Security Administrators' Top 10 Cyber Security Questions
Let’s be honest – in your heart you already know that Cyber Security is an important issue and you’ve got to get involved.
It’s just that you really don’t want to deal with it. None of us do. It’s a little like keeping up with the maintenance schedule for your car – you know it’s got to get done, but as long as the car is working who’s got the time to deal with leaving the car at the garage?
So it goes. But maybe this review of the most common questions the leaders of the Consortium for School Networking’s (CoSN) Cyber Security for the Digital District leadership initiative get asked when they talk with school administrators can serve as your 'Jiminy Cricket': you’ve got to watch out for the bad guys and make the right choices.
Q 1
Didn’t we go through all this already with the CIPA stuff about Internet filtering and public meetings? We’re in compliance with CIPA, so we’re protecting our students’ safety. Aren’t we dealing with all this already? What more do you want?
Congratulations. It’s a good start. But most of what you’ve done so far is designed to protect student and staff safety. Safety is about individual actions. Your staff and students are probably already aware that they should never give out personal information to anyone they’ve met on-line or in response to even seemingly authentic email inquiries from anyone. They know not to open email from anyone whose name isn’t recognizable or any email whose subject line doesn’t seem right. They know that there is no one in Nigeria looking for a way to give them money. They know not to respond to SPAM messages – not even to say that they want to be taken off the distribution list. They know not to open any email attachments without first saving them to disk. They know that many web sites are really glorified bait-and-switch traps, seeking to sell products and collect information about potential customers. They know how to back out of inappropriate websites and to not respond to the many pop-up ads that appear on their screen. They know not to share their passwords with others or to leave their logged-on machines running when they leave the room.
But the second half of the fight is about cyber security.
If safety comes from awareness and good behavior, security comes from proper administration of the overall system. Safety is an individual responsibility. Security is an organizational responsibility.
CIPA is mostly about safety, although it does include some security-like requirements. But it’s primarily focused on keeping kids from seeing the nasty stuff. It’s not about making sure that your IT system doesn’t blow up.
It’s a little bit like the difference between teaching someone to drive carefully and making sure the car doesn’t pull a Godfather scene and explode when they turn on the ignition.
Bottom line: you need to deal with security as well as safety.
Q 2
Look, I’ve got enough problems aligning my curriculum with the state standards and meeting the AYP requirements. My priority is dealing with learning issues -- why should I take on this as well?
Over the years your district has poured a lot of money into technology. You bought equipment, hired staff, trained teachers, and bragged about it to the community.
You did all that because you thought it would provide some benefit. Perhaps you wanted more efficient administrative systems. Or you thought it could improve student learning. Or you needed it to deal with NCLB reporting requirements and data-informed-decision-making. Whatever.
The point is that unless you deal with security, you’re going to get zilch value from that investment. It’s simply not going to keep working. Which is going to make you look very bad.
Most important, surveys show that a key reason teachers aren’t willing to more fully use technology to support student learning is their lack of confidence that it will work properly when they need it and that students won’t be exposed to some undesirable material that will disrupt their limited class time and cause trouble for everyone. It turns out that providing effective security creates the freedom to learn. Without security, your technology resources will not provide the benefits that your taxpayers are expecting, and your students deserve.
Q 3
This is just fear mongering – there’s no need to scream “status orange.” Nothing really bad has happened in my district or in any of my neighbors'. Why should I think that any of this will actually impact me?
It is estimated that over 2,000 programs are flying around cyberspace every minute of every day looking for security holes in systems just like yours. The Internet is a fabulous tool to facilitate your students’ learning; it is also a fabulous tool to facilitate attackers’ learning. It is becoming easier and easier to learn how to create more and more sophisticated “malware.” The time between the discovery of a network vulnerability and the appearance of attack code exploiting it has dropped from months to weeks, to days. Recent private sector surveys revealed that 82% of respondents were hit by virus, worm, or other attacks in the past year. Over a third had had their networks penetrated by unauthorized people. And this wasn’t only coming from “bad guy” outsiders: nearly 80% reported that their own staff had abused network access. It’s not a question of “if” but of “when” and “how bad.”
