You are here


Brave New World

Districts are beefing up their databases and using them for more tasks than ever. But are they keepi

As school leaders can attest, they're always being asked to do more. New requirements, new tests and new demands from parents are just some of the daily issues they face.

Consider a school district's overworked database. With the specific requirements of No Child Left Behind, the ability to allow teachers to post their grades online, and the desire of parents to track their child in almost real-time, the school database is being used for more items than ever. The one issue that can get lost under this blizzard of demands is how the district keeps this information safe.

Keeping student information safe is a task facing each school district, and one that has to be taken as seriously as keeping students safe on playgrounds and in the hallways.

"Schools are being forced to keep more and more data for longer and longer periods of time," says Steven E. Miller, project director for CoSN's Cyber Security for the Digital District. "The hardest part is how to make it useful. ... But the more widely you distribute access, ... the more insecure it is. There is a built in contradiction. ... Schools are trying desperately to figure out how to deal with all of this." Miller is also the executive director of Mass Networks Education Partnership, a New England-based technology consortium.

Database Growth Brings Exposure

With budget cuts and competing priorities, securing school databases can be an uphill struggle, say IT directors around the nation. Some state departments of education, such as South Dakota's, are providing student information databases and security systems through a central technology system. But for most other districts, technology security hardware and IT staffing is another budgetary battle.

"Security is one of the biggest issues out there for K-12," says Sterling Beane, information technology director of the Braxton County School District in West Virginia. "Being a school system, we try to operate on the least amount of money to get by with. We just don't have a staff just to devote to network security."

Beane oversees the databases for the district's eight schools and central office. Like IT directors around the country, he has seen the database of the district's 2,600 students grow from storing basic student information like names and addresses to files that contain report cards, standardized test records, medical information, and even how much money is left in students' lunch accounts. In past years, he says, the district didn't have much security protection for its online information. But recently it installed an integrated system that provides everything from anti-spam assistance to firewall protections and intrusion detection at a cost of $5,000 for each of its nine buildings.

"We're not a huge district, but my security concerns are the same as those faced by Miami-Dade or other cities. We still have that critical data we have to keep secure," says Beane.

Keeping student information safe, say experts, has to be akin to keep students safe on the playgrounds and in the hallways.

"It's just extending one of the natural responsibilities of schools into the digital world," says John Bailey, director of Education Technology for the U.S. Department of Education. "We want to keep the schools safe physically, and the same goes for virtually."

There are a host of regulations that require schools to safeguard sensitive student information. The Family Education Rights and Privacy Act of 1974 prohibits the disclosure of personally identifiable education information and the Health Insurance Portability and Accountability Act of 1996 requires that health data be kept private. Most recently, the Children's Internet Protection Act requires that schools filter content to protect students from being exposed to pornographic material online.

"I Detect An Intruder"

As legislators try to keep a handle on school technology, computer pirates are an increasing problem.

IT experts say school databases are threatened by viruses that can crash the entire system, students changing their online grades, and hackers seizing parts of the bandwidth to store information or open up file shares. Experts say there are up to 3,000 hacking programs running over the Internet at all times looking for exploitable openings. Wireless, laptops and handheld computers open up more risks for data interception.

Beane says when his district moved to an online, high-speed student information database system, he was amazed to discover its vulnerability.

"Once we started to speed up our network we had an increased problem with intrusions," says Beane. "They were coming into school and getting into file servers and setting up file sharing locations. They were sharing songs, pictures, movies. Anything you could store on a computer."

To protect the system, schools must take a comprehensive and proactive approach. Even more important, it has to be ongoing, experts say. While most schools have developed a hodge-podge infrastructure over the years, experts say schools districts should come up with policies that will outline who has access to the databases. And they should decide if they want their staff or parents to access the network from home or bring their own laptops to school. Also, they have to make it clear to whoever has access--from administrators to teachers to parents--that they are the first line of defense.

When the Anoka-Hennepin School District, which covers a rural area northwest of Minneapolis, moved its databases online, allowing teachers to record grades and attendance on the computer, the district sent brochures to the staff. These brochures explained that they were professionally and legally expected to keep the databases secure. The district helped teachers create secure passwords during a special training day, says IT director Patrick Plant. Plant says when the network is ready to allow parental access, he will require parents to come to the school and prove who they are before allowing them to create a password.

Schools have a variety of options when it comes to securing their network. On a basic level, schools need to make sure all computers are equipped with the latest anti-virus software and that teachers log off computers at the end of the day and make sure to keep their passwords secret when logging on in front of students or parents.

On a more sophisticated level, at the very minimum, schools need to install firewalls, filters and intrusion detection and encryption systems. Wireless zones should be segmented with firewalls from networks, say technology experts, and every computer work station should be equipped with up-to-date antivirus software.

There are a variety of companies, including SurfControl, SonicWALL and Symantec, which offer security systems that can be customized for school districts. The protections needed depend on the sophistication of the database, say experts.

Two years ago, the Onalaska School District in Wisconsin went from allowing only 20 to 30 users access to sensitive student databases to a new system that will allow every teacher and parent to tap into files to keep track of student progress. Data systems manager Kevin Capwell says it was imperative the district have protections in place that allow parents access to back-up files and not the live database.

"Data is copied from true student records over to another server, so even if all my precautions are insufficient, a hacker type would only be changing grades or attendance on a server that will get overwritten every single night anyway," he says.

Also, the district uses a digital certificate to encrypt messages going into or out of the school system.

Security systems can run the gamut of a few hundred dollars to thousands of dollars depending on the size of the district, the level of technology and what kinds of data the school wants to protect. The security systems are less costly than the database systems themselves, say school and technology officials.

Figuring out what is most important to protect can be the key to a good, cost efficient security system. This step can focus districts on what kind of devices and software they need to purchase for security.

"There is a lot you can do, and it can go from reasonable to exorbitant," says Miller. "The biggest issue is having a good idea in mind of what a good security approach looks like and then you can look at what you can afford."

Fran Silverman is a freelance writer based in Norwalk, Conn.