Risk Management for Technology Exposures National Charter Schools Risk Management for Technology Exposures National Charter Schools Pete Reilly [email protected]

Risk Management for Risk Management for Technology ExposuresTechnology Exposures

National Charter SchoolsNational Charter Schools

Pete ReillyPete [email protected]

http://edtechjourneys.pbwiki.com

Sponsored bySponsored byNYSIRNYSIR

mailto:[email protected]

http://edtechjourneys.pbwiki.com/

Student Security Network/Data Security

Foil/E-Discovery/Audits

Physical Security CWG Survey Results

Audit Case Study Security Vulnerability Survey

Employee Issues

Agenda

QuickTime™ and a decompressor

are needed to see this picture.

Student Security

Cyberbullying

Student Safety

Web 2.0

The Facts About Online Sexual Abuse

Enforcement and Strategies

RSS Blogs

Employee Issues

Personal Use

Privacy

Improper Access

Harassment

Copyright

Teacher Web Sites

Teacher Links

Confidentiality

Advertising

Politics

Fundraising

Spyware

Bad & Getting Worse

Spam

External Hacks

Web 2.0

Denial of Service

Common Security Risks

Internal Hacks

Phishing

Trojan

Prevention

Forensics

Recovery

BOTs

WAN

ServersNetwork

Desktops

ApplicationsPolicies

Educational Forum

Disclosure and disclaimers

Educational Restrictions

Enforcement

District Strategies

Managing Internet Risks

The Facts About Internet Sexual Abuse

Firewalls

Servers & Network

Desktops

ApplicationsPolicies

User Awareness

Managing Security Risks

Initial & Annual Security Audit

Open Meetings

FOIL & E-Document Policy

CIPA & E-Rate

Domain Names

FOIL & E-Discovery

E- Discovery

Comptrollers Audits

Software Audits

Security incidents are rising exponentiallySecurity incidents are rising exponentially

128,678 incidents from July 1-December 31128,678 incidents from July 1-December 31stst, , 20012001

8, 064 vulnerabilities reported – up from 1,090 in 8, 064 vulnerabilities reported – up from 1,090 in 20002000

41% of companies experienced “critical attacks”41% of companies experienced “critical attacks”

12.7% encountered 1 “emergency” and had to 12.7% encountered 1 “emergency” and had to use recovery measuresuse recovery measures

Source: Washington Post, January 28, 2002Source: Washington Post, January 28, 2002

Tension between security and ease of useTension between security and ease of use

Many/most serious security incidents are caused Many/most serious security incidents are caused by your own students and disgruntled employeesby your own students and disgruntled employees

Bad & Getting Worse

More data online than ever

More devices attaching to the network

More network complexity (ie. VOIP, wireless)

Security Incidents – Security Incidents – 2007 Alone2007 Alone

ARIZONA - May 2007:Ninety-one substitute teacher

names and Social Security numbers were stolen from a car

LOUISIANA - March 2007:Rosters containing Social

Security numbers of 380 school employees were accessed by a

search engine crawler

WEST VIRGINIA – June 2007:Computers containing the names and social security

numbers of district employees were stolen

OREGON - January 2007:Students hacked into the school

network and obtained confidential student and

staff information

According to the

Privacy Rights

Clearinghouse,

www.privacyrights.o

rg, more than 155

million records*

have been stolen

since 2005*Includes Social Security numbers,

account numbers, and driver's

license numbers

CONNECTICUT - August 2007:Computers containing the names

and social security numbers of former students were stolen

Months

Days

Weeks

2003 2004 2005

Avg. exploit in 2005 5.8 days.

Vulnerabilities Exploited Faster

2003 2004200520012002

Hours

Seconds

Minutes

2005 - 90% of the hosts

within 10-minutes.

Threats Propagating Faster

SPAM: 80% of Emails in 12/06

Botnet Launched DDOS on the Rise

Sources: CERT/CC, Symantec, NVD, OSVD

Pre-Nachi – ICMP/8 (Echo) 8/17 Pre-Nachi – ICMP/8 (Echo) 8/17 2200GMT2200GMT

Watch Here . . . Watch Here . . .


Watch Here . . . Watch Here . . .


What?


What?!


What?!


What?!


Whoa??Whoa??Wow!!


Nachi start8/18/03

Nachi begins decay1/1/04

Nachi Worm Lifecycle ViewNachi Worm Lifecycle View

Patch (MS04-011)(April 13)

Exploit Code(April 21)

Warning Spike(April 28)

Sasser Worm(May 04)

Sasser Worm (04/04/04)Sasser Worm (04/04/04)

Patch (MS05-039)(August 09)

Exploit Code(August 12)

Warning Spike(August 15)

Zotob Worm(August 16)

ZOTOB Worm (08/16/05)ZOTOB Worm (08/16/05)

Patch (MS06-040)(August 08)

Exploit Code(August 10)

Warning Spike(August 13)

IRC-Mocbot Worm(August 14)

IRC-MOCBOT Worm (08/14/06)IRC-MOCBOT Worm (08/14/06)

SpywareSpyware

Three Shocking Statistics on Spyware! Three Shocking Statistics on Spyware!

1. 8 out of 10 PC’s are infected with 1. 8 out of 10 PC’s are infected with some sort of Spyware, with an average of some sort of Spyware, with an average of 24.4 spies per PC scanned.24.4 spies per PC scanned.

2. Microsoft estimates that 50% of all PC 2. Microsoft estimates that 50% of all PC crashes are due to spyware.crashes are due to spyware.

3. Dell reports that 20% of all technical 3. Dell reports that 20% of all technical support calls involve spyware.support calls involve spyware.

