
Case Studies

For school districts across the country -- rural or urban, wealthy or poor, large or small -- security is a constantly evolving challenge. The stories below provide an authentic feel for the difficult choices superintendents and technology officers must handle when attempting to align a district’s technology strategies with educational values and approaches. We welcome your feedback and additional stories: email us at cs4dd@massnetworks.org to tell us more.

Ayer Public Schools, Ayer, MA

Poway Unified School District, Poway, CA

Tomah Area School District, Tomah, WI

CASE STUDY: Ayer Public Schools

 

District: Ayer Public Schools. Ayer, Massachusetts

CTO: Brian McDermott, Business Manager & Technology Director

Website: www.ayer.mec.edu

 

Context

 

District. Ayer is a relatively small, middle-income town located near a former military base about 30 miles from Boston. We have approximately 1,400 K-12 students. We have only two buildings: one is for the elementary school and the other houses both the middle and high school students. There are approximately 200 staff members, which includes 118 teachers and 10 administrators. As is true in many small districts, many of the administrators have multiple duties. My own double title, which is not a typical combination and still doesn’t acknowledge my responsibility for preparing and analyzing data used for decision-making, has the advantage of putting my salary into the general administrative budget.

 

Infrastructure. We now have two full T1 lines coming into the district, up from the 1 we had last year. We are transitioning toward a single T1 with a fractional (probably 256, but maybe 512k) as a redundant service in case the primary goes down or is particularly slow. This level of service is available to all drops across the district including all offices, classrooms and labs. Every classroom (approximately 100) has at least two network boxes with the number of network drops ranging from 2 to 8. Every classroom teacher has a phone and computer. The two buildings are connected with fiber, and there are 6 network closets (IDF) in the Middle/High school building and 5 IDFs in the elementary building all of which are connected with fiber. From the closets, category 4 Ethernet cabling finishes the connection to the classroom/office areas.

 

IT Organization. Our overall IT budget is approximately $300,000. This includes our IT staff that is made up of three full time people: one System Administrator, one Administrative Technology Support Specialist and one Technical Support Assistant. The System Administrator has the bulk of the cyber security responsibility although the other two positions work on issues that impact desktops-- software installation, training, or other types of maintenance. While I oversee IT, I am not charged to that budget line.

We do not have a separate budget for security, and estimating the percentage of the overall budget spent on cyber security is difficult because there are other factors that have gone into some of the changes we have made in our infrastructure and systems that relate to cyber security. Nevertheless, an estimate of 20% is probably close.

 

Administrative technology use. Ayer’s business operations and internal communications are heavily computerized. Many of our data entry forms for ordering supplies, keeping track of lunch orders, and more now run on our Intranet as does our budget/accounting system. Administrators send out electronic announcements. Teachers are constantly on email. We have an up-to-date public web page.

 

Educational technology use. We also use the system for learning. Students do word processing and share files for cooperative work. Many classes use the web for research. We have students taking on-line courses. But we don’t do too many of the more interactive programs – on-line projects through Jason.org, for example, or collaborative projects with students in other school districts across the country and world, capturing and sharing data that is used for scientific research (e.g., whale.net, weather projects), etc.

 

Technology integration. While the Internet gets used, many teachers have just not been willing to fully integrate technology into their daily instruction. Not all of them feel comfortable with their level of skill, or they haven’t had time to explore ways that technology adds unique value to the learning process. Because we still haven’t solved all the maintenance issues, many teachers aren’t confident that the system won’t crash when they’re using it. Also, they just don’t know if they’ll suddenly get pornography or sexually explicit spam popping up on their screens that students might see. Even though it doesn’t happen often, once in a year is way too often; it’s pushed a lot of teachers away. Just because of the risk. And it’s my feeling that the nervousness has gotten worse over the past few years, precisely because of all the media and political attention paid to cyber security problems.

 

Our Story

 

IT evolution. Ayer only really started dealing with technology in the late 1990s when we received federal payments to ease the pain of the closing of Fort Devens, the local military base. Before that, messages were delivered by tumbleweed. At that time, Ayer hired its first IT person. His assignment was just to throw things together and get it working, so in the interest of short-term results we made some horrible choices. For example, our ISP was sending us fragmented packets and our low-bid firewall couldn’t handle the requirements. So we put our web and email servers outside the firewall, which led to some interesting problems that were compounded by staff turnover, the lack of system documentation, and the loss of institutional memory.

 

Learning curve. For example, one day we found that our homepage had been replaced with a blank screen. The person could have done real damage, but it was during a period of high-tech layoffs and the person was actually looking for consulting work. He, or she, eventually sent me an email – which, back then, I was too naïve to track down – explaining that he was just trying to show us how vulnerable our system was and offering his services to improve the situation. Which caused us to rediscover that the servers were exposed. After some back and forth, during which time we upgraded the firewall and moved the servers behind it, I thanked him and let it go as a lesson learned.

 

Security upgrade – staff. A few years ago we were able to upgrade our staff, bringing Shaun Coon on as System Administrator, and then our systems. We standardized the OS we were using in the head-end room. We divided our servers into logical groups, isolating the ones used for network operations, setting up others specifically for applications and file sharing. All this took about three years. More recently, we’ve been building our own Linux servers for email and other purposes, which takes a lot of configuration and maintenance but does provide good security.

 

Security upgrade – network configuration. Access to the accessible servers is controlled by Windows group permission capabilities. So password control is the foundation. But we really don’t know to what extent students and teachers are sharing passwords. We tried to impose password controls – forcing people to frequently change their passwords and use difficult-to-guess characters – but there was a huge backlash. People simply stopped using the system and IT staff were deluged with calls for assistance. So we let it go. So far, we haven’t had a crisis.

 

Balancing security and functionality

Partly, we are protected by strictly limiting user functionality, which is not the optimal situation in terms of educational exploration. None of our students have district email accounts. We don’t have any wireless access points, no modems with network access, and only one landline into the district. Our filters block most incoming and outgoing peer-to-peer, IM, AOL, and other traffic. We use a VPN for our most sensitive internal data exchanges. We push virus definition updates out to all our machines.

 

Security to-do list. We still have problems...

  • Traveling laptops. We worry about traveling laptops coming back with viruses, although we’ve installed anti-virus software on every machine. So far, nothing big has slipped through. But it might.
  • Patch Management: Our patch management system is still mostly manual and we do it when we can. We’ve been sticking with Windows 2000 machines as long as possible, because we feel they are more secure – at least, they are less of a target and require fewer patches – or, at least, there are fewer patches released. But we’re slowly getting to the point that we’ll have to upgrade.
  • Spam, pop-up ads, spyware: Spam and the pop-up ads are an on-going problem. It drives everyone crazy and really discourages general computer use. And no matter what we do it doesn’t seem to go away.
  • Unacceptable use: A couple years ago, one female student found a way to use IM and email to run a small business selling her sexual services. Once we found that out, we shut down IM and cut off access to the web-based email she was using. Now, we only allow access to web-mail based on individual requests. Basically, most students can only use the file server and do web searches.

 Strategy for IT Security

  • Real-world limitations: For little districts like ours that don’t have the resources, it is a lot easier and a whole lot less costly to just not let it happen, to shut things down. This is not where we want to be. It’s just the reality of what we have to do given our budget limitations. We still have very old Apples, lots of different operating systems, and more technical support work than we can handle.
  • Tighten down or open up?: My preference would be to give all users full access to the internet, leaving to the faculty and the students the responsibility of monitoring information and activity. This would provide an excellent opportunity for learning about what is appropriate, what's not appropriate, and how to avoid the "bad" stuff.
  • Increasing ‘bad stuff’ stymies innovation: At the same time, we want our community to be able to access the internet, their email service, their networked folders without worrying about all the "dangers". Unfortunately, this can't happen in the year 2004. It could and did happen in the year 1997 (for example). In 1997, you had to go looking for the "bad" stuff. In 2004 the "bad" stuff is looking for you, AND, most often you don't even know that any connection to your computer/network has even happened. So, we could have students, teachers, parents behaving very appropriately and still have inappropriate content come to them or viruses/spam loaded etc.

 

People, Policies, & Technology

 

Generally, people in our district are very pleased with what is being done. A tech savvy member of the School Committee is able to validate our efforts and keep his peers informed, although in general the district leadership doesn’t get very involved in our technology work. On the other hand, I think there is a legitimate desire among parents for us to do more on the education programming side. For example, people want our web site to be kept up-to-date. That takes staff time as well, although we’re trying to decentralize responsibility for data entry down to the schools.

 

In terms of staffing, we always need more. But we’ve found that it’s better to have one really good person than several people who don’t know what they’re doing.

 

We’re still struggling with defining policies around use of webmail services and how to deal with take-home laptops. Our AUP is out of date and as we revise it we’re including more security-related provisions. And we need to more explicitly document our security procedures.

 

The big technology planning issue for small districts like ours is deciding what to purchase versus what to build yourself. It’s never a fully either-or situation. In the long run, we think outsourcing is required. But we’re nervous about the effort needed to stay on top of what we’re getting from vendors. Sometimes it seems that if you are going to all the trouble to have someone on staff with sufficient expertise to evaluate the vendor, it might turn out to be easier to have that person build the application in the first place. Especially with all the great open source stuff now available. But then what do you do when that person leaves?

 

Wisdom of Hindsight

It is hard to know what advice to give others. We tend to muddle through rather than develop and follow grand plans.

  • Standardization. If you can afford it, the biggest improvement would come from standardization. Buy in bulk. Limit your inventory to a very few operating systems and machines. Create a set of district-wide standard applications and keep all data files stored centrally so you can remotely and quickly fix machines using ghosted images. It would be great to have a situation in which any person can go to any machine and, through their log-on, get to everything they should have access to.

Of course, if your budget ever goes down you’ll be stuck in the same position we are – scrambling to keep old equipment alive while opportunistically adding new equipment and software until your system is a cacophony of requirements.

  • Secure perimeter, managed by outside vendor: If we could arrange it, I’d like to set up our system as a “bubble” with a "cleansing" door. This might be done with a company that would monitor and protect all activity going inside and out from the "bad" stuff. Anti-spam, anti-virus, anti-intrusion services that ensured all interaction with the electronic world outside the bubble was protected. But I fear that this will also move us towards big brother?
  • Limited choices: Unfortunately, this is the direction we are now being forced to go. We started to build this protective wall ourselves but it has become costly and, more importantly, requires high maintenance from a human resource perspective. We are now moving toward purchasing the services from companies that are providing the service. So, all email sent to our email server will first go through their anti-spam/anti-virus service and then come to us.
  • Cautious progress: Given our fiscal limitations, the strategic choice we struggle with pits trying to achieve equity by giving everyone the same (hopefully good) level of equipment and support versus supplying the right things for the most critical areas and making sure you have the long-term budgetary commitment to keep it operational -- not only through regularly upgrading the hardware and software but also having the staff required for the inevitable daily maintenance.


CASE STUDY: Poway Unified School District

District: Poway Unified School District (PUSD); Poway, California

CTO: Charlie Garten, Executive Director of Technology

email: cgarten@powayusd.com

website: www.powayusd.com

 

Context

 

District. PUSD is a relatively large district in southern California. There are 34,000 students, about 5,000 FTE employees, 34 sites including schools and other buildings, and over 8,000 computers.

 

Infrastructure. Each school has a LAN and we are tied together with a WAN. All the schools have at least two drops with Internet access in every room, and phones and cable TV. About 70 percent of the schools have GB backbone and 10 or 100 have switched to the desktop. The other 30% varies: two schools only have a 10 switched backbone and shared to the desktop. All are being upgraded to the standard of 6 drops in each room: four data, one phone and one TV -- we passed a bond to do this 2 years ago.

 

IT Organization. Technical support has 20 people and Information Services has 11 including clerks and administrative assistants.  We have never had a separate budget for security until this year; the firewall was put in as part of the District Office LAN budget.

 

Security – Lessons Learned

 

Technology is important at PUSD. Even so, our culture simply did not take security seriously—we had no written policies and no security procedures—until there had been two serious hacks into our networks. We’ve also had problems with passwords and viruses.

 

 

Passwords. Our initial security problems arose internally when teachers gave their passwords to students. Teachers tend to be trusting – sometimes too trusting! -- and don’t realize the problems that giving students access can cause.  

  • Security breach: We had two incidents where students used passwords, given to them by a teacher, to then break into the computer system. In one case a student was able to enter into our student information system and download sensitive information about other students. He then printed this to his web page. Luckily, it was quickly noticed and removed.
  • Damage control: The potential lawsuits did not occur. But we knew that it could have been worse.
  • Lost time: As in every case like this, the staff time searching for the breach and then working with the authorities took away from duties that support student learning -- and that is the real shame.
  • Remediation: We publicize these problems and that awareness raising seems to have really helped the lesson sink in. We’ve had no problems of this nature for the past three years.
  • Acceptable Use: Interestingly, the new teachers entering the system seem to come in already understanding the need for password protection. We’ve now developed a new Acceptable Use Policy clearly describing our password policies and other related issues, which is currently being reviewed by the local Board of Education. Once approved, all employees must sign the AUP as a condition of working in PUSD. Ironically, the kids are already smart enough about password protection!

Viruses. The second type of attacks we have faced are related to viruses. Dealing with viruses, worms, Trojan Horses and the like requires constant effort.

  • The cost: At various times we’ve been down for one to two weeks with the entire Technology staff working 14 hours a day, 7 days a week to clean everything up.
  • The rising malware tide: For a while it seemed that every email virus that came out was hitting our server. We were in the impossible position of trying to stop the spread after it had already hit. That was unacceptable.
  • Gaining control: New protection plans were evaluated and one selected that has proven to be able to stop the viruses at their introduction. We now seem to have good protection, but you never know.

Hackers. The third type of problem was hackers. We’ve only had three real hackers come after us.

  • What motivates a hacker? One challenged us to find him.  He and his friend were sentenced to jail after school and had to pay PUSD for the time and trouble to catch him.  Another hacker was just trying to make some money selling hard drive space – on our computers.  He took advantage of a hole in some software we had on a server in the DMZ to carve out space and sell it to his friends.  It was a lucky accident that let us catch on to his racket – and to catch him. He was very good! 
  • Gaining control: That is when we decided to have the security audit.

 

People, Policies, & Technology

 

Awareness. One of the biggest people challenges was getting the district’s thousands of employees to understand the importance of protecting their passwords. We also learned that we needed to pay more attention to keeping our IT staff trained and aware of security issues. We have created a four-person Security Committee, including the supervisors of Tech Support and Data Systems, as well as someone from the user training program. But even so, we know that the amount of specialized work required to stay on top of this issue requires us to outsource a lot of the work.

 

Governance. We simply didn’t have written policies or set procedures. We didn’t keep up with patches. Doing a complete review of what we did, adding the things we should be doing, and then documenting it all down in our policies and procedures lets us sleep a little better and monitor ourselves.

 

Technology. We needed to install new tools to monitor servers and increase the security around our wireless access points. As wireless became a popular alternative to hard wire, unapproved access points were installed and of course the firewall was compromised. We are setting up both software and hardware solutions to help make this environment more secure.

 

Management. At a deeper level, we discovered that we had trusted our vendors too much -- two times the enterprise software had holes that left us open to attack. Once a student was able to enter our network without our knowledge and erase teachers’ web pages. The second incident was only discovered by a team of auditors we hired to check our server vulnerability. We yelled and screamed -- in both cases the company did the fixes.  On one it was easy. They just eliminated the backdoor password. On the other the company had to rewrite that part of their software and do a “new release.”

 

The Wake-up Call

It was the hacks that gave us the wake-up call and the need to protect information that we were collecting for our NCLB reports. Unfortunately, our past culture of not worrying about security hurt us because I had to make a case for security after the hackers had already gotten in.

 

The power of a security audit.   The Security Audit was another key tool in expanding district support for increased security efforts. We knew we needed improvements, but the Audit showed us things we hadn’t thought of and gave us a prioritized action list. In a sense, the Audit helped us sell the need that we already knew we had. Since new security issues keep emerging, we plan to keep calling in the outside auditors every 18 months or so to get their opinion on where the next round of security problems are impacting us.

 

   Our first audit documented security issues in the areas of wireless access, the accessibility of the special education database we had created, in the protection of sensitive documents, in our lack of event logging, our uneven speed in updating patches, and our need for a full-time person focused on cyber security. It also helped us focus on the security needs of the data warehouse we are now building. The warehouse gives us the ability to organize and present a large amount of data to our teachers, and in the future students and parents. We have kept this information internal until we are confident a strong security system is in place to protect the data from being released to inappropriate people.

 

Wisdom of Hindsight

 

Take security seriously! And don’t assume you know it all or can handle it all yourself. Get an outside audit – what you don’t know can hurt you. An audit provides an independent and fresh set of outside eyes that can validate what you are doing well and help you build a case for investing in the areas that are weak. It provides a context for getting input and support from your staff, parents, students, and community.

 

Acceptable Use requires buy-in: We learned that you need to have a regularly updated AUP for both students and employees. To get top-level buy-in, we developed a set of policies for approval by our Board of Education. We have a regular schedule and process for dealing with upgrades and patches. We are reading a lot more articles about security. We’ve assigned someone to be our Chief Security Officer. Make sure your Security Committee includes a representative from the learning side of the house so someone can bring up the user's perspective when the techs want to lock down everything so very tight! And we’re working with the CoSN Cyber Security Project!

 

More use requires more security. It’s our experience that as technology use increases and the user community's skill levels go up, the IT staff needs to pay much more attention to security, to do more testing, and to keep upgrading their policies/procedures. But this is a “problem of success” for all organizations. For example, as ATM card use spreads from just banks to stores and other places, look how security problems arose.

Business people think that it is easy to lock down computers -- but remember the only safe computer is one not turned on! We have all the challenges of business and the added challenge of meeting instructional needs. We have more programs to worry about than most businesses and many more “curious” users. But we need it open enough that teachers can use it for the job of education, which is learning. That is the rub… Too much security will cause a backlash.

 


CASE STUDY: Tomah Area School District

 

District:   Tomah Area School District; Tomah, Wisconsin

CTO:   Paul Potter, Director of Technological Infrastructure

Email: PaulP@tomah.k12.wi.us

Website:   www.tomah.k12.wi.us

 

Context

 

The District. Tomah Area School District is located on the western side of Wisconsin. The district has just over three thousand students and 450 staff in a high school, middle school, seven elementary schools, one alternative center, and several administration buildings. About 28% of our students are eligible for free and reduced lunch and we can’t assume that most students have access to much technology at home.

 

Infrastructure. The district ties its nearly one thousand Windows XP Professional workstations together via T1 lines and leased fiber optic lines. We have a T1 to the Internet connected at our district office. All of our buildings are hubbed back to our district office so that we have one control point for Internet access. We have 6 buildings connected to the district office with fiber (100Mb) and the remainder of the buildings are connected back to the district office with T1 lines.

In the high school and middle school the only classroom computers are teacher workstations. Student access is through two general purpose labs and seven subject specific labs. Some of the elementary schools have labs, others are fully wireless with laptops that rotate among classes, and others have a number of computers in each class. All kindergarten, first, and second grade classrooms also have mini-networks used to run the Waterford Early Reading program. We have had no pressure to go beyond this.

 

Students get regular technology training. K-2 gets a minimum of 1/2 hour per day. Grades 3 to 5 varies according to the specific teacher ranging from approximately 1 hour per week to an hour per day. At the middle school they receive technical training at a minimum of an hour per day. At the high school it depends upon the courses that they take but an hour per day is probably average.

 

IT Organization. The district technology department consists of a director and two technicians. Our focus is on keeping the system running at an optimal level. The entire technology department staff fields tech-help calls and emails throughout the day. We also do a weekly stop at each building and perform a walk through to help staff. What keeps us alive is using remote assistance as much as possible.

 

There are also two technology related committees: Technology Curriculum and Technology Advisory. The curriculum committee deals with what is being taught to students in regard to technology and the advisory committee works with issues between staff and technology.

 

We do training around how to use our internal administrative programs. However, we hire our local CESA to train teachers on instructional integration.

The IT department has emphasized security since the beginning of the district’s network environment nine years ago. We have not had an outside audit, but we perform security tests throughout the year using a number of procedures. We have a number of disaster recovery plans in place with focus on core systems (such as student records). We maintain our entire student record system on three systems at all times (the main server, a laptop and an off site server). All servers are under lock and key which only technology staff have access to. In buildings that we don't have our own room we have cabinets that house the servers and they are locked at all times. The servers all have battery backup (power cleaning) systems. All of our buildings have a fire alarm system and our main server room has a heat detection system which triggers an alarm if the temperature gets at or above a set temp.

 

The district spends approximately $300,000 annually, of which approximately 10% is spent on security.

 

Our Story

 

Security delivers Reliability. “Security First” has been a motto of the Tomah Area School District since the beginning of our networked environment. Many educators would argue that students must come first; we believe that by putting security first we are doing just that. By maintaining a very secure environment Tomah Area School District is able to provide a very stable environment for teachers to teach and students to learn. As a result, we have not had a single virus or worm outbreak since the beginning of the district’s networked environment – a comment few networked environments can make. We have teachers come in from other schools and be amazed that our software works, our network doesn’t go down, and everything works the way it should!

 

A tightly-run ship. We don’t have an extremely high student-computer ratio. This is a very misleading number anyway, as many districts that boast a good student-computer ratio have ancient computers to make this possible. We believe in quality, not quantity. We liken the ratio to a train: for so many cars you need an engine. If you don’t have enough engines the train doesn’t move. With this in mind, we don’t want to have more than our staff can manage and sustain. We have a five year warranty and then we send machines to a recycling program. This keeps our equipment standardized and up to date. Our current minimum is an 850 MHz processor. We only have about one machine failure a month! If you have aging machines you will have problems that eat up staff time and discourage teacher use. Financially, we think we’re better off building the upfront cost of regular upgrades into our annual budget than having to pay for another staff person to run around putting out technical fires.

We have saved money by developing all our own administrative programs – accounting, student records, grades, attendance, budgeting, purchase orders, transportation, maintenance, some of which are now web-based over our Intranet inside our firewall. We’re now expanding those systems to allow teachers to create and give tests on-line, and for students to look at their grades, their food service balance, attendance, and more. We’ll also allow students to email their teachers and do some emailing among themselves – student email has been controversial because some people think it will only be another form of note passing and facilitate cheating.

 

Innovation requires cautious, evolutionary approach. We started by emphasizing administrative, everyday uses of technology. Then we moved to staff communication and email. We’re now at the stage where technology integration in the classroom is occurring, but that’s slow going due to staff members with varying skills and desires regarding technology. Of course, the technology classes have always been ahead of the curve – students in web design or MS Word classes have had accounts for years – and there are enthusiastic teachers whose students are active users and whose academic classes are coordinated with the computer classes. We’re beginning to see more elementary teachers using Inspiration, Smart Boards, and Internet resources for social studies. In the upper elementary grades technology is primarily used to reinforce academic skills. Learning how to use PowerPoint or other general programs is not a focus – what good is using PowerPoint if you aren’t reading at grade level! Learning how to use these generic programs picks up again in middle and high school.

 

 

Security Methods

  • Remote maintenance. We do almost all maintenance remotely. Once they are installed, about half our machines don’t need to be physically touched again by us until it’s time to remove them.
  • Desktop Lockdown. Our policy is to lock down those machines as much as possible. It’s just insanity to have to ghost a lab and re-image every night – it shouldn’t be that way. It’s reactive instead of proactive. We use Windows XP Professional Active Directory Group Policy Objects to prevent anyone from installing software except the IT department. No one can write to the local hard drive – every building has its own file server drive that staff and students can use.
  • Relentless maintenance. We do nightly scans to check for new programs (often games), attempts to log in as administrator (which are often done in a way that allows us to figure out who did it), and file manipulations.
  • Password discipline. From the beginning, we required everyone to change their passwords every 45 days. Staff has some issues with this, but it has become common practice now. We monitor daily the security logs on domain controllers for logon failure events in an attempt to find password brute force attacks – we lock down accounts after five logon failures. On occasion, we will also scan successful logon attempts by building, which is much more difficult to do, to attempt to find users logging on in "strange" places. (This is a bit like a credit card company calling you about usage in Africa.) Our plan is to maintain a listing of computers a user "normally" logs on to and when the scan is performed differences will be flagged.
  • Laptop Limits. We don’t allow people to connect their own machines to our network or to take our laptops home. We want full control over anything that attaches to our system. They can bring their jump drives, CD RW Drives – but these are scanned when they reconnect. When the operating system can better handle security with newly attached equipment, we’ll allow it.
  • Multilayer strategy. We take a multi-layered approach to security in all areas where it is possible. For example, we use Postini to provide email filtering/virus scanning and we back that up on the Exchange 2000 server with Trendmicro ScanMail, on workstations with McAfee, and keep it all monitored with EPolicy Orchestrator. We also have a Cisco PIX hardware firewall and an internal Microsoft ISA 2000 server running N2H2 Bess filtering. We use Software Update Server from Microsoft to push patches to all workstations.
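
The failed-logon check and the planned "normal computers" comparison described under Password discipline, sketched as an added example (not the district's own scripts). The CSV layout, account names and computer names are constructed assumptions standing in for an export of domain controller security logs.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample data: date,user,computer,outcome (layout is an assumption).
BASELINE_LOG = """\
2004-03-01,jsmith,HS-LAB1-04,success
2004-03-01,jsmith,HS-RM212-01,success
2004-03-01,mlee,ES-RM105-01,success
2004-03-02,mlee,ES-RM105-01,success
"""
TODAY_LOG = """\
2004-03-03,jsmith,HS-LAB1-04,success
2004-03-03,jsmith,HS-RM212-01,failure
2004-03-03,mlee,HS-LAB1-07,success
2004-03-03,newsub,ES-RM105-01,success
""" + "2004-03-03,tbrown,ES-RM110-02,failure\n" * 5
LOCKOUT_THRESHOLD = 5  # the page locks accounts after five logon failures

def parse(log_text):
    """Yield (date, user, computer, outcome), skipping malformed rows."""
    for row in csv.reader(StringIO(log_text)):
        if len(row) == 4:
            date, user, computer, outcome = (field.strip() for field in row)
            yield date, user.lower(), computer.upper(), outcome.lower()

def build_baseline(log_text):
    """Map each user to the set of computers they normally log on to."""
    baseline = defaultdict(set)
    for _, user, computer, outcome in parse(log_text):
        if outcome == "success":
            baseline[user].add(computer)
    return dict(baseline)

def failure_suspects(log_text, threshold=LOCKOUT_THRESHOLD):
    """Return {(date, user): failures} for users at or over the daily threshold."""
    counts = Counter((d, u) for d, u, _, o in parse(log_text) if o == "failure")
    return {key: n for key, n in counts.items() if n >= threshold}

def unusual_logons(baseline, log_text):
    """Return sorted (user, computer, reason) for successes outside the baseline."""
    flagged = set()
    for _, user, computer, outcome in parse(log_text):
        known = baseline.get(user)
        if outcome == "success" and (known is None or computer not in known):
            reason = "no baseline" if known is None else "new computer"
            flagged.add((user, computer, reason))
    return sorted(flagged)
```

Accounts with no baseline yet (a new hire or substitute) are reported separately from known users on an unfamiliar computer, so the first scan after an account is created does not look like a compromise.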

Security worries: wireless weaknesses and user sloppiness

  • Wireless. Our biggest worry is the wireless access points. The MAC filtering and WEP encryption are both beatable. It keeps out the average Joe, but we rely on our deeper levels of security to protect us. Our servers are locked down with no public access or guest accounts.
  • Users. Our other big concern is user sloppiness. Kids give their passwords to someone else. A teacher will leave their room unlocked with the computer running and logged in. We run a script that turns everything off at 6 PM and we then contact the person in the morning to remind them of Board policy about not allowing unauthorized access. Fortunately, so far none of this has led to a major problem – at least, none that we’re aware of!

 

Balancing security and functionality

  • User and Leadership Support. We don’t get a lot of complaints anymore about our security policies. People compare the level of functioning of our system with the virus and spam problems they experience at home, and they appreciate what we’ve done. Whenever a major new problem arises, we send an email to the staff telling them about it and also giving them suggestions about how to safeguard their home systems. This makes them both aware and more appreciative of what we’re doing. Many of these emails then get forwarded to other people in the community, and we sometimes get emails from them thanking us for the information.
  • In Tomah, you may have to wait a bit to get a new program loaded, but it will work. By testing software before it is installed, our IT staff doesn’t have to waste all its time dealing with post-installation problems.
  • Control. We attempt to control everything that we can control, which we believe creates an environment free for student learning. We could get tighter, but it’s a balance. We block access to web sites that aren’t deemed educational because we are an educational system not a computer system provider. We want students who graduate from Tomah to be security aware, to understand the reasons why security is important, which we think will be better for our community and country.
  • Political support. Our School Board fully supports our approach. All important security policies have been passed by the Board. If students, or staff, violate things too much, they lose their access. We trust no one. This may come across as a harsh statement but the safety of your network cannot rest upon your users. Tomah Area School District believes that user knowledge regarding security is important and it proactively informs its staff about security issues but it in no way relies upon that knowledge for the security of its network. A case in point: there is no reason why teachers need to receive executable files in emails! Blocking these emails from entering your network removes the need to rely upon users to make the correct decision.

Wisdom of Hindsight

  • Test Software Before Purchase. One of the major hurdles we deal with is the lack of security support from educational software vendors. Many of these vendors developed software to run on Microsoft Windows 98 (or previous versions), which has no form of security. With the transition to a secure environment their software “breaks”. A perfect example of this is software vendors writing temporary files to the root of the hard drive a program is running on or the Microsoft Windows system folder. These are major design flaws vendors need to address. With this in mind our environment requires extensive testing of software to make sure it will run correctly in a “locked” down system.
  • Allow Technical People To Make Technical Decisions. One of the largest mistakes educators have made is to allow non-technical people to make technical decisions. Hire a highly skilled technical person and trust their judgment regarding the technical side. Allow your non-technical people to make decisions that operate within the parameters defined by your technical staff.
  • Read. Technical staff needs to have time to read and expand their technical knowledge base. Informed technical staff is key.

 

Some of the Products and Services Used in Tomah:

  • Microsoft Windows 2000 Server
  • Microsoft Windows XP Professional
  • Microsoft SQL Server 2000
  • Microsoft Exchange Server 2000
  • Microsoft ISA Server 2000
  • Microsoft Software Update Services
  • McAfee VirusScan Suite
  • TrendMicro Scanmail for Exchange
  • Cisco Callmanager
  • Cisco Unity voice mail
  • Postini email filtering service

 

Board Approved policies: www.tomah.k12.wi.us/policy/EDCA2.pdf


 

 
A Leadership Initiative of CoSN