Welcome to the Education Sector Security Navigator

This micro tool helps educational institutions quickly assess their security posture across physical and cyber domains. In less than 10 minutes, you'll receive targeted recommendations to improve your security stance.

How It Works

1. Answer brief questions about your institution's current security practices

2. Receive an immediate assessment of your security posture

3. Get prioritized recommendations for improvement

4. Access resources tailored to your institution's needs

Your responses are processed locally in your browser - no data is sent to any server.

Institutional Profile

Let's start with some basic information about your institution.

What type of educational institution are you assessing?

K-12 (Small: <500 students)
K-12 (Medium: 500-1500 students)
K-12 (Large: >1500 students)
Higher Ed (Small: <5000 students)
Higher Ed (Medium: 5000-15000 students)
Higher Ed (Large: >15000 students)

Which best describes your campus layout?

Single building
Multiple buildings (closed campus)
Multiple buildings (open campus)
Multiple campuses/distributed locations

What is your institution's location type?

Urban
Suburban
Rural

How would you describe your current security budget?

Minimal (No dedicated security budget)
Limited (Small dedicated budget)
Moderate (Dedicated security line item)
Substantial (Well-funded security program)

Do you have dedicated security personnel?

None
Part-time/Shared responsibility
Full-time security staff
Dedicated security department

Has your institution experienced any security incidents in the past 3 years?

No significant incidents
Physical security incidents only
Cyber incidents only
Both physical and cyber incidents

Physical Security Assessment

Let's evaluate your physical security controls and practices.

How would you rate your access control measures?

Minimal (Unlocked doors during operating hours)
Basic (Locked exterior doors, manual check-in)
Moderate (Key/card access, visitor management)
Advanced (Electronic access control throughout facility)

What surveillance systems do you have in place?

None
Limited (Cameras at main entrances only)
Moderate (Cameras at entrances and key areas)
Comprehensive (Campus-wide video surveillance)

How often do you conduct security drills?

Never
Annually
Quarterly
Monthly

What is your relationship with local law enforcement?

Minimal contact
Standard response relationship
Enhanced cooperation (regular meetings)
Integrated (SRO/campus police/formal agreement)

Do you have a formal security assessment or audit process?

No formal assessments
Informal/internal assessments only
Occasional professional assessments
Regular professional assessments

What physical security features protect your critical areas?

Basic locks only
Enhanced locks and limited access
Electronic access control with logging
Multi-factor authentication and monitoring

What visitor management systems do you employ?

Minimal (Basic sign-in sheet)
Basic (Manual check-in with visitor badges)
Enhanced (Electronic visitor management system)
Comprehensive (ID scanning, background checks, integrated system)

What facility hardening measures have you implemented?

Minimal hardening measures
Basic (Reinforced doors, window coverings)
Enhanced (Ballistic materials in key areas, secure vestibules)
Comprehensive (Ballistic glass, door barricading systems, security film)

How do you secure your facility perimeter?

Minimal perimeter security
Basic fencing or natural boundaries
Enhanced (Controlled access points, monitored perimeter)
Comprehensive (Full perimeter protection with monitoring)

Do you have a formal family reunification plan for emergencies?

No formal plan
Basic plan (Designated locations only)
Detailed plan with procedures and responsibilities
Comprehensive plan, regularly tested with stakeholders

Active Shooter Preparedness

Let's assess your readiness for active shooter scenarios.

Do you have an active shooter response plan?

No plan
Basic plan (Not recently updated)
Comprehensive plan (Recently reviewed)
Advanced plan (Regularly updated with input from law enforcement)

Have staff/faculty received active shooter response training?

No training
Some training (One-time or limited)
Most staff trained (Regular training)
All staff trained (Comprehensive program)

Have students received age-appropriate emergency response training?

No student training
Minimal (Basic drill participation only)
Moderate (Structured age-appropriate training)
Comprehensive (Regular training with follow-up)

What emergency communication systems do you have?

Basic (PA system only)
Moderate (PA + limited notification system)
Comprehensive (Multi-channel alert system)
Advanced (Integrated emergency communication platform)

How would you rate your facility's physical security design for preventing/mitigating active shooter incidents?

Minimal considerations
Basic measures (classroom door locks)
Enhanced design (secure vestibules, limited entry points)
Comprehensive security design (ballistic materials, safe rooms)

Do you have a threat assessment team or process?

No formal process
Basic process (ad hoc response to concerns)
Formal team (meets when concerns arise)
Comprehensive program (trained team, regular meetings)

Do you have early intervention programs for concerning behaviors?