SpywareSpyware * Severe Threat – 15% of spyware threats send private information * Severe Threat – 15% of spyware threats send private information gathered from the end user currently logged on to the infected gathered from the end user currently logged on to the infected system: logging the user's keystrokes, logged-on user name, hash of system: logging the user's keystrokes, logged-on user name, hash of administrator passwords, email addresses, contacts, instant administrator passwords, email addresses, contacts, instant messengers login and usage, and more.messengers login and usage, and more.

* Moderate Threat – 25% percent of spyware sends information * Moderate Threat – 25% percent of spyware sends information gathered from the victim's operating system, including the computer gathered from the victim's operating system, including the computer (host) name, domain name, logs of all processes running in memory, (host) name, domain name, logs of all processes running in memory, installed programs, security applications, client's internal IP address, installed programs, security applications, client's internal IP address, OS version, the existence and versions of service packs and security OS version, the existence and versions of service packs and security updates, TCP ports the spyware is listening to, Computer Security updates, TCP ports the spyware is listening to, Computer Security Identifier (SID) ,default browser's homepage, browser plug-ins, etc.Identifier (SID) ,default browser's homepage, browser plug-ins, etc.

* Minor Threat – 60% of spyware transmits gathered commercial-* Minor Threat – 60% of spyware transmits gathered commercial-value information about the end user's browsing habits. This includes value information about the end user's browsing habits. This includes keywords used in search engines, browsing habits and ratings of keywords used in search engines, browsing habits and ratings of

frequently visited websites, shopping reports etc.frequently visited websites, shopping reports etc.

SpamSpam

Spam = 40%-70% of all e-mailSpam = 40%-70% of all e-mail

Spam floods overloading servers Spam floods overloading servers and acting like DoSand acting like DoS

IE Vulnerability For SaleIE Vulnerability For Sale

Web Attacker Toolkit – Web Attacker Toolkit – Order PageOrder Page

Drive-by, While visiting Drive-by, While visiting Web sitesWeb sites

Innocent Free Games site

Drive-by, While visiting Drive-by, While visiting Web sitesWeb sites

Innocent Free Games site

Exploits our desktop to install a Trojan

Case Study: Case Study: BotnetworkBotnetwork Hacker confirms price – “You wanna buy 0”

Internet

Enterprise DMZ

Enterprise Intranet

Service Provider Backbone

- Firewalls- IDS

- Anti-Virus - Anti-Spam

- Worm Detection

- Packet Filtering - LAN Filtering

- Security Patching - Policy Enforcement - Incident Response

- Network Management - Core Infrastructure Protection

- Manual Blackhole (Customer Initiated) - Manual Rate Limit (Customer Initiated)

EnterpriseSecurity

Responsibility

Large Enterprise Investment(People, Capital, Software)

Typical Perimeter Network Typical Perimeter Network

Prevention - FirewallsPrevention - Firewalls

Intrusion Detection SoftwareIntrusion Detection Software

5,000 port scans per day5,000 port scans per day

Apply update and patches immediatelyApply update and patches immediately

Review Firewall policies annuallyReview Firewall policies annually

Hole opened for server install - not closedHole opened for server install - not closed

Server decommissioned - hole not closedServer decommissioned - hole not closed

Prevention - WAN

Periodic Network Traffic Analysis

Prevention - WAN

Prevention - WAN

Prevention - WAN

Prevention - WAN

BOTs

Music Sites & other improper uses

Prevention - WANPrevention - WAN

Configure your routers with access listsConfigure your routers with access lists

Check hubs, switches and routers for web Check hubs, switches and routers for web management modules and change default management modules and change default passwordspasswords

Use security on your wireless networksUse security on your wireless networks

Prevention - ServersPrevention - Servers

Server maintenance and security Server maintenance and security patches immediatelypatches immediately

Nmda took advantage of known holes Nmda took advantage of known holes

Remove all generic and guest Remove all generic and guest defaults after installdefaults after install

Web server hacked via generic loginWeb server hacked via generic login

Check for inactive web modulesCheck for inactive web modules

They can be accessed and generic They can be accessed and generic setups abusedsetups abused

Prevention - NetworkPrevention - Network

Use Virtual Private Networks (VPNs)Use Virtual Private Networks (VPNs)

Require specific logonsRequire specific logons

Lab aid giving generic logons so Lab aid giving generic logons so students could bypass filterstudents could bypass filter

Pornography found on C: drive in Pornography found on C: drive in teachers’ roomteachers’ room

Prevention - Network

Periodic network and server scans

Consultant with website on school server

Secure remote access to networkSecure remote access to network

Maintenance done by third partiesMaintenance done by third parties

Prevention - DesktopsPrevention - DesktopsA: driveA: drive

Vulnerable to infected floppy disks, flash drives, Vulnerable to infected floppy disks, flash drives, and other non-authorized files and applicationsand other non-authorized files and applications

C: driveC: drive

Vulnerable to configuration changes, and Vulnerable to configuration changes, and access to restricted resources (students hide access to restricted resources (students hide Internet access)Internet access)

FTPFTP

Vulnerable to downloads of infected files or Vulnerable to downloads of infected files or other non-authorized files and applicationsother non-authorized files and applications

Prevention - DesktopsPrevention - DesktopsWindows ExplorerWindows Explorer

Students see all network resources Students see all network resources

Right ClickRight Click

Students can cut, paste, and delete Students can cut, paste, and delete important files including system important files including system configurationconfiguration

Prevention - Prevention - ApplicationsApplications

Microsoft Office – “save as” Microsoft Office – “save as”

Can student see network drives?Can student see network drives?

