About the ST4S Assessment

Learn how we work with the Australian education sector to standardise the assessment of digital products and services in schools.

Why ST4S?

ST4S has been developed to enhance the security, privacy, interoperability and online safety of software applications and services commonly used by Australian schools.

The goals and standards of ST4S are shared by all Australian education jurisdictions – including state, territory, Catholic and independent school sectors – for the benefit of the whole education community:

    • Schools and educators will benefit from clear, consistent information regarding products and services, generic risks and suggested treatments.
    • Students, teachers and families will benefit from schools choosing more compliant products and services.
    • Vendors will benefit from a standardised and aligned assessment process, with results that are respected by all participating stakeholders.

Who manages ST4S?

ST4S is administered by ESA (Education Services Australia www.esa.edu.au) on behalf of state and territory governments, the Catholic and independent school sectors.

The ST4S Working Group is made up of security and privacy professionals and representatives from across Australia. The Working Group is run by the NSIP team and meet monthly to discuss security and privacy matters relevant to the education sector and to maintain the ST4S Assessment Framework.

Whilst ST4S assessments are co-ordinated by the NSIP team at ESA (collectively referred to as the ST4S Team), local state and territory governments and Catholic and independent school sector representatives are responsible for engaging schools, their software vendors and their communities regarding ST4S.


An Overview of the Process

  1. Vendors are selected for and are notified by the ST4S team. ST4S Working Group members use a range of criteria to prioritise products for assessment including rates of use by local schools, procurement activities or recent incidents involving the product or products of a similar type.
  2. Vendors are invited to participate in the assessment process. Where they agree, they are sent an online questionnaire containing a number of criteria across categories such as, data protection, organisational security, software development practices, privacy controls and breach/incident data.
  3. Vendors completing the questionnaire are required to attest that responses are true, correct, accurate, up-to-date, and not misleading in any way. Depending on responses to some questions, additional supporting documentation may be required.
  4. The vendor responses are analysed and validated by the ST4S Team.
  5. A draft report is created and, together with any clarification questions, is sent to the vendor for feedback.
  6. Following a review cycle with the vendor, a final copy of the report is developed.