STOP REACTING AND START IMPROVING YOUR SECURITY
How do you ensure your security is up to date and your security operations are functioning appropriately? The answer: continuous improvement. Here’s how two districts tackle the challenge.
The Park Hill School District in Kansas City, MO, is a prime example of a district that has made signiﬁcant gains across the board in school safety and security by looking ahead. During the last 10 years slow and stable student growth has allowed Brad Sandt, director of technology, to take a long view of any technologies deployed at the district. “We’re talking about doing netbooks here, maybe in a year or two,” he offers as an example. “We know that’s at least a year out. But many of our project meetings in IT are related around, ‘How do we take on the growth of as much as a 4,000 to 5,000 new devices in the district?’”
Planning for such a major undertaking, especially including protecting and securing all the devices, requires focusing on a few key areas. The district, which won the 2009 Missouri Quality Award (a statewide version of the Malcolm Baldrige National Quality Award), says that the key to keeping its schools safe is working toward continuous improvement in its processes.
That focus on process improvement can translate into broad mandates, such as incorporating stakeholder feedback into policies and plans, as well as small measures, such as checking key factors in verifying personal information when somebody calls in to get a password reset.
“A good process can help determine priorities,” Sandt explains, “including assessing the readiness of the department to take on that challenge. If it’s something like surveillance cameras, do we have the bandwidth both from a staffng and a network perspective?”
Planning ahead—even when the future is foggy—is also an essential aspect of Park Hill IT operations. “We put in ﬁber six years ago knowing that these types of hardware systems might need to be put in place,” he says. The same could be said for anything else that’s network intensive, such as an expanded IP video surveillance or access control system. The ﬁrst mistake a lot of IT people in school districts make is to approach security with a single project in mind, says Sandt. “What I’ll see happen in other districts is that somebody decides it’s important to do video surveillance cameras. So they buy cameras, then they say, ‘Oh, can our network support this?’ If you’re being reactive to those things, more often than not it will cost more money and take a lot longer than people will be happy with.”
To ensure strong planning and a systemic approach to continuous improvement, Sandt taps a service advisory committee that advises the IT organization. That group includes teachers, principals, technology reps, office staff , classiﬁed staff, and even a student from the high school.
In July 2009 the district implemented a service level agreement for all users. “We have complete criteria on every incident—how quickly we should expect to respond and how quickly they can expect to have somebody ﬁx it,” Sandt explains. The service committee provided input on timelines and incident types. “What we’re trying to do in our department is make sure we’re delivering clear expectations for our users. In the long run, we think that will reduce the number of service incidents and unsatisﬁed customers.”
Annually, Park Hill reviews its processes and relies on stakeholder input, including the service advisory committee, to help create positive change. An example is the recent decision to improve the process for how software and hardware gets approved for use in the district. Now users go through a self-service portal to make requests, removing the previous manual intervention.
Katy Independent School District in Texas is a much larger, faster-growing district. Pursuing continuous improvement while still keeping up with the pace of adding 2,000 to 3,000 new students demands a solid foundation encompassing knowledgeable staff and consultants and no-nonsense procedures, says CIO Lenny Schad.
One no-nonsense procedure is the district’s practice of locking down all desktops to control what’s installed on them. When a new security patch comes out, the systems engineering group or network management team follows an extensive change control process for reviewing the patch and performing the auto-installation of it. “We do it all through Microsoft,” says Schad. “Our patch management is ﬂawless.”
The IT department also continually looks for opportunities to review and rework its internal controls. Right now that’s happening as part of a new enterprise resource planning application deployment. Through that process, Schad expects to streamline a lot of tasks that used to be manual. Traditionally, for example, employee provisioning “always relied on word of mouth or e-mail to make sure that person was removed from the subsystems,” he says. “We’re not different from any school district out there. We have a lot of employee movement. So we’ve implemented a pretty stringent rights and access review each year. A person is a registrar this year, a secretary next year, and so on. Each one of those roles has completely different rights and access to systems.” With the ERP system those changes will be automated.
Another key procedure occurs when a new technology proposal comes to the table: It gets reviewed by Schad’s staff from a security standpoint. For major projects, he also seeks out opinions from internal and external experts.
For example, Schad has chosen a video surveillance system that works with both analog and IP-based cameras. “I wanted to ﬁnd a system that wouldn’t ‘ﬁx’ me to analog, and I wanted ﬂexibility as IP cameras work the kinks out and become more affordable,” he explains.
Since Katy typically opens between one and ﬁve new campuses each year, the district follows a standardized approach to camera placement. As a new school is designed or retroﬁtted, facility plans are sent to an external security specialist, who recommends where the security cameras should be. Then Schad’s team visits with the principal of each school to go over the plan and make tweaks. “We rely on a security expert to tell us where to put cameras as well as the experience of the principal on site,” he says. That approach reduces reworking the setup.