Downloads of plugins and other softwareDownloads of plugins and other software

Programming courses such as C++ and Programming courses such as C++ and Visual BasicVisual Basic

Have access to basic network functionsHave access to basic network functions

.exe files.exe files

Slow Internet and/or network performanceSlow Internet and/or network performance

Overwhelmed hard drives and network serversOverwhelmed hard drives and network servers

PasswordsPasswords

No policy on changingNo policy on changing

Fewer passwords for ease of use purposesFewer passwords for ease of use purposes

““Shoulder surfing” , yellow stickies, etc.Shoulder surfing” , yellow stickies, etc.

Disks from homeDisks from home

Technical vulnerabilitiesTechnical vulnerabilities

Copyright vulnerabilitiesCopyright vulnerabilities

Prevention - PoliciesPrevention - PoliciesLoading software locallyLoading software locally

Technical issues – not in “Ghost image”Technical issues – not in “Ghost image”

Printing and application support issuesPrinting and application support issues

Copyright issuesCopyright issues

Accidentally “blow out” systemAccidentally “blow out” system

Docking home computersDocking home computers

Students running “cracking” programs Students running “cracking” programs and access SASI passwordsand access SASI passwords

Keychain hardrivesKeychain hardrives

Removal of access when someone leavesRemoval of access when someone leaves

E-mail, Calendar, network logon, etc.E-mail, Calendar, network logon, etc.

Early notification of problems such as virusesEarly notification of problems such as viruses

What process in place to notify users of new viruses, What process in place to notify users of new viruses, etc.etc.

More than one person with key knowledge and More than one person with key knowledge and access.access.

Network backdoors setupNetwork backdoors setup

Secret backups and password changes done before Secret backups and password changes done before terminationtermination

18 months rebuilding system because of no 18 months rebuilding system because of no documentationdocumentation

Prevention – PoliciesPrevention – Policies

Log-off apps, log-off networkLog-off apps, log-off network

Students doing “high level” maintenanceStudents doing “high level” maintenance

May compromise security intentionally May compromise security intentionally or unintentionallyor unintentionally

Enforcement of PoliciesEnforcement of Policies

If practice doesn’t follow policy than If practice doesn’t follow policy than policies are not valid.policies are not valid.

ForensicsForensics

Log files:Log files:

Intrusion detection logsIntrusion detection logs

Firewall logsFirewall logs

Router logsRouter logs

Server logs Server logs

Application logsApplication logs

ForensicsForensics

Unique log-insUnique log-ins

Isolate systemsIsolate systems

Notify authoritiesNotify authorities

Print screens (IM’ing, chat, e-mail, etc.)Print screens (IM’ing, chat, e-mail, etc.)

Terror threat to local HSTerror threat to local HS

Hard Dive recoveryHard Dive recovery

Save to the networkSave to the network

Saving to the C: drive means Saving to the C: drive means no backupsno backups

Verify that backups are completeVerify that backups are complete

Who is responsible? Who is their backup?Who is responsible? Who is their backup?

• External backups vs internalExternal backups vs internal

Proper tape rotation - off site storageProper tape rotation - off site storage

Off-site storageOff-site storage

Periodic backup check before and emergencyPeriodic backup check before and emergency

Do you have a “Hot Site”?Do you have a “Hot Site”?

RecoveryRecovery

Damaged servers & switchesDamaged servers & switches

RAID drivesRAID drives

UPS on all servers and switchesUPS on all servers and switches

Maintenance 24x7x7 contracts or sparesMaintenance 24x7x7 contracts or spares

Mirrored or backup serversMirrored or backup servers

Routers, switches, hubsRouters, switches, hubs

Maintenance 24x7x7 contract or Maintenance 24x7x7 contract or replacementsreplacements

RecoveryRecovery

Formalize a Hot Spot PartnershipFormalize a Hot Spot Partnership

Applications media archivedApplications media archived

Escalation procedure to move to recovery Escalation procedure to move to recovery quicker and to limit damagesquicker and to limit damages

Must notify if privacy is compromisedMust notify if privacy is compromised

May need to isolate problemMay need to isolate problem

May need to change passwordsMay need to change passwords

Internal HacksInternal Hacks



Internal Hacks



Internal Hacks

Internal Hacks

60%-80% of hacks are internal -FBI60%-80% of hacks are internal -FBI

Bypassing the filterBypassing the filter

- IP address (ping)- IP address (ping)

YouTube UKYouTube UK

Superintendent’s private filesSuperintendent’s private files

Employee w Backdoor accessEmployee w Backdoor access

Internal HacksInternal Hacks

Anonymous surfing - Port 443Anonymous surfing - Port 443

Inadvertent damageInadvertent damage

Loading software from homeLoading software from home

Deleting important configuration filesDeleting important configuration files

Attempting to help wiping our systemsAttempting to help wiping our systems

Denial of ServiceDenial of Service

In this type of attack, the attacker begins the process of In this type of attack, the attacker begins the process of establishing a connection to the victim machine, but establishing a connection to the victim machine, but does it in such a way as to prevent the ultimate does it in such a way as to prevent the ultimate completion of the connection. completion of the connection.

In the meantime, the victim machine has reserved one In the meantime, the victim machine has reserved one of a limited number of data structures required to of a limited number of data structures required to complete the impending connection. The result is that complete the impending connection. The result is that legitimate connections are denied while the victim legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" machine is waiting to complete bogus "half-open" connectionsconnections..

BOT

Phishing

Trojan

Improper AccessImproper Access

Access to Obscene and Inappropriate Material Access to Obscene and Inappropriate Material from the School’s Systemfrom the School’s System

Inadvertent Access to PornographyInadvertent Access to Pornography

Julie Amero Story: 4 felony counts, firewall license expired,virus Julie Amero Story: 4 felony counts, firewall license expired,virus protection lapsed, no spyware defense, on an old Win98 system - protection lapsed, no spyware defense, on an old Win98 system - obscene popup.obscene popup.

““It was an innocent search”It was an innocent search”

Domain name spoofsDomain name spoofs

Hate Sites …How to Build a Bomb...Hate Sites …How to Build a Bomb...

