Citizen Portal
Sign In

District reviews layered cybersecurity measures, urges vigilance around vendor protections

St. Cloud Public School District Board of Education · January 8, 2026

Get AI-powered insights, summaries, and transcripts

Subscribe
AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video. so we can fix them.

Summary

The St. Cloud Public School District presented an informational update on multi‑layered cybersecurity efforts — stronger passwords, multi‑factor authentication, simulated phishing, endpoint detection and third‑party data‑protection agreements — and discussed vendor monitoring and incident response.

Katie Herbold, the district’s executive director of innovation and technology services, told the School Board that the district is strengthening its defenses around student and staff data by combining technology, training and planning.

"When we talk about cybersecurity, we're talking about protecting our networks, our devices, and our data from unauthorized access," Herbold said, summarizing the district's approach to safeguarding systems that hold student records.

Herbold described recent changes to authentication and password policies: the district moved from nine‑character passwords to a 12‑character minimum with complexity requirements and added multi‑factor authentication options such as fingerprint, phone‑sent codes or security questions. She said the changes substantially increase the time it would take for standard brute‑force attacks to succeed.

The district also runs simulated‑phishing campaigns for staff. Herbold said clicked simulations trigger immediate, in‑browser remediation training and that staff can report suspicious messages with an in‑mail reporting button; the program uses a gamified leaderboard to encourage reporting. She added that endpoint detection and response software is installed on district devices to quarantine suspicious behavior and alert both users and the IT/security team.

The district contracts with a managed detection and response (MDR) partner that monitors the network around the clock, performs monthly vulnerability scans, and supports incident response and digital forensics if needed. Herbold said the MDR team will contact staff for high‑priority alerts at any hour.

On third‑party risk, Herbold said the district uses Data Protection Agreements (DPAs) to bind vendors to the district’s security standards and to specify secure disposal of backups when contracts end. "Our data is really only as secure as our weakest partner," she said, describing DPAs as a contractual safeguard.

Board members asked about backup procedures and links between cybersecurity and building security systems. Herbold confirmed that cameras and core systems have backups and that operational coordination occurs with the director of operations. No formal board action was taken; the item was presented for information and questions.