How to Perform a Security Audit

Picture this scenario: a student logs in to your school's network using the password of a former teacher and "improves" his first-quarter grades and attendance along with those of his nine friends. This is just one real-life example of the many kinds of network security breaches occurring at schools across the
Publish date:
Social count:
Picture this scenario: a student logs in to your school's network using the password of a former teacher and "improves" his first-quarter grades and attendance along with those of his nine friends. This is just one real-life example of the many kinds of network security breaches occurring at schools across the

Picture this scenario: a student logs in to your school's network using the password of a former teacher and "improves" his first-quarter grades and attendance along with those of his nine friends. This is just one real-life example of the many kinds of network security breaches occurring at schools across the country. How big is the problem? Purdue University's Center for Education and Research in Information Assurance and Security decided to investigate the issue by performing penetration tests on the networks of five Indiana school districts-in other words, hacking into their systems with permission. The results were alarming. The testing team was able to hack into all five networks via the Internet. In four of the five schools, they accessed payroll and grade information without difficulty; and in three cases, they were able to easily obtain a complete list of students and staff. Perhaps most troubling of all, these attacks and security compromises went undetected by school IT staff.

The above cases underscore the importance of taking a proactive approach to securing your school's network. To do this, however, you first need to know your system's specific vulnerabilities and what steps you can take to reduce them. The formal process for doing this is known as an information security risk assessment, or a security audit. What follows is an overview, loosely based on the National Institute of Standards and Technology's Risk Management Guide for Information Technology Systems and other commonly accepted industry standards, of how to perform a basic audit for your school or district. In doing so, you will:

  • Demonstrate due diligence by developing a security process that is consistent and objective
  • Help your school or district make informed decisions about what preventive measures it needs and why
  • Justify the up-front costs of security
  • Show your staff the importance of best security practices that they sometimes resist (such as changing passwords).


The primary goal of risk management is for schools to protect their ability to fulfill their educational missions. Therefore, a security audit should be treated as an essential management function, headed up by a district's chief information officer or technology director, but also involving administrators, teachers, and building-level technology staff. An effective way to do this is to form a risk assessment committee, co-chaired by a high-level administrator and the senior IT staff member, whose charge is to design the audit from beginning to end and oversee its execution.

Security Checklist

To get a better idea of where your school may be vulnerable, we recommend surveying your staff. Here, a sampling of potential issues to address.
- Evaluation, testing, and installation of vendor-recommended patches
- Software policies
- Staff knowledge and awareness of information security risks
- User password practices, such as password sharing and how often passwords are changed
- Procedures for disabling accounts of personnel who quit or are released


If you've never done a security audit before, chances are your system is vulnerable and now is the time to start. If you've already performed an assessment, then you'll want to update it whenever you make significant changes, such as moving a database to a new server or adding substantial code to an existing system. You'll also need to revise it when you introduce new hardware and software to the network and before undertaking any major projects, such as installing a wireless network. In addition, it's a good idea to schedule regular updates-either annually or biannually-of your risk assessment.


When performing a security audit, solely assessing your technology assets is not enough. Schools should also take into account policies addressing such issues as acceptable use, network rights, software installation, and the practices of both students and staff.


There are four steps to follow when conducting an information security risk assessment (see Figure 1).

Figure 1: Information Security Risk Assessment Process

Step 1: Asset Identification and Classification

This is the process of identifying valued assets and categorizing them into manageable groups. For schools, assets can generally be grouped in the following categories:

  • Technology resources (hardware and software)
  • Information resources (grades, health records, payroll records, and personally identifiable information)
  • Curriculum resources (lesson plans and other teaching materials, and Internet connectivity for student assignments)
  • People resources (students, staff, and families).

There are various ways to gather this data, including interviewing key IT staff, examining any previous audits, and reviewing inventory records.

After identifying assets, classify them with regard to confidentiality, integrity, and availability. Examples of assets that need strict confidentiality are student grades, health records, and bank account numbers for direct deposit. Assets that require integrity (meaning they can't be altered) include payroll and lesson plans. Assets that need to be available at all times are attendance systems, lesson plans, and online systems that provide homework updates for parents. By performing this step, you'll learn what specifically needs protection and what type of protection might be warranted.

Step 2: Threat and Vulnerability Assessment

This is one of the most important steps in the risk analysis process. Once all assets have been classified, list potential threat sources for each one. The National Institute of Standards and Technology defines a threat source as "any circumstance or event with the potential to cause harm to an IT system" (see Table 1).

Table 1:
Threat SourceExamples Natural A hurricane, flood, earthquake, tornado, water pipe that bursts, or an electrical storm Human Accidental mishaps, intentional intrusions, or violations. Accidents can be caused from people within the organization or an outsider. Environmental A power failure, pollution, or a chemical spill
Adapted from the NIST Risk Management Guide

Next, determine the corresponding vulnerabilities for each threat source. A vulnerability can be triggered accidentally-for example, a system crash that occurs due to a flood or a network design flaw-or intentionally, such as a student hacking in to the network and changing his or her grades. Table 2 shows the relationship between a threat source, a vulnerability, and the corresponding consequence.

