Currently, ICT security and data protection are dominant topics in both the private and professional aspects of our daily lives. Innovative technologies facilitate some of these aspects and allow for the unlocking of new areas of application, which may not have been feasible up to this point. However, too often the aspect of security is underestimated and, in retrospect, the consequences of doing so are felt painfully by those affected. The past has shown that neglecting of security measures in technical, organizational and legal areas can cause serious security vulnerabilities which may be difficult to correct subsequently. As a recent example, the author presents an incident of accidental release of test results of the informal competency measurement of Austrian students on the Internet. The unintended disclosure of these test results was made possible due to storage on insecure and not appropriately configured servers. As a consequence of this disclosure, Austria will not take part in the upcoming PISA tests in 2015. In Austrian schools a variety of sensitive personal data is being processed. This thesis combines literature analysis and expert interviews to examine what kinds of data are being processed and what measures are being taken to protect this data against unauthorized access. Furthermore, the author investigates options for a School Computer Emergency Response Team (i.e. a 'school-CERT') in supporting Austrian schools regarding ICT security and data protection. Based on the results of this thesis, the author comes to the conclusion that in Austrian schools, both the administrative and educational areas, sensitive, personal information is being processed. While awareness of teaching personnel regarding the secure processing of personal data of pupils is somewhat lacking, the data itself is adequately secured through the application of technical measures. vi A movement towards the exchange of educational data through social media and commercial cloud services can be noticed. In contrast, the responsible ministry plans to manage administrative data via centralized ICT services. The results of this thesis show that the field of action for a school-CERT is widely spread. Primarily, the interviewed experts see a possibility for the development of proactive services to support ICT supervisors in Austrian schools with conceptual tasks. Additionally, the task to serve as a registration office for cyber incidents can be met by a school-CERT. In order to perform its tasks it is essential that a school-CERT becomes accepted by the Austrian schools as a service provider for IT security services. This requires a clear remit for a school-CERT assigned by the responsible ministry, as well as a guarantee for the required financial budget. For a successful start, it is also helpful that the staff of a school-CERT has already some experience of working in schools and brings in the necessary technical expertise.