Q 4
Ok, so we get attacked. So what?
What’s your feeling about personal bankruptcy?
Identity theft is becoming a major international problem. What would happen if someone stole social security numbers from your system? Or family medical records? Or all your kindergarteners’ home addresses and phone numbers – or just the little girls?
You’d probably need to inform everyone who may be at risk. And talk to the press – a lot. It’s possible you would be sued.
Or, perhaps it turns out to be less catastrophic. Perhaps an attack will merely cripple your school’s ability to operate. The payroll system may go down, or key personnel data might get lost. Student grades might get changed, making it impossible to issue report cards or provide college recommendations. Or perhaps the only thing that will happen is that your teachers simply stop using it in their classes. In any case, it will cost a bundle in terms of staff time, public support, and the community’s perception of your competency and legitimacy.
Even if nothing happens to your system, it is possible for electronic intruders to secretly take control of one of your machines and use it as a base for launching attacks on other sites. It’s been estimated that up to 80% of all spam comes from these “zombie servers.” Case law is still evolving, but it is likely that you may be liable if you know about this possibility and do nothing to prevent it.
Want to hear more? If there ever was a national emergency – or a hurricane – the school district’s communication systems will be expected to help coordinate the response. But if it’s not secure, you can be part of the problem rather than part of the solution. What if the Governor has to announce that you are “the weakest link!”?
Q 5
This techie stuff is way over my head. Isn’t dealing with all this my Technology Director’s job? Isn’t this why we hired someone?
Yes – you hired a technical person exactly because they have expertise and knowledge that you lack – or don’t have time to use. But, unfortunately, that doesn’t get you off the hook.
The most important decisions are not based on technical issues but on educational values. It’s the job of the technology – and the IT staff – to implement your policies, not to impose their values on how the school runs.
Does your school put a high value on student exploration, authentic problem-solving or open-ended project-based learning, on inquiry-based pedagogy? Then the way the IT staff deals with security should be very different than if your absolute priority is that nothing ever goes wrong. Do you feel that teachers do best when they know as much as possible about their students? Then the way the IT staff deals with data security will be very different than if protecting privacy is your highest priority. Do you allow teachers to create their own curriculum and encourage them to try new ideas and take risks? Then the way the IT staff deals with users’ ability to load software on their own computer will be very different than if you are a reform school where everything is locked down and people are supposed to only do what they’re told.
Q 6
What is it going to cost? How much of my time, and my staff’s time, will be diverted?
Remember that prevention is almost always cheaper than repair, and that the cost of a successful attack includes a lot more than dollars. But it is true that the money you save is an “avoided cost” that never shows up in the budget and is impossible to exactly quantify.
So how much does prevention cost? Obviously, it depends on what needs to be done. But, more subtly, it also depends on the level of security you feel you need. There is no such thing as absolute security – the only absolutely secure computer is one that has been turned off, which sort of misses the point.
The goal of a security planning process is to get a clear picture of your current status, set priorities for immediate and long-term action, determine approximate costs, and do a cost-benefit analysis of where you can get the most impact for your investment.
But rest assured that it is going to cost something. The first cost is going to be some mental cycle time and a few hours of your schedule. You are going to have to get involved.
Q 7
So how can we get a handle on the extent of our vulnerability? How do we compare with other districts?
Now you’re beginning to ask good questions!
Start by asking the chief technology officer (CTO) in your district to do a quick self-analysis with the Self-Assessment Checklist. It takes about 15 minutes to complete the checklist, which automatically calculates a score between 0 and 100 describing the district’s security situation.