For the largest initiatives, such as one upcoming to deploy public Wi-Fi at all campuses, Schad bounces the plans off of three or four experts. “Then once we’ve implemented it, I’ll probably have some expert come in to review the strengths and weaknesses of the conﬁ guration,” he says. “Also, we can talk to them about what issues we’ve seen.”
The foundation of those security assessments is gaining an understanding of the district’s level of risk tolerance. “I just had an external company come in and do a risk evaluation,” Schad says. “It looked at our capacity for risk, then came back and said, ‘Here’s where you ﬁt.’ I was really pleased with the outcome of that.”
That assessment enables Schad to gauge what kind of appetite district stakeholders will have for particular undertakings — such as a project to allow students to use their own mobile devices on district campuses. “You have to get your staff and community to understand the need for and importance of security,” he says. “They need to understand that risk point they’re sitting at — and decide if they’re comfortable with it. If they are, you’ve done your job as CIO.”
THE VALUE OF A FEEDBACK LOOP
Although the goal of continuous improvement takes different forms at the Park Hill and Katy districts, their IT organizations share one common attribute: Neither works in isolation. They use district stakeholders and external experts to clarify the focus, and they establish a feedback loop for judging how effective their efforts are. That feedback allows them to adjust and ﬁne-tune direction. Plus, it conﬁrms the value and validity of new initiatives as they’re being developed and implemented.
BREAKTHROUGH SECURITY: TAKING A COMPREHENSIVE SECURITY APPROACH IN K-12
Your school district has firewalls up, acceptable use policies in place, and surveillance on the job. But how well are your cyber security and physical security mechanisms really measuring up? This report examines strategies for achieving greater impact from your security efforts by hitting on the challenge from multiple angles.
School districts have matured in their approaches to security. These days it’s the truly rare school that doesn’t have a ﬁrewall installed and a resource officer on watch. But the leading districts — those on the innovative edge of technology — have really excelled at improving their security operations even in the face of a growing number of security risks, diminished budgets, and increased staff workloads. The secret? Taking a comprehensive approach that encompasses cyber and physical security elements along with focusing on the users and their behavior. And, just as important, these districts are prepared to notify everyone, including the community, in the unlikely event of a disaster. Here are some lessons to help districts achieve greater security coverage.
SEEK BETTER INTERNAL SECURITY THROUGH EDUCATION
Achieving better internal security in the K-12 technology environment requires, at a minimum, applications for locking down computers so that no new applications get installed and limiting what websites users can access. But at the same time it’s no secret among IT professionals that bright students can cause the greatest security challenges. How can a district balance the need for controls with the educational advantages of a fairly open network?
Lenny Schad, CIO for Katy Independent School District outside of Houston, understands the conundrum. He recalls a conference where the speakers declared that the largest concentration of hackers in the country resided in K-12. “All it takes is a student to walk by a teacher’s desktop and plug in a thumb drive loaded with keylogger software,” Schad points out. “That kid has the keys to the kingdom.”
To prevent internal threats, the 57,000-student district relies on multiple layers of security monitoring and prevention software on its PCs and servers. But that’s just the start. Rather than simply trying to keep up with an ever-changing landscape of threats, Schad believes in educating district users to be responsible for their cyber security. That, too, takes multiple forms. The result, he believes, will be broader awareness of the problems cyber breaches pose to all users.
“I have a real problem with the controls we’re forced to do,” Schad says. “For seven hours a day we wrap our kids in this really tight cocoon. We tell them where they can go and prevent them from doing bad things. Then they walk out our doors and for 17 hours they’re playing in the real world. I understand [Children’s Internet Protection Act] compliance. I completely support it. But I think we’ve gone too far to the extreme. I want to talk about digital citizenship, so when kids walk out the door and go into the adult world, and they’re on laptops in their bedrooms, they’re better prepared than they are right now.”
During the current school year, Katy ISD created a centralized group of technology integration specialists, staff who were formerly dedicated to individual schools. Their complete focus is now on technology in the classroom. Part of their new mission, according to Schad, “is helping students, teachers, and parents understand what it means to be digital citizens and the responsibility that goes with that.”
Because these people were on speciﬁc campuses prior to the reorganization, they have a lot of inﬂuence among users at the schools, he adds. “It’s really helped to get depth and breadth out into the campus because it’s not just the IT people pushing the cyber security initiative anymore.”
That push for personal responsibility also permeates Katy ISD’s approach to acceptable use policies. According to a 2009 security survey by CDW-G, 40 percent of districts report that they’re enforcing their acceptable use policies in order to strengthen net work security. But simply setting rules isn’t enough, according to Katy’s Schad. “I want people thinking not just, ‘Here’s what you have to do,’ but also ‘This is how you behave appropriately in a digital world.’”
During the spring semester Schad is hoping to hold a community event in which high school students talk to parents about digital citizenship, “where parents can come in and kids will talk about what they do on Facebook. Then we’ll get up and show security settings on Facebook and MySpace to heighten the awareness. Incorporating students into this presentation will get much better turnout from a parent perspective than if we just host it and I sit in front of a group of parents.”
