School districts face a moving target when it comes to keeping students from inappropriate Internet sites.
Duval County Public Schools in Jacksonville, Fla., with 140,000 students, has in place a three-part system of filtering, monitoring, and reporting. Information security analyst Jim Culbert explains how it works.
Step 1. Take a look at content filter vendors in the education space.
Most filters are designed for corporate settings. Pay attention to the categories and whether they’re geared to an educational environment. For example, school cheating is a category that an education filter would have, but not a corporate one. The categories — including adult content, shopping, sports, gaming, chat rooms, and social networking sites — are already built in. That’s one of the biggest things you’re buying when you purchase a filter.
Step 2. Get an enterprise reporting system in place to justify policies.
An enterprise reporting system can generate data on where users are going on the Internet. Use these reports to gain support from your school board and your executive-level administrators. It’s a large undertaking to get Internet use policies in a format that a district is willing to enforce, so having hard data will put some teeth behind an acceptable use policy. These policies should include clearly stated consequences for violators.
Step 3. Take responsibility for deciding which content filter categories the district will allow outside the technology division.
Put category selection in the hands of those who have direct contact with kids, including parents. Duval County schools formed a committee of teachers, administrators, PTA members, media specialists, and parents. The committee votes on which categories we’re going to block or unblock.
We use the content filter from 8e6 Technologies. It can automatically upload unknown sites back to the host company, categorize those, and return them. Let’s say that you open up a new gaming Web site tomorrow, and someone from our district goes to it. The system would not know immediately which type of site it is. The system would send it back to 8e6, and they would categorize it. Then, next time someone tried to access it, the system would either allow or prevent them, depending on the committee’s decision.
Step 4. Authenticate users.
Users need to be authenticated on the network so you can know who is going to what site. That is so important. Don’t allow any anonymous Internet activity. Toward this end, have a strong, well-trained security staff to ensure that users are following district policy about logging on, and not sharing user names and passwords. That’s the whole point. Once you get all your users authenticated and students are aware they’re being monitored, it changes their entire mindset.
Step 5. Spell it out for students.
Use a log-on banner to notify your users that they have no expectation of privacy on the network, and that they must follow the acceptable use policy. Let’s say you try to go to Playboy.com. The page comes up with your name in the middle of it and a warning that you have violated the acceptable use policy and that continued attempts will result in discipline.
Step 6. Don’t get the wrong people in trouble.
You have to ensure that you never report anybody who has accidentally accessed inappropriate material. One of the things we look at is the search terms they used in Google or Yahoo or any other search engine. That information comes to the reporting system. The biggest thing definitely is intent. People get this notion that we sit around and look at everyone’s Internet history. That’s just not possible.
What we do is set thresholds of, for example, how many inappropriate sites you would need to attempt to access before we are permitted to start an inquiry on the activity.
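The threshold idea in Step 6, sketched as an added example (it is not Duval County's or 8e6's code). The log layout, user names, hosts, the threshold of 3 distinct sites and the one-hour window are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp,user,host,category,action,search_terms
# The field layout is an assumption, not the export format of any real filter.
SAMPLE_LOG = """\
2024-03-04T09:01:10,student_a,games.example,gaming,BLOCK,
2024-03-04T09:01:40,student_a,games.example,gaming,BLOCK,
2024-03-04T09:03:02,student_b,adult1.example,adult,BLOCK,adult sites
2024-03-04T09:04:15,student_b,adult2.example,adult,BLOCK,adult sites
2024-03-04T09:06:30,student_b,adult3.example,adult,BLOCK,
2024-03-04T09:07:00,student_c,news.example,news,ALLOW,
2024-03-04T13:30:00,student_a,chat.example,chat,BLOCK,
"""

def parse(log_text):
    """Yield one tuple per log line; search terms may be empty."""
    for line in log_text.splitlines():
        ts, user, host, category, action, terms = line.split(",", 5)
        yield datetime.fromisoformat(ts), user, host, category, action, terms

def users_over_threshold(log_text, threshold=3, window=timedelta(hours=1)):
    """Return {user: {"sites": [...], "search_terms": [...]}} for users blocked
    on at least `threshold` distinct sites within `window`. Repeated hits on
    one site, or isolated hits hours apart, stay below the line."""
    blocked = defaultdict(list)
    for ts, user, host, _category, action, terms in parse(log_text):
        if action == "BLOCK":
            blocked[user].append((ts, host, terms))
    report = {}
    for user, events in blocked.items():
        events.sort()
        for i, (start, _host, _terms) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            sites = sorted({host for _, host, _ in in_window})
            if len(sites) >= threshold:
                # Search terms go into the report so a reviewer can judge intent.
                terms = sorted({t for _, _, t in in_window if t})
                report[user] = {"sites": sites, "search_terms": terms}
                break
    return report

if __name__ == "__main__":
    for user, detail in users_over_threshold(SAMPLE_LOG).items():
        print(user, detail)
```

Counting distinct sites rather than raw hits keeps a page that reloads or retries from pushing an accidental visitor over the threshold.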
School CIO wants to hear from you.
Send comments, description of your district’s best practices, or topics that you would like to see covered to: firstname.lastname@example.org. Be sure to include your contact information.