Then, ask the district CTO to have a conversation with you to answer the “Eight Questions A Superintendent Should Ask The CTO” which is also found on the CoSN site. You need to find out what kinds of security problems, big and small, have occurred over the past year. You need to know if your district has a security plan, and if it is being implemented. You need to know if all available security-related software “patches” and upgrades available for your computer applications have been installed, and how many person-days each update process requires. You need to know how prepared your district is to survive the inevitable security crisis – are key databases regularly backed up, will key systems be able to be run at a minimal level while repairs are being made, when was the most recent “emergency practice session” to make sure that crisis management plans are ready for use?
Q 8
What are the problems we’re most likely to find?
Again, it really depends, but here are some of the things we typically discover when we do a district-level “tech audit.”
- An unclear division of responsibility for maintaining security.
You need to create a list of tasks and identify exactly who will do what according to what schedule. You also need to have someone with overall responsibility for making sure it all happens.
- Unclear policies and procedures that overlook – or create – vulnerabilities.
Technology problems are often the end result of inadequate policies and procedures. You need to have a regular process of patching or upgrading old software, updating virus definitions, maintaining equipment.
- Holes in your perimeter defenses.
Your switches and firewall need to be able to meet today’s attacks. Your email provider, web hosting vendor, and Internet access company need to be implementing their own security measures to stop problems before they get to your electronic doorway.
- Problems with wireless access, mobile laptops, and dial-in accounts.
These are the most recent breaches in network walls. Wireless access points cannot be left open or in their “default” mode. Incoming laptops need to be automatically scanned, or at least rebooted, before they are allowed back on your network. Dial-in connections need to be validated and controlled.
- Internal problems around data access controls.
You need to have clear rules about who gets access to what equipment and what data under what circumstances. Then you need technology tools that let you enforce those policies.
- Lack of user awareness or compliance.
You run a school. The need for participatory and authentic learning about the reasons for and methods of keeping the system secure should be part of the professional development program and the classroom curriculum.
- Unclear protocols for dealing with crises.
You need to be absolutely clear – and practice beforehand – who does what when something goes wrong. The biggest problems happen when your system does not do regular backups – with offsite storage – of key data or lacks sufficient redundant equipment or connections to allow continuity of the most critical functions. The most important part of crisis management is having full and repeated communication with all stakeholders.
Q 9
Can we handle those problems, or will we need to bring in outside experts?
It depends…of course. No matter how small your IT staff, there are a lot of basic things that they can do to make your system more secure – assuming they have permission to take the time to do it. If your IT staff is large and highly skilled they can do even more.
No matter what the size and skill level of your employees, if you and they work through the steps outlined in the security planning protocol you will vastly improve the security of the system and your ability to sleep at night.
In addition, no matter what the size or skill level of your employees, it is a good idea to have an outside group do a security audit. You might want to start by pulling a bunch of your students together into a “red team” with the task of finding weaknesses. You might want to balance that by also organizing a “blue team” to try to figure out ways to stop any intruders.
It is quite possible that your self-analysis and the audit will reveal problems that are more complicated than your staff can handle. Talk to several vendors about your situation. Ask them what they would propose. Make sure to have your chief technology officer also talk to her peers in other districts – do they have similar problems? What have they done? And join the Cyber Security for the Digital District’s on-line K-12 forum to see if anyone has already made comments about a similar kind of situation – or to ask for advice from other forum members.
Remember – it is impossible to get absolute security. You don’t have to do everything – in fact, you can’t. Identify your most serious problems. Clean up the easiest things first. Lay the foundation for tackling the big stuff. No matter how slowly you are able to progress, the critical thing is to get started and keep moving.
Q 10
What should I be doing to make sure we stay on top of this issue?
Be a leader! Convene a Cyber Security team and make sure they stay focused. Allocate resources. Lead by example. And send a strong message to all stakeholders that security is an important issue that impacts everyone’s wellbeing and that everyone will have to pitch in if the school is to continue to provide IT services.