Securing BYOD for Schools
By Bill Pickett, CIO, Glenelg Country School
Today, the diversity of products that come into the school environment creates the largest issues. The consumerization of the hardware industry has small technology departments working with extremely diverse equipment. The web-based offerings for any product, e.g. blogging applications, offer an almost unlimited number of options. More and more software and hardware is being offered as a cloud-based solution. More and more external influences are affecting the decisions of the CIO in ways they can’t begin to control. Today’s school CIO needs to build systems and partner with vendors that are extremely robust.
Schools must adapt their network security plans to accommodate their BYOD environment. We have segmented our wireless network into individual SSIDs to accommodate different equipment and access. Our wireless controller firewalls the wireless side of the network from the wired side. School-owned equipment connects to the entire domain, while faculty and student BYOD devices have limited access to printers and the Internet via the firewall filter. We have also expanded the number of access points in the school to accommodate the eventuality of every student having at least one Internet-connected device.
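The segmentation described above can be expressed as an ordered, default-deny rule set and checked with a few probes. This is an added example, not the school's configuration: the subnets, zone names, rule list and probe addresses are constructed assumptions.

```python
import ipaddress

# Constructed address plan (assumption: the article gives no subnets).
ZONES = {
    "school_wifi": ipaddress.ip_network("10.20.0.0/24"),  # SSID for school-owned devices
    "byod_wifi": ipaddress.ip_network("10.30.0.0/23"),    # SSID for faculty/student BYOD
}
PRINTERS = ipaddress.ip_network("10.10.50.0/24")  # printers on the wired side
INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # everything the school owns
ANY = ipaddress.ip_network("0.0.0.0/0")

# Ordered rules, first match wins; unmatched traffic is denied.
RULES = [
    ("school_wifi", ANY, "allow"),      # school-owned: entire domain
    ("byod_wifi", PRINTERS, "allow"),   # BYOD exception: printers
    ("byod_wifi", INTERNAL, "deny"),    # BYOD: nothing else internal
    ("byod_wifi", ANY, "allow"),        # BYOD: Internet
]

# Constructed probes: (source, destination, expected action, label).
PROBES = [
    ("10.30.0.25", "10.10.50.12", "allow", "BYOD -> printer"),
    ("10.30.0.25", "203.0.113.10", "allow", "BYOD -> Internet"),
    ("10.30.0.25", "10.10.1.5", "deny", "BYOD -> wired server"),
    ("10.30.0.25", "10.20.0.8", "deny", "BYOD -> school-owned laptop"),
    ("10.20.0.8", "10.10.1.5", "allow", "school-owned -> wired server"),
    ("192.168.7.7", "10.10.1.5", "deny", "unknown source -> wired server"),
]

def decide(src_ip, dst_ip, rules=RULES):
    """Return the action of the first matching rule, or 'deny' if none match."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for zone, dst_net, action in rules:
        if src in ZONES[zone] and dst in dst_net:
            return action
    return "deny"

def audit(rules=RULES):
    """Return the labels of probes whose outcome differs from the intended policy."""
    return [label for s, d, want, label in PROBES if decide(s, d, rules) != want]

if __name__ == "__main__":
    print("violations:", audit())
    # Same rules with the Internet allow moved above the internal deny.
    misordered = [RULES[0], RULES[1], RULES[3], RULES[2]]
    print("violations when misordered:", audit(misordered))
```

The misordered run shows why rule order matters on a first-match firewall: a broad Internet allow placed above the internal deny silently opens the wired side to BYOD devices.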
Most school networks have a limited number of applications and some storage. Implementing the cloud in most cases has been a relatively evolutionary decision. Our migration to Office 365 offered a way to move a great deal of storage and work offsite and provide our customers better access and more storage at no cost. Our website, like that of most small schools, is managed by someone else. As we looked to provide parents more access into the Student Information System (SIS), it made sense to integrate it with the website to unify the information flow. We have moved our nursing module into the cloud and also integrated it with our SIS. It provides parents a better experience and eliminates internal redundancy. Most of our application vendors offer cloud-based products for any future system upgrades. Many of those will also integrate with our SIS. We are positioning ourselves to migrate major applications to the OEM’s cloud service in the future and to take advantage of any cross-platform data integration/single sign-on that is offered.
Network security remains a universal concern. Everyone has the typical software, hardware, and implementation models of security in place. Yet, we continually hear about security lapses and ransomware payments in medium and large businesses. A recent article reported it takes over 200 days to detect a security breach. While user education is important, it is becoming necessary to add endpoint threat analytics that detect and prevent malicious behavior. Something is now necessary to sit behind the typical security systems and independently monitor users’ patterns and actions to prevent anything out of the ordinary.
It is equally important to have a security discussion with cloud vendors. Naturally, the conversation should be a review of their own internal security. Don’t assume a vendor does backups, has filtering software on their routers, or even anti-virus on every computer. Additionally, it is important that the data you give them to house is contractually yours and that you have unfettered access to it. One of the last things you want to deal with, if your cloud vendor goes bankrupt, is the bank holding and trying to sell you your own information. Your cloud vendor, more likely than not, has a backup site outside of the United States. You should not assume all the countries where your data is stored have laws in place to protect the privacy of your data. You should also specify how your data will be returned to you in the event you want to move to a different vendor, or the vendor fails. You should specify a generic content model for the return of your data, e.g. CSV, Excel, or SQL. As an aside, you should also ensure that your contract with any software vendor is set up so that you will not have to switch vendors mid-school year. Something painfully learned.
Today, school CIOs are working to tailor the family experience and provide ubiquitous access to the Internet, resources, information, communications and their child’s student records, and to provide faculty, students, and staff with the information, knowledge, resources, access, information systems, and stability necessary for them to perform well. All this must be done in a way that complies with the various applicable laws and regulations, e.g. CIPA, COPPA, HIPAA, PCI, provides minimally invasive security at the lowest possible lifecycle cost, and is extremely respectful of everyone’s learning curve. It is a huge task but extremely rewarding and worth doing well.