Databus Issue: 2008 1 01/28/2008
Security
Nancy Burns Technology Specialist / CTOHave We Become the Network Police?
PDF
Security…. according to Oxford American dictionary security is “the state of being free from danger or threat … the safety of a state or organization against criminal activity such as terrorism, theft, or espionage … procedures followed or measures taken to ensure such safety… the state of feeling safe, stable, and free from fear or anxiety.” Quite a variety of definitions, but when you stop to think about it, all of these definitions apply when we talk about security in an educational setting.
We have become the IT police, keeping our networks locked down tight, ensuring no viruses, mal ware, or SPAM traverse the walls and moats of protective software, hardware, firewalls, etc. We train our troups, both front line and office to recognize a problem, quarantine it, and destroy it before damage is done. And we do a pretty good job.
But the job of IT security in California public schools has become a much more difficult and complicated undertaking that just protecting our equipment and network. It seems we are often charged with the security of the databases containing both student and staff confidential information. Somehow it has also become our responsibility to protect our students against having their photographs or other information posted on websites that may or may not be within our personal control. As LEAs put more and more student information in an electronic form, we have to be ever diligent that only those individuals who are legally allowed to view student information have access to it. This includes not only simple things like setting view preferences to allow only certain individuals to be able to view confidential information such as student special education or NSLP information, but also educating our users that they should not share this with information with others who are not approved.
This security of student information spills over into email communication. We must inform all staff about the importance of not sending confidential student information in the form of email. It is so easy for a teacher or principal to respond to an email sent by a parent to discuss questions on a recent IEP or a recent discipline problem. We must be persistent in educating not only our staff of the breach of security this could bring, but we must also educate our parents of the risk they place on the security of their student’s confidential information by putting it in the form of an email.
We are also charged with keeping our students safe when using online services within their school day. This is another line of security. How do we allow students an optimum educational experience, but keep them safe from websites, chat rooms, email and other distractions that will hinder rather than enhance their education. On the one hand we are told that to have a proper educational experience, we should allow YouTube, MySpace and FaceBook. These same people tell us we must also keep all these same students safe from all harmful things on the internet. This is an oxymoron at the very least. Do we allow our students to use flash drives, iPods, or connect to our network with other personal electronic devices? If they are allowed to use email, is it a district provided account, or do we allow them to use their own personal accounts. At what age do we loosen the reins a bit and allow our students more leeway to explore?
Yet another part of our security responsibility is often that of plant security. Many California schools are bringing in various forms of IP based security. Whether it is as simple as security cameras placed around campus to record general traffic coming in and out of our school sites, or something such as LobbyGuard, that gets down to the personal level of recording each and every visitor, checking finger prints and keeping records of the patterns of our visitors, plant security is becoming more and more a function of the IT personal in the California public school.
So, what’s an effective IT professional to do… besides bang you head against the wall repeatedly hoping for a magic solution? I wish I had a magic one-size-fits-all solution. I’m afraid, however, that there is no one easy answer. Each of us must examine our own site security needs, investigate options, and make as intelligent a choice as we can based on availability, ease of implementation and, unfortunately, budget. Due diligence is the very most we can ask of ourselves. Keep in touch with other IT professionals in similar settings to your own, share problems and solutions through avenues such as the EDTECH listserve; communicate your concerns with your administrative staff so they understand the ramifications if security measures are not implemented. Then burn you incense, chant your chant and work your magic to make it all a perfect world wherever you are.
