Making a Tech Plan: Checking It Twice
With more than 6,000 computers attached to the New Haven, Conn., Public Schools' network, technology coordinator Ralph Valenzisi knows he has his hands full keeping the network safe for teachers and students. Valenzisi takes a common sense approach to protecting the network.
Every user gets a user name and password. A second level of protection keeps some user names from working on all computers, meaning not everyone can access student records. Virus scanning programs are updated almost daily, and all major software programs are upgraded with the latest versions. "I believe the system is very secure," he says.
Yet, the district-like many of its counterparts-does not have a comprehensive security plan in place. And even though most school districts don't have one, they should, says Steve Miller, a project director for the Consortium of School Networking. Each district should have an information technology security plan-something Miller says is necessary with developments in technology and the Internet coming at light speed. "It should be a model of what ought to be happening," he says. "Security was always an incidental by-product of other things. People have to be proactive rather than reactive."
Miller advocates upgrading the plan annually, with a major reexamination scheduled every three to four years. "The ideal situation is that the information technology system is so integral, visible and valued that the users will go out of their way to help the system remain secure," Miller says.
Natalie Carrignan, manager of information technology for the Stratford (Conn.) Public Schools, is in the midst of assembling a security plan. Connecticut requires five areas to be analyzed in any plan: infrastructure, curriculum, professional development goals, system management and policy making. "Part of what we are doing is not telling people too much of what we are doing," she says cryptically. New Haven, Stratford and many other districts have made good strides in one area, with the formation of an acceptable-use policy for the Internet. Valenzisi says firewalls and filters are in place to prevent students from having access to pornography or violent material. Carrignan says that if a teacher wants to use a site that is blocked by filtering software, they have to make a formal request to an assistant superintendent to have the site allowed.
Protecting the Piecemeal Server
A resourceful student is unhappy with his grade. Rather than ask for help or extra credit assignments, he puts his burgeoning intellect to use in another, more nefarious way, hacking his way into the district's network and changing his grade.
While this scenario used to be a type of apocryphal story that circulates in every school, it's a real concern today for school IT directors, says Steven E. Miller, project director for CoSN's Cyber Security for the Digital District.
Most school districts set up computer networks in a piecemeal fashion, leaving it susceptible to attacks from viruses and hackers. Miller says districts don't have any choice but to install networks in this manner. "It is the only way they can afford to do it," he says. Only very large districts or small, well-financed districts can afford to put in an entire computer network, where every component speaks the same language. Therefore, Miller says it is imperative for strictures to be put in place to protect both the network and its users. Miller advocates a four-part plan for districts to keep their networks and information safe:
Make sure the system is serving the legitimate needs of its users and adding value to the educational process. "If your users don't see you as a good part of their work, you are lost from the beginning," Miller says.
Build a "community of trust" so that people understand the benefits of using passwords and keeping the network secure.
Conduct a network security audit. "Inventory what you are trying to prevent, how your network is vulnerable to it and where the threat" might come from, Miller says.
Implement the audit's findings once completed through regular system maintenance. Yet, IT officials understand that all the precautions, both technical and administrative, never eliminate the likelihood of a problem, Miller says. "The bottom line is that you can never be 100 percent secure. This is about risk management, not risk elimination."