Doom & Duke NukemDoom & Duke Nukem

Refers to the most recent generation of web Refers to the most recent generation of web technologies and products including:technologies and products including:

• BlogsBlogs• PodcastsPodcasts• WikisWikis• RSS NewsfeedsRSS Newsfeeds• Social networking (MySpace, Friendster)Social networking (MySpace, Friendster)• Web applications with rich, interactive interfacesWeb applications with rich, interactive interfaces

User created contentUser created content

What Is Web 2.0?What Is Web 2.0?

Hey - 19,241,561



Hahaha - 34,181,513



Dance - 71,712,140



What Is RSS?What Is RSS?

•RSS stands for Really Simple Syndication or RDF Site RSS stands for Really Simple Syndication or RDF Site Summary. Is based on XML and is simple to learn.Summary. Is based on XML and is simple to learn.

•Used by blogs, websites, browsers and applications to Used by blogs, websites, browsers and applications to deliver content to subscribers.deliver content to subscribers.

RSS in Plain English



Security Problems of RSSSecurity Problems of RSS

•As an avenue for automated delivery of web-based content, can be As an avenue for automated delivery of web-based content, can be easily used as a delivery method for spam and phishing.easily used as a delivery method for spam and phishing.

•Popularity of RSS syndication aggregators can make it easier to Popularity of RSS syndication aggregators can make it easier to subvert feeds and redirect them from originators.subvert feeds and redirect them from originators.

•But the biggest problem is the RSS enclosure capability, which is But the biggest problem is the RSS enclosure capability, which is the feature of RSS which enables things like podcasting. Nothing in the feature of RSS which enables things like podcasting. Nothing in the specification which limits this to MP3 files. Can also be used to the specification which limits this to MP3 files. Can also be used to deliver anything from Flash to executables. In most cases deliver anything from Flash to executables. In most cases downloads happen automatically.downloads happen automatically.•

How To Secure RSSHow To Secure RSS

• Verify accurate address of content delivery from your RSS Verify accurate address of content delivery from your RSS feeds.feeds.

Block downloads of executables and other high-risk content Block downloads of executables and other high-risk content at the gatewayat the gateway

•As a complex web application, blogs have the same potential As a complex web application, blogs have the same potential problems as most web applications, such as bugs and problems as most web applications, such as bugs and security holes which require patching, and susceptibility to security holes which require patching, and susceptibility to classic web hacking techniques.classic web hacking techniques.

•However, interactivity of blogs provides some unique areas However, interactivity of blogs provides some unique areas of attack, specifically in the typical ability for any reader to be of attack, specifically in the typical ability for any reader to be able to comment within a blog. At the lowest level this makes able to comment within a blog. At the lowest level this makes blogs susceptible to spam but also opens up more dangerous blogs susceptible to spam but also opens up more dangerous exploits.exploits.

The Security Problems of Blogs

•

New Storm Worm Spreading Via Blog PostsNew Storm Worm Spreading Via Blog Posts•A Storm worm variant using both e-mail and Web sites to infect A Storm worm variant using both e-mail and Web sites to infect Windows-based PCs is injecting itself into the responses people are Windows-based PCs is injecting itself into the responses people are leaving on blogs. leaving on blogs.

When infected systems visited blogs, worm inserted script into the When infected systems visited blogs, worm inserted script into the blog comments that linked to malware.blog comments that linked to malware.

Example: The Storm Worm Variant

How To Secure Your Blogging How To Secure Your Blogging InfrastructureInfrastructure

•Keep your blogging platform software fully patched and up-to-date

•Don’t allow unmoderated comments

• Configure blog to only allow straight text in blog comments

• Use software designed to block or limit what is know as “comment spam”. Examples of these include Bad Behaviour and Akismet



Cyberbullying Statistics

90% of MS 90% of MS students have students have had their had their feelings hurt feelings hurt onlineonline

42% have been 42% have been bullied onlinebullied online




35% have been 35% have been threatened threatened onlineonline

21% have 21% have gotten gotten threatening e-threatening e-mailmail




53% have said something mean or 53% have said something mean or hurtful onlinehurtful online

58% have not told their parents 58% have not told their parents about bullying incidents about bullying incidents

Cyberbullying

Bully

At school

Poor relationship with teachers

Fear of physical retribution

Cyberbully

At home

Good relationship with teachers

Fear of loss of tech privileges

Further under the radar than bullying

Copyright Copyright Infringement Infringement

Everything on the Internet is protected by Everything on the Internet is protected by CopyrightCopyright

If employer has the right & ability to If employer has the right & ability to supervise the actions of the employee & supervise the actions of the employee & has a financial interest in exploitation…has a financial interest in exploitation…even if the employer didn’t know…he even if the employer didn’t know…he may be liablemay be liable

SIA lawsuits, Record industry SIA lawsuits, Record industry lawsuitslawsuits

Copyright Copyright InfringementInfringement

Students cutting and pasting parts of Web Students cutting and pasting parts of Web pages onto their ownpages onto their own

Improper use of student materialImproper use of student material

District StrategiesDistrict Strategies

Supervise! Supervise!

Educate staff, students, and parents Educate staff, students, and parents

Develop a site limitation strategyDevelop a site limitation strategy

Develop a solid AUPDevelop a solid AUP

Keep policy decisions at the highest levelKeep policy decisions at the highest level

Establish an Establish an Educational ForumEducational Forum

Insure that policy and practice are alignedInsure that policy and practice are aligned

Insure that AUP is signed - affirmative Insure that AUP is signed - affirmative consentconsent

You can allow limited “self-discovery”You can allow limited “self-discovery”

If it is educational, access can’t be If it is educational, access can’t be denied,restricted or suspended without due denied,restricted or suspended without due processprocess..

