Corvian Partners

Cyber posture for Australian schools

After Canvas: what your board needs to be able to say it has done.

A 21-day, board-ready review of your school’s cyber posture. Independent advisory. Plain language. No vendor agenda.


The context

The Instructure / Canvas incident affected 8,809 institutions globally – 122 in Australia, including state education departments in five states, independent schools, and major universities.

The acute IT phase is over. The governance phase is not. The OAIC has directed complaint handling back to the schools themselves; each school’s Notifiable Data Breaches assessment is its own to make – Instructure being the breached entity does not discharge the obligation.

The schools that handle this well will not be the ones with the most technical controls. They will be the ones with the cleanest governance answer: Are we exposed – and how would we know? If we have been, what is our NDB assessment, and who signed it off? What does our incident response look like in practice? What do we tell parents tomorrow if the question comes?

The engagement

The Board-Ready Cyber Posture Assessment.

Three engagement structures, each delivered by Corvian’s principals and producing a board-grade report written for governors. Each can begin within ten business days of signing. Fees are set out in a single-page proposal following the initial briefing.

  • Foundation

    3 weeks

    Built for: Schools needing a defensible board answer fast, without internal capability to produce one.

    • Network and identity / access posture review
    • Third-party vendor exposure scan (LMS, finance, communications, parent portals, payment platforms)
    • Incident response readiness gap analysis
    • Governance assessment – board reporting cadence, accountability lines, policy currency
    • Staff and student account hygiene snapshot
    • 25–30 page Board Report with traffic-light risk register and prioritised 90-day action plan
    • One 90-minute board briefing session


  • Assurance

    4 weeks

    Built for: Schools with active board concern, wanting diagnostic plus stress-test plus follow-through.

    • Everything in Foundation
    • Live incident response tabletop exercise with the leadership team
    • Phishing simulation across up to 50 staff mailboxes
    • 30-day post-engagement check-in
    • Two board briefing sessions – initial findings and 30-day follow-up


  • Programme

    6 weeks + 8 weeks oversight

    Built for: Mid-tier independents and small Catholic systems wanting a single provider through to remediation.

    • Everything in Assurance
    • 8 weeks of implementation oversight following the assessment
    • Direct support to the school’s IT lead on prioritised remediations
    • Final board sign-off report at 90 days


Scope

The seven assessment domains.

  1. Network and infrastructure posture

    The technical perimeter – segmentation, monitoring, patching, configuration baselines, third-party network access. Assessed against current sector benchmarks.

  2. Identity and access management

    Who has access to what, on whose authority, and what happens when someone leaves. Single sign-on configuration. Privileged account hygiene. Multi-factor enforcement.

  3. Third-party vendor exposure

    The platforms the school relies on. Learning management systems. Finance and HR. Communications and parent portals. Payment processors. Each is a potential ingress.

  4. Data handling and student information systems

    What student data is held, where, by whom, and under what retention rules. Disclosure pathways. Parent and student access rights. Cross-border transfers.

  5. Incident response readiness

    What happens in the first 24 hours of an incident. Escalation lines. Decision authority. Vendor coordination. Communications protocol. Tested or untested.

  6. Governance, accountability, and board reporting

    Who owns cyber risk at the school. How it is reported to the board. Frequency, format, and decision rights. Whether the right questions are being asked at the right level.

  7. Staff and community-facing controls

    The cultural and procedural layer. Phishing resilience. Acceptable use. Onboarding and offboarding. Parent and student-facing communications protocols.

The firm

Corvian Partners is an independent strategic advisory firm. It holds no vendor relationships, accepts no commissions, and sells no products. The schools cyber programme is delivered by the firm’s principals: the board briefing in every engagement is delivered by William O’Halloran personally, and engagement quality sits with Alexander Gunning, who reviews every deliverable that reaches a client.

Corvian Partners is independent of all education technology vendors, IT service providers, and software platforms.

Process

What happens when you book a briefing.

  1. The 30-minute briefing call

    A direct conversation with William. You describe the school’s profile and the board-level questions in front of you; he responds with what Corvian is seeing across the sector. No proposal, no sell.

  2. The tailored proposal

    If the engagement makes sense, Corvian sends a single-page proposal within 48 hours. Scope, fee, timeline, named delivery lead. No fine print.

  3. Engagement commences

    Once signed, the engagement begins within ten business days. The first site visit is in Week 1; the board report is delivered in Week 3 or Week 4.

Frequently asked

  • We already have an IT provider. Why do we need this?

    Your IT provider handles delivery. Corvian sits at the governance layer above – independent of any vendor, focused on the board-grade questions a delivery provider is not positioned to answer. Corvian’s report often informs the next conversation with the school’s existing IT provider rather than replacing it.

  • How is this different from a penetration test?

    A penetration test attacks the technical perimeter to find specific vulnerabilities. The Board-Ready Cyber Posture Assessment is broader – technical posture, governance, accountability, incident response, and third-party exposure together. The output is a board document, not a technical findings register.

  • What happens to our findings – who sees them?

    The report is delivered to the head of school and board chair only, in the form they authorise. No findings are shared, published, or referenced externally. The engagement letter sets this out explicitly.

  • Can this be funded from a risk management budget rather than IT?

    Yes. Most engagements are funded from risk, governance, or board reserve budgets. The assessment is a governance instrument, not an IT spend. Corvian provides supporting documentation for budget approval where needed.

  • Do we have to share our incident history with you?

    Only to the extent you choose. The assessment does not require disclosure of prior incidents. Where the school does share that history, it is treated under engagement confidentiality and informs scoping only.

  • We are a state school. Can we engage Corvian?

    Selectively, yes. Corvian’s engagement model is built around the procurement cadence of independent and Catholic schools. State school engagements are accepted case-by-case where the school has decision authority. System-level engagements are evaluated separately.

Book the 30-minute posture briefing.

The conversation that informs your next board paper. Direct with William. No obligation.
