Monthly Archives: February 2011

Establishing an ‘SEP’ field is not always the best answer!

I’ve previously written about the importance of having some understanding about Project Management within a school. Generally this has been centred around change management and communication strategies, but a recent, local project has highlighted another area that needs to be looked at.

There are a number of national systems which have some interesting security requirements, and if you have ever had a look at the requirements for connecting to a GSi family connection then you will know what I mean. Thankfully, this is a rare occurrence in schools but it does mean most schools can get away with some shocking security breaches. When I started talking to some schools about Data Protection a few years ago it scared me how little understanding there is about security among some senior leaders. It also made me realise why so few councils give definitive guidance about data protection to schools.

The usual argument is that to have systems completely secured they would become unusable for teaching & learning … And I do agree with that. I’ve seen schools go over the top with restrictions enforced by network managers (who are only doing their job … and usually trying to stop the Head and/or SIRO being left open to legal challenge!) and it means that T&L suffers as a result (but it does mean the Head is not given a massive fine or sent to jail … Choices, choices!)

It all boils down to risk … and looking at how much a school wants to accept, how much is mitigated by choices and implementation of technology, how much is managed by policies and procedures and how much can be dealt with by common sense (the usual answer here is “very little”!)

In this article I will be looking at the risk in a school when accessing a secure government website such as the National eCAF website, while also trying to point out areas which need covering for the internal use of an MIS.

Risk Management in schools is not something which gets covered in great detail, and to try and give a complete course on it here would be difficult. Suffice to say that risk is a combination of the impact of something going wrong and the probability of it happening.

This chart gives you an indication of how to look at risk.

With risk you can choose to look at it as a threat or an opportunity. In the case of the areas we are looking at it is generally a threat, and you can deal with it in a number of ways (Risk Responses):

AVOID – stop the activity which introduces the risk

REDUCE – take action to reduce either the probability or the impact

FALLBACK – put in place actions which reduce the impact

TRANSFER – Put in place things which reduce the impact and often only the financial impact

SHARE – allow the risk to be spread across different people or groups

ACCEPT – know the risk is there, monitor it but accept that you will carry on as normal.

In the scenario of a school having a wireless network that does not meet the required security criteria, the impact is that someone could access your network and introduce something nasty onto it, which could compromise the computer being used to access the eCAF system. The impact on use of eCAF would be medium-high, but the probability would vary from low (e.g. if the wireless network is only just below the security criteria, such as using WPA) through to high (if you are using an open, unencrypted network which you have told the local community to use).

Looking at the risk responses above, here are some examples of approaches schools might take.

AVOID – The school stops the risk completely by purchasing equipment that meets all the security criteria. The school might also choose to turn off the wireless network completely. Both of these responses will be a problem for most schools … they are expensive or make learning nigh on impossible. Neither is likely to be a good response, to be honest, so common sense would say to look at other responses.

REDUCE – The school knows it should do something, but cannot buy new kit or turn it off. Instead it may try things like segregating the wireless network from other chunks of the school (VLANs perhaps) or try to do what it can to increase security (put some encryption in place and not share details with the local community).

FALLBACK – The school can’t afford to do much now, but it does plan to buy new kit over the coming year … so there is a plan for what to do for the future and the school keeps an eye on the machines being used for eCAF in the meantime to make sure strange stuff isn’t going on.

TRANSFER – The school might decide that it gets security advice in from a firm and follows their advice, knowing that should it go wrong they have someone who is to be held accountable, or they take out insurance to deal with any fines they may incur should it go wrong.

SHARE – It would be lovely to say the risk could be shared with the council, but this is about if you are sharing your network with someone like a charity, etc … and so are prepared to accept it as a combined problem.

ACCEPT – The simplest and highest risk option … the school knows there is an issue, but is happy to take the position that they are not worried, will deal with it if something happens and they will just try to be vigilant.

For those who recognise the above, yes, I know it is a bit of an over-simplification but I am hoping it gives enough of an idea of how to approach things with SLT in schools.

There are some good resources around about risk management (HSE can be helpful here) but the stance on risk will vary from school to school.

Most people will work from the position of giving advice on the position of least risk. I am not saying you will be breaking the law if you don’t follow the guidance and, if we use the above example, I am not saying that you need to buy a dedicated machine which has to be in a locked room where no-one else has the key. Those are idealistic positions … and roughly translate to advice on physical security such as “Don’t walk away from the machine whilst you are logged in and using eCAF … if you have to then lock the door on the way out. If you can’t do that then log off eCAF and the machine … or lock the desktop … or have someone else in the office who keeps an eye to make sure no-one else goes on the computer …” and so on, down the scale of risk responses. Most of this is also pertinent when using an MIS too.

I don’t think I could give you examples of each and every scenario as that would mean a bespoke risk management plan for each and every school. However, since most things are common sense then by sharing things with colleagues in, or supporting, other schools you should be able to spot similar issues.