Notice to student of alleged violationNotice to student of alleged violation

Opportunity for student to respond to allegationOpportunity for student to respond to allegation

No denial of an account in advance of a hearingNo denial of an account in advance of a hearing

Missouri suitMissouri suit

Arkansas suitArkansas suit

Ohio suitOhio suit

Pennsylvania expulsion upheldPennsylvania expulsion upheld

Court to school district: You can't stop a kid from creating a personal web site critical of your schools: Missouri school district

becomes the latest to learn the hard way

From eSchool News staff and wire service reportsSending a clear signal to educators everywhere, a federal judge ruled Dec. 28 that Woodland School District in Marble Hill, Mo., violated a high school student's free

speech rights when it suspended him for posting a personal web page criticizing his school. The ruling makes clear that schools have no jurisdiction over what their

students do in cyberspace, provided it's done on their own time and from their own computers.

U.S. District Court Judge Rodney Sippel issued a preliminary injunction that prohibits the district from using the suspension against student Brandon Beussink

in grade and attendance calculations. It also bars the district from punishing Beussink or restricting his ability to post his home page on the internet.

"Dislike or being upset by the content of a student's speech is not an acceptable

justification for limiting student speech," Sippel wrote in his opinion.

Newslines--Arkansas district settles lawsuit over student’s sexually explicit web page

eSchool News staff and wire service reports

Arkansas’ Valley View School District has settled a lawsuit involving a student’s internet site soit could begin the school year without the distractions of a court hearing, a school district

attorney said Aug. 18.

Dan Bufford said the court case was causing too much disruption. “We were looking at sending six to eight teachers, seven to eight students, and three sets of parents from Jonesboro to Little Rock to testify,” Bufford said. “The distractions and the expense of that was just too

much.”

The American Civil Liberties Union sued the school district, contending the district wrongly suspended Justin Redman for 10 days. He was suspended for producing a web site that

mirrored the school’s official web site, but included sexually explicit photos and text, some of which

named other students and administrators.

John Burnett, the ACLU’s state legal director, said the settlement doesn’t mean the organization

agrees with the district’s actions. “Every school board and every school board attorney in the state is going to know about this case,” he said. “The schools are going to have to come to realization that, just as they cannot visit discipline on students for something they said at a

weekend party, they cannot do it because of something a student said on the world wide web.”

District must pay teacher-bashing student $30K: Court overturns suspension and upholds protection of student speech

on the internet Gregg W. Downey

A school district will pay $30,000 to one of its students who was suspended for making fun of his band teacher on the internet, according to the Associated

Press (AP). In return, the student will drop his half-a-million-dollar lawsuit against the district for the 10-day suspension, AP reported.

Superintendent Beverly Reep of the Westlake school district in suburban Cleveland was ordered in March by a federal judge to reinstate16-year-old Sean O'Brien. O'Brien had been suspended for using his home computer to

create a web site disparaging a band teacher.

The superintendent said the district suspended O'Brien for violating a policy forbidding students from showing disrespect to employees. A federal court told

the school district to stop trying to restrict O'Brien's right to free expression.

Pennsylvania judge: Expelling student for web site threats is OK

From eSchool News staff and wire service reportsA Lehigh Valley, Pa., school district did not violate a student’s constitutional

right to free speech when it expelled him last year for allegedly threatening a teacher on his personal web site, a Northampton County Court judge ruled July

23.

Justin Swidler, now 15, was expelled in August 1998 after Bethlehem Area School District officials saw his web site, in which he allegedly asked for

donations to hire a hit man to kill Nitschmann Middle School math teacher Kathleen Fulmer. Swidler’s family described the site asan attempt at satirical humor, not a terrorist threat.

The long-since-dismantled web site reportedly had a heading saying “Why She Should Die” above a sentence reading, “Take a look at the diagram and the

reasons I give, then give me $20 to help pay a hit man.”

Enforcement - Enforcement - Consistency Consistency

Schools have double standard for computer Schools have double standard for computer vandalism and crimevandalism and crime

““It was just a joke.”It was just a joke.”

Nerd discipline Nerd discipline

School yanks Internet access School yanks Internet access

Legal punishmentsLegal punishments

Incident policyIncident policy

$10,000 damage award$10,000 damage award

The Evolution of 'Nerd Discipline'

As with most schools, our overall experience with computer technology,classroom applications, networks, and controlled internet access has been positive and

productive. There is, however, a small, smart, and venturesomesegment of our student population whose actions sometimes make it otherwise.

These are individuals who use school computers--occasionally in conjunction with computers at home--to test every rule, procedure, and established guideline ... and thus challenge

us to devise new and different ways of dealing fairly and effectively with a whole new category of "electronic" infractions. The infractions can range in severity from downloading

objectionable material to exchanging passwords, and from intentionally deleting student files to planting software devices designed to disable one or more targeted workstations, a whole

department, or the school's entire network.

Through constant monitoring and review of policies and rules, we can makeevery school's experience with computer technology as positive and productive

as it can and should be.

Jeannine Clark is an assistant principal at Clarkstown High School North in New City, N.Y., and the school's building coordinator for the district's technology initiative.

School yanks student internet access By Rebecca Flowers

A school in Cloverdale, Calif., is being criticized for its decision to shut down student access to the internet after two local teens were accused of hacking Pentagon

computers. Some charge the school overreacted in issuing the internet ban, but school officials disagree.

The two students, sophomores at Cloverdale High School, have not been charged with any crimes, and investigators are certain the school's computer network was not used during any of the attacks. But the fear

of sabotage or retaliation compelled school officials to close down access to the internet for all students at the school on March 5

Although the FBI had not contacted the school, John Hudspeth, the boys' computer science teacher, disabled the hackers' network accounts and froze their personal directories.

