Security Issues with Guidelines for Assessment

Management: District Leadership

| Issue | Basic | Developing | Adequate | Advanced |
|---|---|---|---|---|
| Oversight | Goals for security have not been articulated. District awareness of legal issues: basic. Extent of compliance: unknown. No policy specifically targets technology use. | Security goals have been outlined. Awareness of legal issues: growing. Compliance: OK at network level. Policy in early stages, addresses legal issues. | Security goals stated clearly. Awareness of legal issues: from desktop to internet. Compliance: not fully auditable. Policy ties technology use to district mission. | Security goals integrated with educational and administrative objectives. Awareness of legal issues: comprehensive. Compliance: fully auditable. Policy meshes seamlessly with district mission. |
| Support | No support specifically for security. | Support is inconsistent. | Commitment to TCO-based budgeting and HR needs. Appropriate communication. | Strong support restrained by performance indicators. Effective communication. |

Management: IT Security Management

| Issue | Basic | Developing | Adequate | Advanced |
|---|---|---|---|---|
| Security Implementation | Staff-computer ratio 1:>750. IT staff are generalists lacking specialized expertise. No one assigned to monitor security. | Staff-computer ratio 1:750. IT staff are mostly generalists; few network specialists. CTO or other management staff also deals with security. | Staff-computer ratio 1:500. IT staff have differentiated expertise. A staff person focuses on security. | Staff-computer ratio 1:250. IT staff have differentiated expertise, are cross-trained. A Chief Security Officer exists. |
| Security Planning | No security plan. No security audit. No Crisis Mgt Plan specifically for IT. | Basic security plan. Internal security audit done. Basic IT Crisis Mgt Plan. | Security plan linked to goals & audit. External security audit done. Updated IT Crisis Mgt Plan. | Security plan linked to goals & audit. External security audit done. IT Crisis Mgt Plan fully tested. |
| Security Team | No formal Security Team. | Informal, ad hoc security team lacks authorization. | School Board approves Team purpose. Stakeholder groups represented. | School Board reviews Team accomplishments. Strong leadership representation. |

Technology: Architecture - Systems Design

| Issue | Basic | Developing | Adequate | Advanced |
|---|---|---|---|---|
| Architecture | Network architecture at basic stage. | Network architecture lacks capacity for growth. | Appropriate network architecture implemented. | Appropriate architecture with room to grow. |
| Internet | Minimal: may match current needs. | Inadequate for accelerating demands. | Bottlenecks occur during peak demand. | Capacity for future demands. |
| Perimeter Defense | No DMZ. Virus protection, content filtering at minimal levels. | Basic DMZ. Firewall functions separated from servers; patch mgt remains manual. | Full DMZ. All email, web services protected. Automated patch management. | Full DMZ. All protection services are automated; network monitored in real time. |
| WAN Security | WAN incomplete, no redundancy or standardization. | WAN nearly complete; building-level LANs not standardized. Redundancy only on most critical network components. | WAN complete; properly segmented. Most building LANs standardized. Centralized management incomplete. | Centralized WAN management. Redundancy for network components. |

Technology: IT Operations

| Issue | Basic | Developing | Adequate | Advanced |
|---|---|---|---|---|
| End User Security | End user computer security not enforceable or verifiable. Manual patching: inconsistent updates. Lack of user support severely limits productivity. | End user computer security improved but not enforceable. Patching is manual but consistent. User support frequently delayed. | End user computer security enforceable or verifiable. Automated patching and updates in most buildings. User support meets minimal requirements. | End user computer security is effective throughout district. Fully automated updates or thin-client setup. Multi-tier user support results in significantly improved outcomes. |
| WAN and LAN Management | Few standards or policies; systems occasionally down; no preventive maintenance; external vendors: not documented. | Some standards, few policies; systems usually reliable; monitoring & maintenance on critical devices; external vendors: not verified. | Standards & policies in place; systems rarely down; routine maintenance but documentation still skimpy; external vendors: not audited. | Clear, flexible policies; effective standardization; systems: highly reliable; efficient maintenance; appropriate documentation; external vendors: fully audited. |

Environmental and Physical Security

| Issue | Basic | Developing | Adequate | Advanced |
|---|---|---|---|---|
| Environmental Security | Environmental hazards not addressed. Three or more of major categories may require remediation. | Environmental hazards partially addressed. Two or more of major categories may require remediation. | Environmental hazards mostly addressed. At least one major category may require remediation. | Environmental hazards fully anticipated. |
| Physical Security | Network infrastructure not secured. | Infrastructure partially protected; unauthorized access can still occur. | Infrastructure mostly secured. | Infrastructure properly secured. |

End User Security

| Issue | Basic | Developing | Adequate | Advanced |
|---|---|---|---|---|
| Participation | Minimal awareness of security issues; minimal training available. Minimal communication offered; feedback not solicited. | Growing awareness of security issues; tech training improved but lacks security component. Increased tech communication fails to reach many users. | Security awareness lowers risk; training includes security; organized outreach improves trust and compliance. Organized outreach | Awareness no longer a security issue; training is ongoing, and communication strategy uses multiple pathways. |