About the ST4S Assessment

Learn how we work with the Australian education sector to standardise the assessment of digital products and services in schools.

Why ST4S?

ST4S has been developed to enhance the security, privacy, interoperability and online safety of software applications and services commonly used by Australian schools.

The goals and standards of ST4S are shared by all Australian education jurisdictions – including state, territory, Catholic and independent school sectors – for the benefit of the whole education community:

    • Schools and educators will benefit from clear, consistent information regarding products and services, generic risks and suggested treatments.
    • Students, teachers and families will benefit from schools choosing more compliant products and services.
    • Vendors will benefit from a standardised and aligned assessment process, with results that are respected by all participating stakeholders.

Who manages ST4S?

ST4S is administered by Education Services Australia (ESA) on behalf of state and territory governments and the Catholic and independent school sectors.

The ST4S Working Group is made up of security and privacy professionals and representatives from across Australia. The Working Group meets regularly to discuss security and privacy matters relevant to the education sector and to maintain the ST4S Assessment Framework.

ST4S assessments are co-ordinated by ESA’s National Schools Interoperability Program (NSIP) team while state and territory governments and Catholic and independent school sector representatives engage their schools, their software vendors and their communities regarding ST4S.

 

An Overview of the Process

Vendors can participate in the ST4S assessment process in one of two ways:

    • Vendor initiated (self-nomination)
    • Invitation from a school or education authority

Vendor initiated – Vendors complete the ST4S Readiness Check and iterate until they are ready to submit for a full assessment. Note: Vendors can access the Readiness Check at any time and use it to gauge their readiness for a full ST4S assessment. Learn more about the Readiness Check here.

Invitation from a school or education authority – Vendors receive an invitation to participate and complete an ST4S Readiness Check, iterating until they are ready to submit for a full ST4S assessment. Note: Vendors can access the Readiness Check at any time and use it to gauge their readiness for a full ST4S assessment. Learn more about the Readiness Check here.

  1. Once vendors have completed the Readiness Check and obtained a satisfactory outcome, they may formally submit their results for consideration by the ST4S Working Group to undertake the full ST4S assessment.
  2. The ST4S Working Group use a range of criteria to prioritise services for assessment including usage by local schools, procurement activities or recent reported incidents involving the product or involving products of a similar type.
  3. Vendors are invited to participate in the full ST4S assessment process and are sent an online questionnaire containing a number of criteria across categories such as data protection, organisational security, software development practices, privacy controls and data breach incident. These criteria are more comprehensive than those within the Readiness Check.
  4. Vendors completing the questionnaire are required to attest that their responses are true, correct, accurate, up-to-date, and not misleading in any way. Depending on responses to some questions, additional supporting documentation may be required.
  5. When submitted the vendor responses are analysed and validated by the ST4S Team.
  6. Results are reviewed with the vendor and any items that require clarification are worked through collaboratively.
  7. Once the review is complete, the final assessment results are made available to ST4S Working Group members and educational jurisdiction Chief Information Officers. Chief Information Officers may distribute the results to their schools.