We teach our children to be safe, to cross an intersection when the light is green, for example. But it is the responsibility of society to create a secure environment, to ensure that the intersection has a working traffic light.
The same is true in cyberspace. We need to carefully build awareness among students and staff about how they should behave on-line to protect their personal safety. They shouldn’t talk to strangers. They shouldn’t give out personal information. They should not open packages sent by anyone they don’t already know.
But it is the responsibility of the “adults-in-charge†to create an secure environment in which our students and staff can focus on the work of teaching and learning. Cyber security is about keeping systems and networks functional — making sure that unauthorized people are not allowed to enter and that authorized people are only able to do appropriate tasks or access permissible data. Cyber security is ensuring that your school system remains operational: that attendance is taken, the curriculum is implemented, report cards are issued, payrolls are met.
Safety is about individual behavior. Security is about the way the organization deals with people, policy, and technology.
Unfortunately, maintaining security is getting more complicated. “Virus†is no longer just a medical term. Trojan Horses are not just about Greek mythology. Worms aren’t only in your garden. And what about “spyware†and “identity theft†and “system hijacking†— new terms that have become depressingly familiar.
System security can be compromised in a variety of ways. The technology could be poorly designed. For example, a student was recently accused of deleting a school system’s reading program files. But the software was designed in a way that give him open access to those files and didn’t inform him that the files were particularly important. The technology could have been poorly installed or configured. For example, many wireless access points are installed with their factory default settings unchanged — which creates an open doorway for anyone to use! A system could also experience operational vulnerabilities when the system can’t handle the number of simultaneous users or the size of the files that are being used. And, always, there are user issues such as when people share their passwords or leave their computers without logging out from a secure area.
As a result, just as schools are coming to depend on technology, they find themselves facing a growing number of increasingly sophisticated security threats coming from both within and outside the education system. Education technology leaders and policy makers need tools to help them analyze their current status, validating what they are doing well and giving them insight into how risk can be further reduced. They need guidance about how to develop and implement a cost-effective action plan to strength security and be able to handle the problems that will inevitably slip through even the most thorough preparations.
A Cyber Security Protocol
Schools need to work through four major phases when dealing with Cyber Security: Setting the Parameters, Risk Analysis, Risk Reduction, and Crisis Management.
In the first step, the security team — composed of district leadership, IT staff, and other stakeholders — agree on a scope of work. Second, rather than get intimidated by the seemingly infinite number of possible threats, the team needs to conduct an “asset-based risk analysis†identifying the systems, data, and other resources whose deletion, exposure, corruption, or damage would cause the most problems. These assets are then subjected to a “stress test†to reveal the ways they may be vulnerable — revealing what will go wrong if new security measures are not taken.
Third, it is now time to develop an Action Plan that immediately addresses emergency situations and lays the foundation for incrementally increasing security for other vital assets. The action list should be prioritized based on the cost of prevention compared with the cost of replacement or repair if things go wrong, the time required to implement safeguards, and the likelihood of success.
Finally, the district has to prepare to maintain operational continuity even if some disaster slips through all their preparations. In fact, if there is any certainty it is that sooner or later a crisis will occur! The key to success is duplication: backups of all data and redundancy of key system components. A crisis management plan describes how the IT staff will limit damage and restore services, to marshal emergency supports, and to communicate with all stakeholders. Not all districts can afford “hot-site†backup. But the value of thorough documentation and off-site storage will become apparent when the security team conducts periodic dry runs. The lessons learned through these practice sessions should be integrated into regular policies and procedures in a continuous circle of improvement.
Summary
As education becomes increasingly enmeshed in digital networks, with students doing Internet research for multimedia projects and educators embracing more data-driven decision-making, school networks have evolved from stand-alone islands to sophisticated systems tightly intertwined both with its users and the rest of the world. With this higher level of empowerment and engagement comes a higher level of risk. Viruses hit more than two thirds of all networked computers each year. Over half of reported system damage comes from within an organization.
However, not everyone is ready to deal with the responsibilities that have been, or will be, thrust on him or her, often in the worst of circumstances when there is little time to think or prepare. Unless we start raising awareness and disseminating best practices now we will be faced with disastrous problems in the future.
CoSN Creates New Set of Cyber Security Tools for K-12 Leaders
Web-accessible Tools are Free and Vendor-Neutral
The Consortium for School Networking (CoSN), in partnership with Mass Networks Education Partnership, has created the Cyber Security for the Digital District leadership initiative to provide information and tools for K-12 Superintendents, School Board members, and Technology Leaders to assess and improve the security of their technology systems in order to protect the safety of staff and students, contribute to the educational mission of their schools, and maintain community support.
A key component of the project is the creation of web-accessible tools. The web site will be officially launched on September 20, 2004 (www.securedistrict.cosn.org). Some of the items in the tool set include:
To see the beta site now, go to http://securedistrict.cosn.org/contact.html.
Some of the items in the tool set include:
For Superintendents, School Board Members, and other Administrators:
- First Steps For Policy Makers
- Eight Questions A Superintendent Should Ask The CTO
- Cyber Security: An Introductory Slide Show
For the CIO, CTO, Technology Director, or other person who runs the district technology systems:
- First Steps for Technology Leaders
- A Self-Assessment Scorecard
- Security Protocol Planning Flowchart
- Asset-based Risk Assessment
- Security Rubric & Planning Grid
The Cyber Security project has also prepared one-hour, half-day, and full-day workshop curriculum that can be delivered by project staff or other interested people as part of conferences or professional development programs. For more information, please contact the project at cs4dd@massnetworks.org