"We had tried to limit the privileges of only the two hacking students, to allow the rest of the student body and faculty to enjoy continued online services," said Bill Cox, president of the board of education. "But either

other students were helping our hackers out of friendship or because they saw hacking as 'cool’ or our hackers had captured other account passwords and were using those accounts in direct violation of our

Acceptable Use Contract that all network users sign."

Threats of further retaliation in the Wired article coupled with attacks on one of the ISPs were enough to convinced Cox that strong action was necessary. "Do we just wait around for our high school server to be

trashed?" he said. School officials said the temporary suspension was needed to allow them to regroup and learn more about security. Cox also felt that the student body needed to think about the hacking issues in a

more reasoned light.

Enforcement - Legal Enforcement - Legal ChargesCharges

Some of the Legal Charges Against Some of the Legal Charges Against Students/Staff Students/Staff

1st Degree Computer Tampering -Felony1st Degree Computer Tampering -Felony

3rd Degree Computer Tampering - Felony 3rd Degree Computer Tampering - Felony

2nd Degree Aggravated Harassment - 2nd Degree Aggravated Harassment - MisdemeanorMisdemeanor

1st Degree Attempt to Distribute Indecent 1st Degree Attempt to Distribute Indecent Material to MinorsMaterial to Minors

EnforcementEnforcement

Who do I call?Who do I call?

When should I escalateWhen should I escalate

How do I secure the evidence?How do I secure the evidence?

How do I limit the damage?How do I limit the damage?

Do I have to notify users of the breach?Do I have to notify users of the breach?

What long term actions are needed?What long term actions are needed?

Personal UsePersonal Use

““School computers, networks, and Internet access School computers, networks, and Internet access are provided to support the educational mission are provided to support the educational mission of the school. They are to be used primarily for of the school. They are to be used primarily for school-related purposes. Incidental personal use school-related purposes. Incidental personal use must not interfere with the employee’s job must not interfere with the employee’s job performance, must not violate any of the rules performance, must not violate any of the rules contained in this policy or the student AUP, and contained in this policy or the student AUP, and must not damage the school’s hardware, must not damage the school’s hardware, software, or communications systems.”software, or communications systems.”

• NSBA Legal Issues and Education TechnologyNSBA Legal Issues and Education Technology

PrivacyPrivacy

Parents & Public can access Web LogsParents & Public can access Web Logs

Exeter SchoolsExeter Schools

Indiana SuperintendentsIndiana Superintendents

E-Mail and all electronic data is discoverable in litigation E-Mail and all electronic data is discoverable in litigation

Utah lawsuitUtah lawsuit

School Board’s e-communications may be in violation of School Board’s e-communications may be in violation of state’s Sunshine Lawsstate’s Sunshine Laws

South CarolinaSouth Carolina, , Pennsylvania,Pennsylvania,

Improper AccessImproper Access

Images from web pages are stored in Images from web pages are stored in cache and can be accessed from hard cache and can be accessed from hard drive even without Internet access drive even without Internet access

Physics Teacher firedPhysics Teacher fired

Dean of Harvard Divinity SchoolDean of Harvard Divinity School

Amero TragedyAmero Tragedy

N.J. district sues teacher for allegedly viewing web porn

From eSchool News staff and wire service reports

The Bergenfield, N.J., board of education is suing a physics teacher to recoup wages it paid him while he allegedly viewed computer pornography during school hours.

The viewing took place in a school physics room and included times when students were in the room, school officials said.

According to the Associated Press, Alan Ross, who taught 11th- and 12th-grade chemistry, physics, and earth science before being suspended without pay last year, also has a tenure challenge pending. If Ross is found guilty, he would lose

tenure and the board would be allowed to fire him.

A report on computer-stored information viewed from Nov. 3 through Dec. 19, 1997 showed visits to about 2,900 sites, more than half of which were categorized as

adult or personal.All of the online visits occurred during school time--and about 55 percent while students were present in the physics room, school officials said. No

sites were visited on the three days Ross was absent during that period, they said.

HarassmentHarassment

Off color and potentially offensive Internet Off color and potentially offensive Internet jokes and e-mails circulating among staff jokes and e-mails circulating among staff may create a “hostile” environmentmay create a “hostile” environment

Teacher suspendedTeacher suspended

Harassment rules apply equally to Harassment rules apply equally to electronic communicationselectronic communications

Report abuse Report abuse

Take immediate stepsTake immediate steps

Newslines--Judge upholds teacher’s suspension over sexually explicit eMail

eSchool News staff and wire service reportsA judge has upheld the three-week suspension without pay of a Scottsbluff,

Neb., middle school teacher accused of repeatedly sending sexually explicit materials on the school district’s eMail system.

Gerald Schmeckpeper was suspended in December for insubordination when he disobeyed repeated requests to stop his eMail practice. The

school board upheld the suspension in January.

Schmeckpeper argued that he was told only to use caution when opening eMail. But District Judge Robert Hippe on July 13 said there was sufficient evidence to suspend Schmeckpepper. Schmeckpeper was receiving and sending eMail with crude jokes and cartoons and had several sexually

explicit pictures stored electronically, Hippe said.

CopyrightCopyright

LA Schools sued for $4.8 million in LA Schools sued for $4.8 million in copyright abuse casecopyright abuse case

LA Schools settle copyright suitLA Schools settle copyright suit

Fair Use suit could influence what schools Fair Use suit could influence what schools can publish on the webcan publish on the web

Alleged software piracy could cost LA schools $4.8 million eSchool News Staff Reports

A coalition of software makers that includes Microsoft Corp. has targeted the Los Angeles Unified

School District (LAUSD), alleging its teachers and other employees have illegally copied software

programs.

