I’ve previously written about the importance of having some understanding about Project Management within a school. Generally this has been centred around change management and communication strategies, but a recent, local project has highlighted another area that needs to be looked at.
There are a number of national systems which have some interesting security requirements, and if you have ever had a look at the requirements for connecting to a GSi family connection then you will know what I mean. Thankfully, this is a rare occurrence in schools but it does mean most schools can get away with some shocking security breaches. When I started talking to some schools about Data Protection a few years ago it scared me how little understanding there is about security with some senior leaders. It also made me realise why so few councils give definitive guidance about data protection to schools.
The usual argument is that to have systems completely secured they would become unusable for teaching & learning … And I do agree with that. I’ve seen schools go over the top with restrictions enforced by network managers (who are only doing their job … and usually trying to stop the Head and/or SIRO being left open to legal challenge!) and it means that T&L suffers as a result (but it does mean the Head is not given a massive fine or sent to jail … Choices, choices!)
It all boils down to risk … and looking at how much a school wants to accept, how much is mitigated by choices and implementation of technology, how much is managed by policies and procedures and how much can be dealt with by common sense (the usual answer here is “very little”!)
In this article I will be looking at the risk in a school when accessing a secure government website such as the National eCAF website, but also trying to point out areas which also need covering for the internal use of an MIS.
Risk Management in schools is not something which gets covered in great detail, and to try and give a complete course on it here would be difficult. Suffice to say that risk is a combination of the impact of something going wrong and the probability of it happening.
This chart gives you an indication of how to look at risk.
With risk you can choose to look at it as a threat or an opportunity. In the case of the areas we are looking at it is generally a threat, and you can deal with it in a number of ways (Risk Responses):
AVOID – stop the activity which introduces the risk
REDUCE – take action to reduce either the probability or the impact
FALLBACK – put in place actions which reduce the impact
TRANSFER – put in place things which reduce the impact, often only the financial impact
SHARE – allow the risk to be spread across different people or groups
ACCEPT – know the risk is there, monitor it but accept that you will carry on as normal.
Take the scenario of a school whose wireless network does not meet the required security criteria. The threat is that someone could access your network and introduce something nasty onto it, which could compromise the computer being used to access the eCAF system. The impact on the use of eCAF would be medium-high, but the probability would vary from low (e.g. if the wireless network is only just below the security criteria, such as using WPA) through to high (if you are using an open, unencrypted network which you have told the local community to use).
Looking at the risk responses above, here are some examples of approaches schools might take.
AVOID – The school stops the risk completely by purchasing equipment that meets all the security criteria. The school might also choose to turn off the wireless network completely. Both of these responses will be a problem for most schools … they are expensive or make learning nigh on impossible. Neither is likely to be a good response, to be honest, so common sense would say to look at other responses.
REDUCE – The school knows it should do something, but cannot buy new kit or turn it off. Instead they may try things like segregating the wireless network from other chunks of the school (VLANs perhaps) or try to do what it can to increase security (Put some encryption in place and not share details with the local community)
FALLBACK – The school can’t afford to do much now, but it does plan to buy new kit over the coming year … so there is a plan for what to do for the future and the school keeps an eye on the machines being used for eCAF in the meantime to make sure strange stuff isn’t going on.
TRANSFER – The school might decide that it gets security advice in from a firm and follows their advice, knowing that should it go wrong they have someone who is to be held accountable, or they take out insurance to deal with any fines they may incur should it go wrong.
SHARE – It would be lovely to say the risk could be shared with the council, but this is about if you are sharing your network with someone like a charity, etc … and so are prepared to accept it as a combined problem.
ACCEPT – The simplest and highest risk option … the school knows there is an issue, but is happy to take the position that they are not worried, will deal with it if something happens and they will just try to be vigilant.
For those who recognise the above, yes, I know it is a bit of an over-simplification but I am hoping it gives enough of an idea of how to approach things with SLT in schools.
There are some good resources around about risk management (HSE can be helpful here) but the stance on risk will vary from school to school.
Most people giving advice will work from the position of least risk. I am not saying you will be breaking the law if you don’t follow the guidance and, if we use the above example, I am not saying that you need to buy a dedicated machine which has to be in a locked room where no-one else has the key. Those are idealistic positions … and roughly translate to advice on physical security such as “Don’t walk away from the machine whilst you are logged in and using eCAF … if you have to then lock the door on the way out. If you can’t do that then log off eCAF and the machine … or lock the desktop … or have someone else in the office who keeps an eye to make sure no-one else goes on the computer …” and so on, down the scale of risk responses. Most of this is also pertinent when using an MIS too.
I don’t think I could give you examples of each and every scenario as that would mean a bespoke risk management plan for each and every school. However, since most things are common sense then by sharing things with colleagues in, or supporting, other schools you should be able to spot similar issues.
All of the above is looking at security risks … but it applies to any project. Are you swapping your VLE provider? Are you doing a major upgrade of the Office Suite in the school? Are you moving more towards Open Source options? Every project has risks. Some are threats, some are opportunities … but you cannot plan properly until you have started to look at them.