No program in place
Basic program with limited resources
Moderate program with dedicated resources
Comprehensive program with proactive monitoring

Is there a clear mechanism for reporting concerning behavior?

No formal reporting mechanism
Limited options for reporting
Multiple reporting channels available
Comprehensive system with anonymous options

Are mental health resources integrated with security protocols?

No integration
Minimal connection between services
Moderate integration with regular communication
Fully integrated approach with shared protocols

Remote Learning Security Assessment

Let's evaluate your security measures for remote and distance learning environments.

How do you secure remote/distance learning environments?

Minimal controls (basic password protection)
Basic controls (managed accounts and passwords)
Enhanced (MFA, secure access policies)
Comprehensive (Zero trust model, full monitoring)

What authentication methods do you use for remote access?

Passwords only
Enhanced passwords with complexity requirements
MFA for some systems/users
MFA required for all remote access

How do you monitor for unusual access patterns in remote systems?

No monitoring
Basic logging with manual review
Automated alerts for suspicious activities
Advanced behavior analysis and anomaly detection

What training do you provide to students/parents about secure home setups?

No training provided
Basic guidelines provided
Detailed resources and support available
Comprehensive training and ongoing support

How do you secure video conferencing and virtual classroom platforms?

Default settings only
Basic security features enabled
Enhanced security with waiting rooms/access controls
Comprehensive security with monitoring and integration

Cybersecurity Assessment

Let's evaluate your cybersecurity posture.

How would you rate your network security?

Basic (Standard firewalls only)
Moderate (Firewall + some monitoring)
Advanced (Next-gen firewall, IDS/IPS)
Comprehensive (Full security stack with 24/7 monitoring)

What endpoint protection measures do you have?

Minimal (Basic antivirus)
Standard (Managed antivirus)
Enhanced (Endpoint protection platform)
Advanced (EDR/XDR solution)

How often do you conduct security awareness training?

Never
Annually
Quarterly
Monthly with phishing simulations

Do you have an incident response plan for cyber attacks?

No plan
Basic plan (Not tested)
Moderate plan (Documented but rarely tested)
Comprehensive plan (Regularly tested)

How is your network segmented?

Minimal/No segmentation
Basic segmentation (e.g., staff vs. student)
Moderate (Multiple VLANs by function)
Comprehensive (Zero trust/micro-segmentation)

How do you secure cloud services (Google Workspace, Microsoft 365, etc.)?

Default settings only
Basic security settings enabled
Enhanced (MFA, advanced security features)
Comprehensive (CASB, DLP, third-party tools)

How do you manage mobile devices used for educational purposes?

No formal management
Basic management (inventory only)
Moderate (MDM for institution-owned devices)
Comprehensive (MDM for all devices accessing resources)

How do you handle backup and recovery?

Minimal/Ad-hoc backups
Basic scheduled backups
Enhanced (3-2-1 backup strategy)
Comprehensive (Tested DR plan, immutable backups)

How quickly can you restore critical systems from backups?

Unknown/Not tested
Several days
Within 24 hours
Within a few hours

Do you have alternate methods to continue operations during outages?

No alternate methods
Limited manual procedures
Moderate continuity plans for key functions
Comprehensive business continuity plan

Have you tested your recovery procedures in the last year?

Never tested
Partially tested (tabletop only)
Limited testing of some systems
Full recovery testing completed

Do you have specific ransomware prevention and response measures?

Minimal/No specific ransomware measures
Basic measures (Regular backups only)
Enhanced (Immutable backups, response playbook)
Comprehensive program (Prevention, detection, response, recovery)

How do you evaluate and manage education-specific supply chain risks?

No formal evaluation
Limited review of major vendors only
Moderate assessment of critical suppliers
Comprehensive supply chain risk management program

What is your approach to implementing zero trust security principles?

Not implemented/Not familiar
Planning/Early stages
Partial implementation in key areas
Advanced implementation across multiple systems

How would you rate your security monitoring and threat detection capabilities?

Minimal/Basic logging only
Moderate (Some monitoring with manual review)
Enhanced (SIEM implementation or equivalent)
Advanced (24/7 monitoring with automated alerting)

How do you align your cybersecurity program with frameworks like NIST CSF?

No formal alignment with frameworks
Partial/Informal alignment
Moderate alignment with documented mapping
Comprehensive framework implementation with regular assessment

IoT & Smart Campus Security

Let's evaluate your approach to securing connected devices and smart campus technologies.

How do you secure IoT devices on campus (cameras, HVAC, access controls)?