The charges of piracy could cost the nation's second-largest school district (after New York City)

nearly $5 million over the next three years.

Under a proposed settlement, the district would pay $300,000 to the Business Software Alliance

(BSA), a trade group based in Washington State that was formed by Microsoft and other software

producers to protect their copyrights.

But the real cost of the settlement, which at press time was still subject to board approval, is the

estimated $4.5 million the district would be forced to spend to replace the unlicensed softwarethat allegedly has spread throughout its classrooms.

Newslines--LAUSD school board settles software piracy charge eSchool News Staff and Wire Reports

The Los Angeles Unified School District (LAUSD) will pay a computer trade group $300,000 to settle a lawsuit alleging that copyrighted computer programs were being unlawfully duplicated

for use in schools.

The settlement, approved Feb. 9 by the LAUSD school board, also requires the district to spend $1.5 million over the next three years on an eight-member team to find and eliminate any

unauthorized software and to train staff and students on district policy prohibiting the unlawful duplication of computer programs.

The Business Software Alliance, an organization formed by Microsoft Corp., Novell Inc., and other computer software companies, alleged that the West Valley Occupational Center in

Woodland Hills used unauthorized copies of numerous types of software, including Microsoft Word and Adobe Photoshop.

The group said it had found at least 1,399 copies of software that it contended were being used without authorization and asked for more than $562,000 in compensation.

LAUSD officials admitted no wrongdoing, but their legal counsel recommended settling to avoid an even more costly court battle.

Newspaper 'fair use' challenge could limit what schools and others post on the web: LA Times and Washington Post sue web site for

copyright infringement From eSchool News staff and wire reports

In a case with broad implications about what you can post on your schools' web sites, the LosAngeles Times and the Washington Post have filed a copyright-infringement lawsuit against

the operator of a site that posts their stories without permission.

The lawsuit, filed Oct. 1 in a federal court in Los Angeles, accuses the Free Republic site of using hundreds of stories from the two newspapers, violating their copyrights and diverting

users and potential revenue from their own sites.

Rex Heinke, an attorney for the newspapers, said the Free Republic site has been posting the stories "on a very large scale for a very long time.” Reproducing the stories without the

publishers' consent is financially detrimental to the newspaper companies, Heinke said. The newspapers rely on hits to their own web sites to generate advertising sales, he said.

The Free Republic site, based in Fresno, Calif., posts the stories and allows users to writecomments about them. The site's operator, Jim Robinson, said he has ignored warnings from the newspapers because the practice is protected by the First Amendment and the "fair use"

doctrine of copyright law.

Teacher Web SitesTeacher Web Sites

Sites created by teachers for their students Sites created by teachers for their students that are not hosted on the school’s that are not hosted on the school’s computer system may expose the teacher computer system may expose the teacher to risk.to risk.

Whenever possible migrate the teacher’s Whenever possible migrate the teacher’s site to the school system where he/she is site to the school system where he/she is protected by the schools AUP, and protected by the schools AUP, and computer use policiescomputer use policies

Teacher Assigned Teacher Assigned LinksLinks

““The links in this area will let you leave the The links in this area will let you leave the school district site. The linked sites are not school district site. The linked sites are not under the control of the district, and the district under the control of the district, and the district is not responsible for the contents of any linked is not responsible for the contents of any linked site, or any changes or updates to such sites. site, or any changes or updates to such sites. The district is providing these links to you only The district is providing these links to you only as a convenience, and the inclusion of any link as a convenience, and the inclusion of any link does not imply endorsement of the site by the does not imply endorsement of the site by the district.”district.”

• NSBA Legal Issues in Education TechnologyNSBA Legal Issues in Education Technology

ConfidentialityConfidentiality

The Family Education Rights and Privacy The Family Education Rights and Privacy Act (FERPA) requires schools to have a Act (FERPA) requires schools to have a policy that grants parents the rights to policy that grants parents the rights to inspect and review the educational inspect and review the educational records of their children within 45 days of records of their children within 45 days of a request.a request.

FERPA also requires a parent’s written FERPA also requires a parent’s written consent before disclosing personally consent before disclosing personally identifiable information about a student. identifiable information about a student.

AdvertisingAdvertising

School employees are often involved in School employees are often involved in outside businesses and they may find it outside businesses and they may find it tempting to advertise or solicit using the tempting to advertise or solicit using the school’s e-mail. school’s e-mail.

Prohibition should include sending Prohibition should include sending messages from home or other outside messages from home or other outside computer to school district e-mail users.computer to school district e-mail users.

PoliticsPolitics

Any e-mail sent from the school computer Any e-mail sent from the school computer system contains the school’s return system contains the school’s return address. It is the same as using the address. It is the same as using the school’s letterhead. Accordingly, school’s letterhead. Accordingly, employees should be put on notice not to employees should be put on notice not to have their own opinions mistakenly have their own opinions mistakenly attributed to the district.attributed to the district.

Superintendent’s e-mail sparks state Superintendent’s e-mail sparks state inquiryinquiry

Newslines--Middle school principal suspended for eMail violation eSchool News Staff and wire service reports

A Massachusetts middle school principal was suspended for 10 days because she sent an eMail message to her staff urging them to vote for a political candidate. Mary

A. Toomey, principal of the South Lawrence East School, might also have violated state ethics laws.

“As a result of the investigation, I determined that Mary Toomey exercised poor judgment,” said Lawrence Public Schools Superintendent Mae E. Gaskins.

Toomey eMailed the school’s staff soliciting their votes for Nancy J. Kennedy, who was running a sticker campaign for school committee. She sent the eMail the day

before the Oct. 5 primary election.

The eMail said Kennedy needed voters to place stickers printed with her name directly on the ballot. The stickers would be available at the school’s front office,

according to the eMail message.Kennedy received the votes she needed and went on to win a spot on the committee. School committee spokeswoman Martha E.