All of the above is looking at security risks … but it applies to any project. Are you swapping your VLE provider? Are you doing a major upgrade of the Office Suite in the school? Are you moving more towards Open Source options? Every project has risks. Some are threats, some are opportunities … but you cannot plan properly until you have started to look at them.

The Ignorant Bliss Of The Idealist

It seems a bit strange to say this, but I may have said some stuff that was wrong. Yes … me … saying I could have been wrong. Then again I could have been perfectly right and this is just a cunning plan to make people feel sorry for me and make them pay attention to what I have written.

On Wednesday 2nd February 2011 a thread started on EduGeek.net around the fact that one of the respected regulars was happy to report that after some time they had been allowed to set up SIMS on staff laptops and then also allowed to remove full admin rights from Staff and lock them down. As a result they couldn’t install software, only change their background and add icons to their desktop.

Over the years this has been a continual battle for some members … to be able to take control and run their systems the way they should be run, with decent security, forcing staff to make use of the support team so that they can plan, stop viruses entering the network, and so on … I’ve been there myself and supported many others in similar positions. The problems that centre on Data Protection, security of files and data, prevention of network intrusion by non-school devices are real world problems …

But … and there is a big but … the simple fact was that I have a problem with people wanting to lock things down without due consideration for how it will affect the technology to be used for learning. I know that it might seem a bit strange for me to take this stance, but it is one born out of frustration.

My first point was that when software gets installed there is not time to test every single function, and quite often the first people to find these faults are teachers when planning lessons. By applying restrictions this can be made worse … from experience of macros in Access and Excel, templates in CAD/CAM software, preferences in Open Office, the ability to run embedded Flash files. Now, you could argue that this is a good thing as they are likely to find the same flaws the students would do when they try the same activities during lessons, but that isn’t why it happens in most places. In fact, having talked about this with some people over the years this has even been put forward as an excuse to use to be able to force staff to accept lockdowns. Not in many places … but enough for me to worry about it.

The next worry raised was about license compliance. After all, if you give people the rights to install software then how will you know what is installed? How do you know they will not put on ‘dodgy’ software, possibly downloaded from interesting sites on the internet, possibly borrowed from a friend, or what they think is legitimate software they have purchased from the market but is, in reality, as black market as the movies we all get warned about in those wonderful “you wouldn’t steal a car” trailers we get on DVDs? They might even remove software the support team has spent ages getting set up. Turn off the automated software updates and the anti-virus. The risks are endless.

But these are adults we are talking about. Grown people who are capable of following instructions if they are explained to them. And so we hit the next barrier. The argument that SLT do not back up the support team when they explain to staff how stupid they are when they do any of the above. It goes into a downwards spiral of either blaming staff who follow this route or SLT with no backbone … the only escape is to take control themselves … or convince others to allow them to do so.

Here is a key point. Read it carefully. If this is you, and you are doing it because you don’t have backing from SLT or you have far too much bitter experience of stupid staff … then you are only masking over the symptom. You are not fixing the problem.

Those of us who want to treat staff as knowledgeable users and ensure that SLT understand and accept the risks and benefits of technology feel your pain, we do … you are not on your own. It happens in all aspects of a school. Go speak to your Bursar / Business Manager about why most staff are not allowed to do anything other than order items through them. Ask about why some departments get monthly financial reports, or even weekly at some points in the year. Ask pastoral staff about why they always have to deal with parents complaining about their child being sent out in a particular lesson but they are fine in others. By taking extreme control you ensure that the job is done.

But is it?
Who is it that thinks about how the kit and software will be used?
Most Support staff will shy away from giving educational advice to teachers. I know what the reaction would be from most teachers when a member of support or admin staff comes up to them and talks about T&L. Thankfully this is changing, but it is a two-way thing.

So, am I an idealist who thinks that Network Managers are being horrible to teachers or am I just trying to stop people ignoring the main problems?

I don’t think it is such a surprise that most people who reacted are from a secondary base. Talking to staff in primary schools or those who support primary schools there seems to be more trust, more freedom, both to make mistakes and to gain a lot more knowledge about how to use IT.

But … I know most people are not saying that I am wrong … just that in the real world it doesn’t work the way I think. I think it does and even if it doesn’t for you, then perhaps this should be part of your targets … to look at how you can give staff more freedom and responsibility without creating too much work or putting IT systems at risk.

As a result I am setting myself a task to speak with as many people as possible who do give more freedom to staff and find out about the journey of how to get there. I will try to coach it in such a way that it will help SLT, IT Support and teachers speak a common language and try to develop an agreed goal. I am not saying there is any magic button that can be pressed … the Strategic Leadership of ICT course is sorely missed as a tool helping the process of change, often a long and sometimes stressful time, needing support, understanding and compromise on all sides.

Failing that it will also include a few hints and tricks about how you can work from the inside to make changes.