explained as part of the assessment process.

Company and Product Detail
This section is to allow you to provide details of you as the product producer, vendor and/or service provider; important legal information about your company; the countries to which the assessment is relevant; and a summary of the product/service. This is similar to the information already placed into many product catalogues or procurement frameworks, so this is the quickest and simplest criteria to add.

Security
This is the largest category and is broken down into 12 sections. Where questions seem to be repeated, it may be that more detail is required within a particular context. For example, if we are talking about password controls then in one question we might be asking about how you manage it within your company, but in another question we are asking about how schools can manage it within your product/service. Both are important and we will point to where we are asking about you directly and where we are asking about your product or service. There may be overlap, and that is perfectly ok and correct, and there will be opportunities to explain this within your responses.

The 12 sections are:

  • Product Function
  • Hosting and Location
  • Technical
  • Logging
  • Access
  • HR
  • Processes and Testing
  • Plans and Quality
  • Incidents
  • Data Deletion and Retention
  • Compliance Controls
  • Governance
The themes for these sections are generally self-explanatory, but here are more details:

Product Function
This section allows you to provide details on the general use of the product/service; what personal data may be used; any sub-contractors/sub-processors you work with to provide this product/service, and how you check them over; any other data processors you might integrate with or send data to on behalf of the educational institute; any independent third parties you may share data with, and what they use it for; whether it is on-premise, cloud hosted or hybrid; and all the subsequent terms of service, data processing agreements, codes of conduct, accessibility standards. This is an important section to cover as there are different requirements in different jurisdictions. However, there is a common baseline that can be met through GDPR and some considerations for particular jurisdictions, e.g. the US and COPPA/FERPA.

Hosting and Location
This is relevant to cloud-hosted/hybrid models and looks at your approaches to physical security, the hosting services you make use of, and how you manage it.

Technical
This section looks at how the infrastructure is protected and managed, including the management and security of any software code, and how you subsequently protect and secure the educational institute’s personal data. It then looks at you as an organisation: how you protect your own network and systems upon which you develop, and how you protect the access you have to the service when you are developing and supporting it. This is covered in areas such as software updates, anti-virus/anti-malware and organisational approaches your company takes.

Logging
Provide information on the logging process, i.e. what is collected, how often, for which users, the type of logs, and whether the logs are centralised.

Access
This section is to explain your security policies on providing access for your users, including inventory of accounts, password requirements, remote access, authentication, and third party service access.

HR
Explain your onboarding and offboarding process for employees and contractors. Provide information on internal and external agreements. Address your security awareness program and ongoing training.

Processes and Testing
Covers vulnerability scans and penetration testing compliance of third party providers and how you maintain software and hardware updates. Provide information about your incident response plan and how you handle data breaches and data loss.

Plans and Quality
This section lists several plans and processes and the required documentation for each: Business Continuity Plan; IT Change Management process; Security, Privacy, and Risk Management process; IT Asset Management process; Information Security Policy; Security Training and Awareness Policy; Maintenance Policy; Security Planning Policy; System and Services Acquisition Policy; Data Management Policy; Service Application Development and other cybersecurity elements.

Incidents
Addresses the organization’s history with incidents. An incident is defined as an occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

Data Deletion and Retention
Criteria used and time frame for processes and specifics on how the data is managed.

Compliance Controls
Define your compliance certifications or security assessments listing frequency and type.

Governance
This section allows you to report the data privacy roles in your organization, whether a budget is designated, and the location of your teams and response systems.

Privacy
This section is broken down into 3 sections. Variations of the same context will be presented to take into account who is generating the data. There will be some overlap with the security section, but it will be presented through the “privacy lens”.

The 3 sections are:
  • Privacy
  • Requests
  • Functional
This delves into the specifics of the terms of service/use including age restrictions and intellectual property definitions.

This section asks for details on privacy policy requirements, including disclosure, mandatory information collected on staff, parents, students and third party disclosures. The process to correct, request access and deletion of data and data transfer/sharing/discovery functionality is requested.

Potential issues that could compromise user privacy are listed. Explain processes in place to restrict access, including: role based access, restrictions on user profile creation/visibility, and audio/video conferencing/live streaming session procedures. List what tools are in use for remote access, chat, online communities and file download and upload. Guidelines for user content creation, access, and publication are listed. Describe online learning activities and the data collected, analysis, and result reporting. Other information covered is: additional student data collected and the disclosure policy requested; data breach/loss reporting process; health and well being information collected; and logging of personal information events.
GESS Disclaimer
This GESS Documentation and Portal contains copyright material which has been reproduced with the permission of Education Services Australia Limited. Copyright is owned by Education Services Australia Limited. All rights reserved.