By Dr. Ramiro Zuniga

There is no doubt that just about everyone has been thinking about data and network security across the K12 spectrum. I have had recent conversations with School Board Members, parents, school district auditors, solutions vendors, and many school district security personnel. It seems that every conference that I have recently attended has some presentation or discussion of security protocols.
If there is one thing that I can say about network and data security as it relates to school districts, it is that it is complicated. There are a lot of software products, hardware appliances, activities, and personnel involved. I have found that IT security personnel have always struggled with the process of organizing and documenting the security protocols that they carry out.
One of the more difficult things to accomplish is to organize the processes involved in securing a school district and its data. Regardless of this difficulty, Technology Directors will often be called upon to explain their security protocols. Taken together, these protocols are referred to as a Risk Management Plan.
Board members, parents, and other public school administrators want to feel confident that the IT Department is actively protecting the District. It is not enough for software and hardware to be in place. There must also be confidence that security personnel are thorough and consistently active in all their efforts.
Over the years, I have developed a simple way by which to organize these protocols. Although the concept is simple, the payoffs are many.
I have guided my security staff in the creation of a document that lists all the activities that they normally carry out. I then ask them to list them separately as activities carried out daily, weekly, monthly, and annually. I explain to the staff that these listings will be living documents, in that activities will be added, removed, or modified over time. Needless to say, this exercise absolutely requires time and thought in order to do properly, but it can be done.
So, what are the benefits?
First, IT security personnel generally react to this exercise in a positive manner. This exercise allows them to take inventory of their procedures. Oftentimes, this leads to tweaking of processes, simply because staff consciously review the activities that happen at each interval. IT security personnel also like the benefit of being well prepared for an IT audit.
A second benefit is that these listings can be compiled and converted into a formal Risk Management Plan. This plan, which illustrates the processes and the ongoing nature of security, works well when given to an auditor during an IT audit. Ultimately, positive IT audits build confidence in the IT staff.
Another benefit is that these listings can literally be used as checklists to ensure that the protocols are carried out. Security staff can print them out, go through the processes, sign off, and file the checklists. Technology Directors can easily follow up with personnel by spot checking to see that processes are being carried out in accordance with the plan. This type of easy follow up eventually creates a higher level of consistency in practice.
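The same listings can be kept in a machine-readable form so that the day's checklist and the Director's spot check fall out of the inventory automatically rather than from a stack of paper. The script below is an added example written for this article; it is not the author's document or any district's plan. The activities, owners, and sign-off dates in it are constructed for illustration, the 30-day and 365-day periods for "monthly" and "annually" are simplifying assumptions, and the rule that an item becomes "due" after one period and "overdue" after two (or if never signed off) is my own choice.

```python
"""Cadence-based security activity checklist (added example, not from the article)."""
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional, Tuple

# The four intervals the article uses, expressed as a period in days.
# 30 and 365 are approximations chosen for this example.
CADENCE_DAYS = {"daily": 1, "weekly": 7, "monthly": 30, "annually": 365}


@dataclass(frozen=True)
class Activity:
    """One recurring security activity from the staff's inventory."""
    name: str
    cadence: str                      # "daily", "weekly", "monthly" or "annually"
    owner: str                        # who signs it off
    last_done: Optional[date] = None  # None means it has never been signed off


def period_days(cadence: str) -> int:
    """Length of one cadence period; rejects intervals the scheme does not define."""
    if cadence not in CADENCE_DAYS:
        raise ValueError(f"unknown cadence {cadence!r}; expected one of {sorted(CADENCE_DAYS)}")
    return CADENCE_DAYS[cadence]


def status(activity: Activity, today: date) -> str:
    """Classify an activity on a given day.

    ok      - signed off within the current period
    due     - at least one full period has elapsed since the last sign-off
    overdue - never signed off, or two or more periods have elapsed
    """
    period = period_days(activity.cadence)
    if activity.last_done is None:
        return "overdue"
    elapsed = (today - activity.last_done).days
    if elapsed < period:
        return "ok"
    if elapsed < 2 * period:
        return "due"
    return "overdue"


def checklist(inventory: List[Activity], today: date) -> List[Tuple[Activity, str]]:
    """Today's checklist: every activity that is due or overdue, daily items first."""
    order = list(CADENCE_DAYS)  # dict order: daily, weekly, monthly, annually
    items = [(a, status(a, today)) for a in inventory]
    items = [(a, s) for a, s in items if s != "ok"]
    items.sort(key=lambda pair: (order.index(pair[0].cadence), pair[0].name))
    return items


def sign_off(activity: Activity, when: date) -> Activity:
    """Record a sign-off; records are immutable, so return an updated copy."""
    return replace(activity, last_done=when)


def spot_check(inventory: List[Activity], today: date) -> List[Tuple[str, str]]:
    """What a Technology Director would review: (owner, activity) for overdue items."""
    return sorted((a.owner, a.name) for a in inventory if status(a, today) == "overdue")


# Constructed sample inventory: hypothetical activities, owners and dates.
TODAY = date(2024, 3, 15)
SAMPLE_INVENTORY = [
    Activity("Review firewall and IDS alerts", "daily", "Network admin", date(2024, 3, 14)),
    Activity("Confirm nightly backup jobs completed", "daily", "Systems admin", date(2024, 3, 15)),
    Activity("Apply pending server patches", "weekly", "Systems admin", date(2024, 3, 10)),
    Activity("Review VPN and remote access logs", "weekly", "Network admin", date(2024, 2, 20)),
    Activity("Review privileged account membership", "monthly", "Identity admin", date(2024, 1, 20)),
    Activity("Restore a backup to verify recoverability", "annually", "Systems admin", None),
    Activity("Deliver staff phishing awareness training", "annually", "Technology Director", date(2023, 3, 1)),
]


if __name__ == "__main__":
    for activity, state in checklist(SAMPLE_INVENTORY, TODAY):
        print(f"[{state:7}] {activity.cadence:9} {activity.name} ({activity.owner})")
    print("Overdue for spot check:", spot_check(SAMPLE_INVENTORY, TODAY))
```

Because the inventory is plain data, adding, removing, or modifying an activity is a one-line change, which keeps the listing the "living document" the article calls for, and the sign-off history doubles as the evidence an auditor asks for.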
And finally, a Risk Management Plan, as I describe it, is easy to understand. It is easy to explain that security personnel carry out activities daily, weekly, and so on. It is not necessary to provide highly technical jargon. Most administrators are simply interested in knowing that IT security personnel "are on top of it."