Annual Technology Review Checklist

Annual technology audit run by a K-12 district or single-school IT director, covering endpoint inventory, ed-tech vendor privacy posture, network infrastructure, and student-data security controls. Output is a written sign-off and a remediation backlog for the upcoming school ...

5 sections 25 steps Collects data
1

Endpoint Inventory & Devices

  1. Reconcile student Chromebook inventory in MDM
    • Pull the device roster from Google Admin or Jamf School and reconcile against the asset-tag database. Flag missing units, broken hinges, and devices that haven't checked in for over 30 days. Damage-billing decisions for the prior year should be closed before the new 1:1 deployment.

  2. Audit staff laptop fleet against asset tags
    • Walk every classroom and office. Match the asset tag on the device to the tag listed under that staff member in the inventory system. Mismatches usually trace back to a sub-loaner that never got returned, or a device handed off when a teacher transferred buildings.

  3. Test interactive displays and document cameras
    • Power-cycle each Promethean, SMART, or ViewSonic panel; verify pen calibration, HDMI passthrough, and casting from a teacher laptop. Replacement panels have 8-12 week lead times, so log failures now to budget for summer install.

  4. Assess printer and scanner fleet condition
    • Pull page counts from PaperCut or the MFP web console. Devices over their rated duty cycle or out of toner-supply contract should be flagged for replacement or lease renegotiation. Confirm the scan-to-email path still routes correctly after last summer's mail-server changes.

  5. Identify devices past end-of-support
    • Cross-reference Chromebook AUE dates and Windows hardware compatibility against the manufacturer's lifecycle page. Devices past Auto Update Expiration cannot receive policy or security updates and must come off the student network. Note model, count, and building.

  6. Draft a device replacement plan
    • Build a refresh proposal with unit counts, per-device cost, and a phased rollout that aligns to the district capital budget cycle. Pair with the business manager on E-Rate Category 2 eligibility before submitting to the cabinet.
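
    Steps 1 and 5 above can be run as one reconciliation pass. The script below is an added example, not part of the original template: the CSV column names and device records are constructed, so map your real MDM and asset-database exports onto them.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample exports. Column names are assumptions, not the real
# Google Admin or Jamf School export schema.
MDM_CSV = """serial,model,last_sync,aue_date
CB1001,Model-A,2024-06-10,2027-06-01
CB1002,Model-A,2024-04-02,2027-06-01
CB1003,Model-B,2024-06-12,2023-08-01
CB1999,Model-A,2024-06-11,2027-06-01
"""
ASSET_CSV = """asset_tag,serial,building
T-001,CB1001,North
T-002,CB1002,North
T-003,CB1003,South
T-004,CB1004,South
"""

def load(text, key):
    """Index CSV rows by the given column."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(text))}

def reconcile(mdm_text, asset_text, today, stale_days=30):
    """Compare the MDM roster with the asset-tag database and flag gaps."""
    mdm, assets = load(mdm_text, "serial"), load(asset_text, "serial")
    cutoff = today - timedelta(days=stale_days)
    findings = {"missing_from_mdm": [], "untagged_in_mdm": [],
                "stale_checkin": [], "past_aue": []}
    for serial in assets:
        if serial not in mdm:            # tagged asset the MDM no longer sees
            findings["missing_from_mdm"].append(serial)
    for serial, dev in mdm.items():
        if serial not in assets:         # enrolled device with no asset record
            findings["untagged_in_mdm"].append(serial)
        if date.fromisoformat(dev["last_sync"]) < cutoff:
            findings["stale_checkin"].append(serial)
        if date.fromisoformat(dev["aue_date"]) < today:
            findings["past_aue"].append(serial)  # must leave student network
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for category, serials in reconcile(MDM_CSV, ASSET_CSV, date(2024, 6, 15)).items():
        print(f"{category}: {serials}")
```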

2

Software & Vendor Privacy Review

  1. Verify SIS integrations and rostering
    • Confirm PowerSchool, Infinite Campus, or Skyward is syncing to the LMS and Clever/ClassLink rosters. Stale rostering is the most common reason a teacher reports a student is missing from their gradebook in week one.

  2. Archive LMS courses from the prior year
    • In Canvas or Schoology, end-date prior-year terms and confirm course-content blueprints are intact for the new term. Coordinate with the registrar on retention — graded student work is often part of the cumulative academic record under state retention rules.

  3. Audit ed-tech apps against signed DPAs
    • Pull the list of every app with student PII access. For each, confirm a signed Data Privacy Agreement on file (or the Student Data Privacy Consortium standard DPA). Apps without a DPA are a FERPA and COPPA exposure — block the SSO connection until paperwork is signed.

  4. Confirm operating system patch levels
    • Check Intune or Jamf compliance reports for Windows and macOS staff devices, and the ChromeOS channel for student units. Anything more than two minor versions behind goes on a remediation list. Servers running an unsupported Windows Server build are an immediate cyber-insurance issue.

  5. Review classroom management software licensing
    • Reconcile GoGuardian, Securly, Lightspeed, or Hapara seat counts to actual enrollment. Renewal dates that fall mid-year are a recurring gotcha — push for a July or August anniversary so the bill aligns with the fiscal year.

3

Network Infrastructure Audit

  1. Test wireless coverage in every classroom
    • Walk each room with Ekahau or a NetSpot survey on a representative client device. Target -67 dBm or better at the desks furthest from the AP. Portable classrooms and library back corners are where state testing day fails.

  2. Validate CIPA-compliant content filtering
    • Run the standard test URL set against on-network and off-network student devices. Confirm category blocking is consistent on home Chromebooks and bypass attempts via VPN or DoH are detected. CIPA non-compliance puts E-Rate funding at risk.

  3. Remediate content-filter gaps
    • Open a ticket with the filter vendor for any failed categories, push the agent update to affected devices, and schedule a re-test before E-Rate Form 486 certification. Document the fix in the cybersecurity binder.

  4. Inspect MDF and IDF cabling
    • Verify that patch panel labeling matches the as-built drawings, that there are no hanging cables, that UPS batteries are within their service date, and that rack temperature is under 80°F. Take photos for the cybersecurity insurance renewal packet.

  5. Verify uplink bandwidth against testing-window peaks
    • Pull last spring's bandwidth graph during the state assessment window. If sustained utilization crossed 70%, file a Form 470 for an upgrade now — competitive bidding takes 28 days minimum and the next testing window will arrive faster than you expect.

4

Security & Data Protection

  1. Review firewall ruleset and IDS alerts
    • Walk the firewall rule list for orphaned any-any rules, expired vendor remote-access exceptions, and unused port forwards. Pull 90 days of IDS alerts and confirm none correspond to active compromise. Common gap: a rule opened for a contractor in 2021 still allowing inbound RDP.

  2. Confirm endpoint antivirus coverage
    • In CrowdStrike, SentinelOne, or Defender for Endpoint, confirm 100% deployment across staff devices and servers. Anything unmanaged is a ransomware blast-radius problem — reimage or remove from the network.

  3. Test SIS and file-server backup restore
    • Pick a random file from a teacher share and a record from the SIS, restore both to a sandbox, and confirm contents. A backup that has never been test-restored is not a backup. Document the restore time as your RTO baseline for the cyber insurance carrier.

  4. Escalate backup remediation to the vendor
    • If the test restore fails, open a P1 ticket with the backup vendor, notify the superintendent and business manager, and pause any in-flight cyber insurance attestation until the restore is verified. A failed restore is the single most common finding in post-ransomware forensics.

  5. Audit staff and student password policies
    • Confirm MFA is enforced on all staff Google or Microsoft accounts, the password complexity policy matches the NIST 800-63B guidance, and elementary student passwords are managed by the teacher rather than left at default. Privileged accounts get hardware token MFA, not SMS.

  6. Walk physical security of server rooms
    • Confirm that card-access logs for MDF/IDF rooms show only authorized staff, that no doors are propped open, that no boxes or cleaning supplies are stored against equipment, and that the camera covers the rack. Ask the custodial supervisor who has a key — there's almost always one person on the list who shouldn't be.
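
    The firewall walk in step 1 of this section can be partly automated once the ruleset is exported. The script below is an added example, not part of the original template: the rule records and field names are constructed in a hypothetical normalized format, and a real vendor export has to be mapped into it first.

```python
from datetime import date

# Constructed rules in a hypothetical normalized format (field names are
# assumptions). Addresses come from documentation and private ranges.
RULES = [
    {"id": 10, "action": "allow", "src": "any", "dst": "any", "port": "any",
     "direction": "outbound", "kind": "policy", "expires": None,
     "hits_90d": 0, "comment": "temp troubleshooting"},
    {"id": 20, "action": "allow", "src": "203.0.113.10", "dst": "10.1.5.20",
     "port": "3389", "direction": "inbound", "kind": "policy",
     "expires": "2021-09-30", "hits_90d": 4, "comment": "contractor access"},
    {"id": 30, "action": "allow", "src": "any", "dst": "10.1.9.8",
     "port": "8443", "direction": "inbound", "kind": "port_forward",
     "expires": None, "hits_90d": 0, "comment": "old camera NVR"},
    {"id": 40, "action": "allow", "src": "10.1.0.0/16", "dst": "any",
     "port": "443", "direction": "outbound", "kind": "policy",
     "expires": None, "hits_90d": 91234, "comment": "staff web"},
]

def audit_rules(rules, today):
    """Return (rule id, reasons) for each allow rule that needs review."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue  # deny rules cannot widen exposure
        reasons = []
        if r["src"] == r["dst"] == r["port"] == "any":
            reasons.append("any-any")
        if r["expires"] and date.fromisoformat(r["expires"]) < today:
            reasons.append("expired-exception")
        if r["kind"] == "port_forward" and r["hits_90d"] == 0:
            reasons.append("unused-port-forward")
        if r["direction"] == "inbound" and r["port"] == "3389":
            reasons.append("inbound-rdp")
        if reasons:
            findings.append((r["id"], reasons))
    return findings

if __name__ == "__main__":
    for rule_id, reasons in audit_rules(RULES, date(2024, 6, 15)):
        print(f"rule {rule_id}: {', '.join(reasons)}")
```

    Rule 20 shows the gap called out in step 1: a contractor exception that expired in 2021 but still allows inbound RDP.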

5

Compliance & Sign-Off

  1. Document the FERPA data-flow inventory
    • For each system holding student PII, capture: data elements, retention period, who has access, where backups live, and the "school official with legitimate educational interest" justification. This is the document the OCR investigator will ask for first.

  2. Brief the cabinet on findings and budget asks
    • Walk the superintendent, business manager, and curriculum director through the remediation list. Flag anything affecting state testing readiness or E-Rate eligibility separately — those have hard external deadlines the cabinet should see before they prioritize.

  3. Sign off on the annual technology review
    • The Director of Technology signs the final review, attaches the executive summary memo, and files it in the board packet for the next regular meeting. The signed review is the artifact requested by accreditation visits and cyber insurance underwriters.