Table 2:
Threat SourceVulnerabilityPotential Result Unauthorized users such as outside hackers, disgruntled or mischievous students A Windows design flaw (e.g., the recent RPC vulnerability that has made it possible for any user on the Net to access the system) Unauthorized users gain access to confidential data, and are able to steal or modify it
Adapted from the NIST Risk Management Guide

How do you come up with a list of prospective threats and vulnerabilities? One way is to hire an outside contractor to perform a penetration test like we did for the five schools in Indiana. Penetration tests use special network scanning software to identify system flaws. There are many organizations that perform penetration testing including Infotex (, AT&T (, Symantec (, and Guardent ( Other ways to determine potential weak spots include surveying staff (see Security Checklist) and joining a vulnerability notification/incident response service. Worthwhile vulnerability services include CERT (, SANS (, SecurityTracker (, ICAT (, and CASSANDRA (

Step 3: Evaluation of Controls

Once assets, threats, and vulnerabilities have been identified, evaluate potential countermeasures. These should be thought of in terms of whether they prevent, detect, or respond to attacks as well as whether they're technical-, policy-, or personnel-oriented (see Table 3). The main point of this step is to determine whether a single safeguard is sufficient for protecting your assets. If not, which combination of countermeasures is needed to achieve the desired level of security?

Table 3:
PreventionDetectionResponse Technology - Antivirus protection
- Access control lists that partition levels of access to sensitive systems and data
- Firewalls
- Intrusion detection systems that monitor the integrity of the system and files - Intrusion detection software Policy - Acceptable use policies
- Systems development and maintenance policies - Policies on intrusion response (i.e., roles and responsibilities of your emergency response team) - Business continuity planning to ensure procedures for bringing your system back online if it is hacked and/or crashes Personnel - Information security training - Computer emergency response teams

Step 4: Analysis, Decision, and Documentation

The final step is to analyze your controls and then make decisions about which ones you want to implement. Begin with a cost-benefit analysis. Estimate costs for all suggested safeguards and assign a dollar amount to the expected benefit for each one. In addition to the actual price tag, be sure to consider implementation, operations, maintenance, usability, scalability, and performance costs. In many instances, more than one safeguard will be identified to mitigate a risk. For each threat or risk, determine to what degree the selected safeguards will reduce the likelihood of occurrence, the damage of such an incident, or both. To learn more about the process, a sample cost-benefit analysis is available in the NIST Risk Management Guide.

The cost-benefit analysis, along with the rest of your audit data, should be included in a formal report. In addition to providing management with the information they need to select appropriate countermeasures, it creates baseline data for the next audit.

A Final Word

While a comprehensive audit will help integrate security throughout your school, it's important to think of risk assessment as an ongoing process. Continual education and communication are keys to realizing the effects of the audit. When new staff is hired, for example, be sure to educate them about the role of information security in your district and the associated responsibilities. Likewise, as new technology is deployed or when problems occur, inform the school community of any related security issues. If security is discussed outside of the audit, then the staff and students will deem it as the core value it is.

NEXT: Learn More

Melissa Dark, associate professor of computer technology at Purdue University, is the assistant director for educational programs at the Center for Education and Research in Information Assurance and Security.

Amy Poftak is executive editor of Technology & Learning.

Read other articles from the February Issue

Learn More

The American Society for Industrial Security's general security risk assessment guidelines

Center for Education and Research in Information Assurance and Security

Computer Security Institute (an entity of CMP Media, Technology & Learning's parent company)

Consortium for School Networking Cyber Security For the Digital District

Information Security Management Handbook by Harold F. Tipton, and Information Security Risk Assessment by Thomas Peltier from Auerbach Publications

The National Institute of Standards and Technology's Risk Management Guide for Information Technology Systems

< < < Return to Intro

Read other articles from the February Issue



How to Perform a Data Makeover

If the data you're storing isn't the right data, or is inconsistent, erroneous, or incomplete, the best analytic tools in the world won't help you make sense of it. We give you four steps to help you "keep it clean."

Security in a Box

These days, security has become a loaded word. Security has increased just about everywhere—on subways and buses, in airports, and at courthouses. Security is critical on information networks, too. As many school IT specialists have learned the hard way, hackers, viruses, spam, and spyware lurk behind every

Securing a School Network

Preface Securing your school’s network can be a cost burden. Not securing your school’s network can be even more costly. Many threats exist for all users of the Internet, but schools inherently have certain risks that many businesses do not encounter. Schools must deal with rising information security concerns,

Performance Pays

Between implementing a teacher pay-for-performance system and organizing the CIOs of his state, Ed Freeman of Denver Public Schools is a busy man.

Cyber Security

We teach our children to be safe, to cross an intersection when the light is green, for example. But it is the responsibility of society to create a secure environment, to ensure that the intersection has a working traffic light. The same is true in cyberspace. We need to carefully build awareness among students

Secure Your Wireless Network

Imagine a completely wireless school, an open network in which all students and staff can roam around using laptops or handheld computers to browse the Internet, access files and applications on the school server, and communicate with each other and the world via e-mail. It's a great picture — and at some

Image placeholder title

BYOD and Security

Last month we wrote about the evolution of one-to-one computing and how districts are allowing students to “bring your own device” (BYOD) to school.