Yearling Solutions

Ohio's largest public school system builds formal cybersecurity program to meet HB 96 mandate

Yearling Solutions deployed an Executive Security Advisory model to help the state's largest school district move from ad-hoc security operations to a NIST CSF-aligned program, protecting student data, critical operations, and infrastructure while meeting Ohio's new cybersecurity standards.

The Challenge

Ohio's House Bill 96 introduced mandatory cybersecurity requirements for public school districts, requiring a formal, documented program that identifies risks, specifies detection mechanisms, and outlines procedures for infrastructure repair. The law also imposed strict incident reporting deadlines: 7 days to the Ohio Homeland Security Division and 30 days to the Ohio Auditor of State.

As the largest public school system in Ohio, serving over 46,000 students across 127 schools, the district faced significant complexity. Security operations were largely ad-hoc, with no formalized incident response plan, limited governance documentation, and no structured framework to measure or improve cybersecurity maturity. The district needed to stand up a compliant program quickly while protecting student data and ensuring continuity of operations.

Key Objectives:

  • Establish a formal, documented cybersecurity program aligned with state requirements
  • Protect student data, critical operations, and IT infrastructure
  • Build an actionable incident response plan meeting HB 96 reporting deadlines
  • Establish a maturity baseline and prioritized investment roadmap

HB 96 Reporting Requirements

  • 7 days to report incidents to the Ohio Homeland Security Division (OCIC)
  • 30 days to report incidents to the Ohio Auditor of State
  • Ransomware payments require formal approval via legislative resolution

Our Approach

Yearling Solutions deployed an Executive Security Advisory (ESA) model, embedding a senior advisor with 30+ years of IT and cybersecurity experience, including former CISO experience at a large global company and over 12 years in GRC leadership. The engagement was structured to move the district beyond audit into strategic security oversight and risk mitigation, using the NIST CSF 2.0 framework as the foundation.

Phase 1: Readiness and Foundational Setup (~60 Days)

An intensive initial phase focused on establishing immediate clarity and compliance readiness through a current-state posture review and HB 96 readiness assessment.

  • Incident Response Plan: Tailored, actionable IRP for immediate response and recovery, critical for HB 96 compliance
  • Foundational Governance: Development of core security policies and essential governance documentation
  • Gap Analysis and Roadmap: Detailed maturity analysis against NIST CSF 2.0 and state requirements with prioritized recommendations
  • Knowledge Transfer: Immediate support and knowledge transfer for internal IT teams to build self-sufficiency

Phase 2: Sustained Operational Support (As-Needed)

An optional ongoing retainer for sustained operational effectiveness and risk reduction.

  • Sustained Security Management: Regular security health checks, configuration optimization, and managed incident resolution
  • Continuous Advisory: Ongoing development of security policies, governance, and compliance posture

Board-Ready Executive Deliverables

Leadership received an executive summary with key takeaways, an HB 96 crosswalk mapping requirements to NIST CSF and district status, a current vs. target maturity profile, and strategic investment recommendations covering people, process, and technology.

Results

Within the 60-day Phase 1 engagement, the district moved from ad-hoc security operations to a structured, NIST CSF 2.0-aligned program with full HB 96 compliance readiness. The engagement produced tangible, board-ready deliverables and a clear path forward.

Key Outcomes:

  • Tailored Incident Response Plan meeting HB 96 reporting deadlines (7-day and 30-day windows)
  • Formal security governance documentation and core policies established
  • NIST CSF 2.0 maturity baseline with current vs. target profile analysis
  • HB 96 crosswalk mapping all legislative requirements to framework controls and district status
  • Prioritized investment roadmap covering people, process, and technology recommendations
  • Knowledge transfer to internal IT teams for sustained self-sufficiency

Impact

The engagement transformed the district's cybersecurity posture from ad-hoc operations to a formalized, framework-aligned program. With a compliant incident response plan, governance documentation, and a clear maturity roadmap, the district is now positioned to meet Ohio's HB 96 requirements, protect student and staff data across 127 schools, and make informed security investments. The Executive Security Advisory model provided immediate executive-level expertise without the cost of a full-time hire, giving district leadership the confidence and documentation needed to demonstrate compliance and guide ongoing improvement.

Organization Profile

Industry: Education (K-12)
Segment: Public School District
Region: Ohio
Scale: 46,000+ students across 127 schools
Distinction: Largest public school system in Ohio
Framework: NIST CSF 2.0

Services Delivered

Executive Security Advisory
HB 96 Compliance Readiness
Incident Response Planning
NIST CSF 2.0 Gap Analysis
Security Governance Development
