At the ECNO Conference, we announced an important change in how ECNO will assist Ontario school boards in assessing student privacy risk. Beginning this fall, the Vendor Assessment for Student Privacy (VASP) service will be transitioning to a new Privacy Impact and Security Assessment (PISA) model. This reflects a broader governance shift: protecting student data now requires a more rigorous, evidence-based process that supports board accountability and defensible decision-making.
For member boards, the new model will provide a more robust basis for evaluating digital tools. VASP relied primarily on checklist-based review and supporting documentation. PISA expands that approach by assessing privacy and technical security risk together and by adding active testing, including scanning and validation. The result is stronger assurance that vendor claims have been tested and that board decisions are grounded in a fuller view of risk.
A key enabler of this model is our new Stratum platform, which will support the assessment process from intake through final reporting. It will give boards access to completed assessments through a shared library, reducing duplication and improving consistency across the sector. It will also strengthen record-keeping by providing a clearer trail of evidence, review steps, and supporting documentation for audit and compliance purposes.

The PISA model will build on the work of the OSABO Joint Collaborative Committee’s PISA Working Group and standardized PIA templates. Together, these will establish a common foundation for evaluating vendors against shared expectations. The tiered risk model should also help boards process lower-risk tools more efficiently while reserving deeper review for higher-risk systems. This supports a practical operating model while also meeting increasing regulatory expectations.
Our shared service model provides boards with access to specialized expertise that may be difficult to maintain locally, including legal, privacy, and cyber security support. By centralizing those capabilities, ECNO can help boards of all sizes obtain thorough assessments without bearing the full cost individually. This improves both cost-effectiveness and sector-wide capacity, while giving boards a more consistent and defensible basis for action.
Overall, we believe the transition from VASP to PISA will better equip member boards to meet legal and regulatory requirements, reduce privacy and security risk, and make more informed decisions about the digital tools used to support students.
CYBERSECURITY HAS MOVED TO THE BOARD TABLE: Here Is How School Boards Can Respond
ECNO’s white paper, Enhancing Board-Level Cyber Governance, positions cybersecurity in K–12 education as a core governance responsibility rather than a technical function. It reflects a broader shift already underway, in which boards are expected to actively oversee cyber risk, ask informed questions, and make decisions based on a clear understanding of exposure and impact. This shift is reinforced by Ontario’s Enhancing Digital Security and Trust Act, which requires school boards to establish formal cybersecurity programmes, assess readiness, and report incidents within defined timelines. As a result, expectations for IT and security leaders are changing, with greater emphasis on communicating risk in clear, practical terms that support board-level decision-making.
Many organisations are still adapting to these expectations. While IT teams understand the risks, translating them into concise, governance-focused information remains a challenge. Reporting can become overly technical or too detailed, making it difficult for trustees to connect cyber risk to operational and financial impact. At the same time, boards are not looking for more data, but for clarity on where they are exposed, what is improving, and what still requires attention. Closing this gap has become a leadership priority.
The white paper identifies ECNO’s Security Solutions Service as a practical way to support this transition, although outcomes depend on how it is used. Organisations that integrate the Information Security Officer into regular planning and risk discussions tend to achieve stronger results. This approach improves visibility, strengthens alignment between technical work and governance expectations, and provides leadership with a more consistent view of risk. In contrast, using the service occasionally limits its impact.
Stronger organisations demonstrate a set of common practices. Cybersecurity is treated as a regular topic in board or audit discussions, updates are concise and focused on risk, and exercises are conducted before incidents occur. Emerging risks are communicated early, allowing leadership to respond proactively. These practices shift cybersecurity from a reactive function to an ongoing process of risk management, supported by more predictable and planned investment.
Overall, the white paper reinforces that effective cyber governance depends on alignment across the organisation. Boards define direction and risk tolerance, leadership translates this into actionable priorities, IT teams deliver execution, and services such as ESS provide additional expertise and perspective. As this model matures, the success of IT and security leaders increasingly depends on their ability to translate complex cyber risks into clear, practical insights that support decision-making at the leadership level.