BUILD A BUSINESS CASE FOR PHYSICAL SECURITY
Cyber security is no longer the only kind of security focus for IT staff. Physical security is a growing area of responsibility as physical breaches become more common occurrences on campus. Two-thirds of respondents to the CDW-G survey reported break-ins, unauthorized people in a school building, and vandalism. Lest one thinks these events don’t concern IT staff, more than half of the reporting districts said they’d lost both physical assets and IT staff hours in dealing with the repercussions of the breach. An additional IT concern is that physical security often relies on the district’s networks to transport images and data. But investment in this area—for either access control systems or video surveillance—is being delayed for lack of funds at 69 percent of districts surveyed. How does a district get the money it needs to implement the measures it wants?
The IT organization at Park Hill School District in Kansas City, MO, wasn’t alone in making the business case to its school board to improve its physical security. The district also had the support of its parents. Data regarding parental concerns came from a survey performed among district patrons by a capital planning committee about four years ago.
“Part of what came out of that survey was that security was a really important item for them in their child’s education,” says Brad Sandt, the district’s director of technology. That same committee also put together a plan for a districtwide project to control access to buildings and provide video surveillance.
Park Hill uses surveillance cameras in its hallways and offices at every campus to transport images via the district network. But this year the district implemented a full-time video monitoring center, staffed from 6 a.m. to 11 p.m. To help the center do its job better and to address the “handful” of incidents that occur externally each year, the district had begun to add video surveillance on the outside of buildings as well. As Sandt explains, however, “The funding for that was coming out of the annual operating budget, so it was a slow implementation.” Now the district has received a $280,000 infusion from the American Recovery and Reinvestment Act (ARRA), which will be used to expand the camera system to exteriors as well. (See sidebar: “Funding Source: COPS Safe Schools Grants.”)
To ensure that the district received optimal value from its access control efforts, Park Hill debated long and hard about what it should consist of, Sandt recalls. The ﬁnal decision: Only some doors have badge readers to allow authorized people to open them; but every external door (450 of them across the district) has an access control mechanism on it. “The purpose of monitoring your front door with an access control system becomes less worthwhile if the back door can be propped open and nobody knows about it,” he says. “It was important for us to have a total view of our facility on any external entry point.”
MOVE BEYOND PHONE-BASED EMERGENCY NOTIFICATION
Before adopting newer forms of communication, such as texting, a district still needs to assess its community’s preferences. Katy ISD doesn’t use text messaging currently. CIO Schad says that it’s far less a “technology issue” than it is expense. “When you start to text, you get into costs. How do you handle all the various customizations? Some people aren’t on unlimited texting plans. They say, ‘You’re charging me. I’m paying for your messages. I don’t want them.’”
Until those issues are worked out, Katy ISD relies on an automated call service and a web portal available to parents for notiﬁcation. But the district has also discovered the power of social networking, speciﬁcally, Facebook and Twitter. Recently, the district’s ﬁber-optic cable was cut to one of its facilities, taking out phone and internet service in the building. Most staff have cell phones, Sandt explains. “So the principal got the message out via Twitter to about 50 to 60 percent of the staff .”
LEAN ON VENDORS FOR HELP
The CDW-G survey reports that 88 percent of respondents have wireless networks in their districts. Schad says. “I don’t think public education has a choice anymore about wireless and embracing this mobile concept.”
But a less common—some would say risky—initiative that Schad is working toward at his district would allow students to use their own wireless mobile devices on campus. Although student-owned technology is the norm in institutions of higher education, K-12 is still in the early adopter stage.
“We’re fortunate in Katy,” Schad says. “I think there’s going to be a high percentage of kids out there with internet-enabled devices, whether cell phones, netbooks, or laptops, that they could bring into the classroom.” Letting students use their own gear would minimize the need for the district to fund a 1-to-1 initiative. On the other hand, such a program will introduce new security challenges, such as the coexistence of both private and public Wi-Fi networks at every school, and the need for network access control to keep out rogue devices and update user devices to safe standards.
Schad is looking at implementing the new program in fall 2011; but first he has to work with his networking partner, Cisco, on getting the infrastructure set up correctly. That includes getting the vendor to help chase after grant money to fund the project. “I’m telling my vendors, ‘It’s in your best interest to help me get this grant. It’s going to be your product that I’m using. So why am I doing all the legwork to write this grant?’” he says. “And I think that’s what more school districts need to do. We’ll be relying on grants and alternative funding sources beyond the state and bonds. We need to bring vendors into that mix to help us. They need to be out there identifying opportunities and helping us write grants.”
STAYING SAFE FROM ALL DIRECTIONS
School districts all face comparable security problems and funding challenges. But the leading districts have figured out creative ways to use a variety of resources to layer on their security solutions. That requires examining all aspects of the security plan, making sure the infrastructure—both technology platforms and staffing—will support the new initiatives, getting buy-in and participation from the district community, and drawing help from whatever resources are at hand, whether they be vendors, advisors, or staff and peers. The payoff—safer, more secure schools—is worth the effort.