Minimal security measures
Basic security (changed default passwords)
Enhanced security (firmware updates, strong authentication)
Comprehensive security with monitoring

Do you maintain an inventory of connected devices?

No inventory
Partial/outdated inventory
Complete manually maintained inventory
Automated discovery and inventory management

Are IoT systems on segregated networks?

No network segregation
Partial segregation for some devices
Most IoT devices on separate networks
Complete segregation with monitoring

How do you manage firmware updates for connected devices?

No update management
Manual updates when issues arise
Scheduled update process
Automated patch management

Do you perform security assessments of smart campus technologies before implementation?

No security assessment
Limited review of documentation
Thorough security review
Complete assessment including testing

Data Privacy Assessment

Let's evaluate your data privacy practices.

How do you manage sensitive student data?

Minimal controls (Basic access restrictions)
Basic controls (Role-based access)
Enhanced controls (Data classification + access controls)
Comprehensive controls (Full data governance program)

How do you assess third-party vendor security?

No assessment
Limited (Basic vendor questionnaire)
Moderate (Detailed security review)
Comprehensive (Formal vendor risk management)

What encryption practices do you employ for sensitive data?

Minimal (No systematic encryption)
Partial (Some systems encrypt data)
Most systems employ encryption
Comprehensive (End-to-end encryption strategy)

How do you control access to student records?

Minimal controls (Basic password protection)
Basic controls (Role-based access)
Enhanced (Role-based + approval workflows)
Comprehensive (Least privilege + access monitoring)

Do you have a data breach response plan?

No formal plan
Basic plan (Not tested)
Moderate plan (Documented roles and procedures)
Comprehensive plan (Regularly tested)

How do you manage privacy in educational technology tools?

Minimal oversight of tools used
Basic review process for new tools
Formal approval process with privacy review
Comprehensive management with ongoing monitoring

Do you have a formal student data governance committee?

No formal committee
Limited scope committee (meets rarely)
Active committee with regular meetings
Comprehensive governance structure with executive support

How do you manage parental consent for student data collection?

Minimal processes (Basic annual permission forms)
Moderate (Specific consent for some activities)
Comprehensive consent framework for all data collection
Advanced system with granular permissions and verification

Are you compliant with state-specific student privacy laws (e.g., SOPIPA and other state laws)?

Unknown/Not evaluated
Partial compliance with some state laws
Compliant with most applicable state laws
Full compliance with all applicable state privacy laws

How do you handle biometric data collection or processing (if any)?

Not applicable - No biometric data collected
Minimal safeguards for biometric data
Moderate protection with specific consent
Comprehensive protection with strict limitations

Crisis Communication Assessment

Let's evaluate your crisis communication preparedness.

Do you have pre-drafted crisis communication templates?

No templates prepared
Limited templates for some scenarios
Comprehensive templates for multiple scenarios
Advanced templates with multiple distribution channels

How do you communicate with parents/guardians during incidents?

Ad-hoc/no formal process
Single channel communication
Multiple communication channels
Coordinated multi-channel approach with confirmation

Do you have backup communication channels if primary systems fail?

No backup channels
Limited backup options
Multiple backup channels
Comprehensive redundant systems

How frequently do you test your crisis communication systems?

Never tested
Annually
Quarterly
Monthly or more frequently

Do you have designated spokespersons trained for crisis communication?

No designated spokespersons
Designated but untrained
Trained spokespersons
Comprehensive training with regular practice

Compliance Assessment

Let's evaluate your compliance with education-specific regulations.

How would you rate your FERPA compliance?

Unknown/Minimal
Partial compliance
Mostly compliant
Fully compliant with regular audits

How would you rate your COPPA compliance (if applicable)?

Not applicable
Unknown/Minimal
Partial compliance
Mostly compliant
Fully compliant with regular audits

Do you have policies for data retention and destruction?

No formal policies
Basic policies (Not consistently followed)
Comprehensive policies (Generally followed)
Advanced policies (Consistently enforced with auditing)

Are staff regularly trained on compliance requirements?

No compliance training
Minimal (One-time or occasional)
Regular training (Annual)
Comprehensive (Regular with testing/verification)

How do you document and track compliance activities?

No formal tracking
Basic documentation
Systematic tracking
Comprehensive tracking with regular reporting

Do you have staff specifically responsible for compliance?

No designated staff
Partial responsibility (Added to existing role)
Dedicated staff member
Dedicated compliance team/function

Are you eligible for security-related grants or funding?

Unknown
Some eligibility (Not pursuing)
Actively pursuing available grants
Currently receiving grant funding