The mission of a school is to facilitate learning. Learning depends on teachers, buildings, curriculum, materials, and, increasingly, security.
In fact, schools are safer than ever before. We don't allow sharp-edged climbing structures in the gym, mold in the heating system, bullying behavior on the playground, or abusive language in the classroom. We teach our students how to treat each other with respect.
Similarly, as digital tools expand the learning process beyond the constraints of traditional school buildings, we need to manage a new set of risks. In addition to enhancing users' personal safety, we need to protect our systems and data from liability caused by accidents or attacks. We need to protect our schools from having its instructional activity blocked, its operations disrupted, or its public support undermined because of IT failures.
As technology becomes more ubiquitous and complex, the number and variety of its vulnerabilities also increases. The SANS Institute estimates that up to 3,000 hacking programs are running over the Internet at all times looking for exploitable openings. However, 90 percent of computer attacks use known security flaws for which a solution is available but not installed or implemented, according to the Gartner Group. Security is more a result of high quality day-to-day operations than a one-time burst of heroics.
But it is also important to remember that while we can manage risks, we can not eliminate them. So we must prepare to maintain "business continuity" when the inevitable disaster occurs.
WHAT TO DO?
In schools, as in most organizations, a successful security strategy will combine technology, policy and people. Technology provides the tools. Equally important is improving the policies and procedures followed by system administrators and everyday users. But most important is working with stakeholders to create a "community of trust" in which everyone has a shared understanding of the value of our technology resources and the proper way to use those tools to accomplish educational goals. Security, ultimately, is a social process more than a technical one.
Security, like personal health, comes from within. Doctors know that we will always be surrounded by germs and viruses. What keeps us healthy is the strength of our immune system, the quality of our food, the amount of our physical activity, and the degree to which we reduce our health risks. The same holds for the health of our IT systems--the best defenses are regular check-ups and a good lifestyle.
Increasing security is a four-step process. First, district leaders must be clear about the value they want from their IT investment, and IT leaders must be in regular communication with all users to ensure the desired value is being realized. Without user support, no security system will succeed.
Second, IT leaders need to inventory their assets to be clear about what they are trying to protect and how each of those assets might be vulnerable to exposure, distortion, disruption or theft. Then a "threat analysis" can identify who or what is most likely to exploit those vulnerabilities, and how it might happen. And issues must be prioritized: what assets are most valuable; what vulnerabilities are most visible; what threats are most likely?
Third, a risk reduction strategy must be created and implemented, focusing on immediate, high priority concerns. Once these are addressed a longer-term plan must be put in place to ensure that regular "stress tests" occur, that the IT staff has the needed skills, that the system is kept in good shape, that sufficient back-ups are done, and that spare parts are available.
Fourth, since something will go wrong no matter what preparations are made, a "crisis management plan" needs to be created, and regularly rehearsed, detailing a clear set of responsibilities, endless communication with everyone, and lots of redundancy.
Steven E. Miller is project director for CoSN's Cyber Security for the Digital District and executive director of Mass Networks Education Partnership, a New England-based technology consortium.