Previte said Toomey should have received a harsher punishment.

FundraisingFundraising

Schools may decide to permit fundraising Schools may decide to permit fundraising with prior approval or they will prohibit it.with prior approval or they will prohibit it.

If they permit fundraising activity they If they permit fundraising activity they must be careful not to discriminate and bar must be careful not to discriminate and bar any speakers based on the message.any speakers based on the message.

FOILAre e-mail, web logs, spreadsheets & word Are e-mail, web logs, spreadsheets & word processing documents considered records processing documents considered records under FOIL?under FOIL?

Web site logsWeb site logs

Policy directivesPolicy directives

Correspondence and memos related to businessCorrespondence and memos related to business

Work schedules and assignmentsWork schedules and assignments

Agendas and minutes of meetingsAgendas and minutes of meetings

Drafts of documents circulated for comment Drafts of documents circulated for comment

Any document that initiates, authorizes or Any document that initiates, authorizes or completes a business transactioncompletes a business transaction

FOIL FOIL

Parents & Public can access Web LogsParents & Public can access Web Logs

Exeter SchoolsExeter Schools

Indiana SuperintendentsIndiana Superintendents

E-Mail, IM, Voice Mail, etc. is discoverable in E-Mail, IM, Voice Mail, etc. is discoverable in litigationlitigation

Utah lawsuitUtah lawsuit

FOILFOILAdministrators must plan for and design a Administrators must plan for and design a filing structure that can adequately support filing structure that can adequately support operational needs and record keeping operational needs and record keeping requirements.requirements.

You will have to retrieve everything - no You will have to retrieve everything - no matter where it is stored in mandatory matter where it is stored in mandatory Discovery.Discovery.

If you keep everything it’s a problemIf you keep everything it’s a problem

If you delete everything it’s a problemIf you delete everything it’s a problem

Generally, records transmitted through e-mail Generally, records transmitted through e-mail and electronic systems will have the same and electronic systems will have the same retention periods as records in other formats.retention periods as records in other formats.

Court: Schools must let parents view internet-use logs

From eSchool News staff and wire service reports

In a decision with broad implications for schools nationwide, a New Hampshire judge has ruled that the Exeter school district must make public copies of its

internet history logs so a father can check whether officials are doing enough to keep pupils away from the web’s seedy side.

James Knight, a father of four whose children attended district schools until recently, filed a lawsuit asking a judge to force the district to hand over its internet

logs after educators decided not to use filtering programs on computers children use.

The programs, which have been criticized for their accuracy, block access to objectionable internet sites. The district decided to use supervision and spot checks

by teachers instead

Superintendents’ use of school computers questioned From eSchool News staff and wire service reports

An investigation of computer records from 49 Indiana school districts by the Indianapolis Star has raised questions about what constitutes appropriate use of computers by administrators. In a Feb. 18 story, the Star reported that superintendents who are in charge of enforcing their districts’ web-surfing policies often violate their own rules. While many school internet policies

say web surfing should be for educational use only, some Indiana superintendents are shopping for cars, planning trips, and looking for other jobs on their district-issued computers,

the Star reported.

In fact, one superintendent’s internet records reportedly included two sites with pornographic material—an apparent violation of common school district internet policies, and one that cost

former Hamilton Southeastern Superintendent Robert Herrold his job in September. It was Herrold’s example that prompted the Star’s investigation.

The Star’s review of 6,691 web sites on superintendents’ computers showed that half of the sites clearly were education pages. But 3,000 other sites—some of which also could have been viewed for educational purposes—ranged from the popular Amazon.com shopping site to more

obscure

sites.

DA eyes agency's failure to release school internet logs: Utah Education Network faces sanctions for overwriting data it was

ordered to disclose

Failure to hand over certain logs that track the wanderings of school computer users on the world wide web--including records showing attempts to visit sexually oriented or other banned sites--could result in a criminal investigation by a county

district attorney in Utah. The target of the probe: the Utah Education Network (UEN), a public/private consortium that provides internet service to Utah's K-12

schools districts.

In April, Michael Sims, an anti-censorship internet activist, filed for access to the school computer logs under Utah's sunshine law. He wanted to check what web

sites were being blocked by internet content filters used by Utah schools.

At first, UEN officials refused Sims' request, claiming they didn't own the logs. They said those records belonged to the individual school districts. Sims appealed that denial to the State Records Committee. At a hearing last month, the committee

agreed with Sims and ordered that the computer logs, purged of any confidential material, be released.

Electronic Discovery Electronic Discovery Overview Overview

Pre-trial conference and preparation (what do you have?)

Produce electronics records, if requestedCost allocation for producing records (Undue burden?)

Duty to Disclose

Preserve Evidence

In December 2006, Civil procedures for discovery were updated to include more specific guidance on the production of electronic records.

Prevent document spoilagePrivilege work product waiver

Sanctions and Safe Harbor

E-Discovery

Create an enforce an e-Document policy that minimizes the time Non-FOILable information is kept.

Create a litigation response that preserves data at the outset of litigation.

Educate employees on the need for a business approach to e-documents.

NSBA Legal Issues and Ed Tech

Duty to DiscloseDuty to Disclose

•Define the environment and data controlsDefine the environment and data controls•Restrict data storage locations Restrict data storage locations oEmail & Voice mailEmail & Voice mailoShared folders and filesShared folders and filesoDatabaseDatabase

•Data classification, handling and disposal Data classification, handling and disposal policypolicy•Document Retention Schedules Document Retention Schedules (especially email)(especially email)

•User trainingUser training•Audit and assessment to validate controlsAudit and assessment to validate controls•Forensic Analysis capabilitiesForensic Analysis capabilitiesoInternal discoveryInternal discoveryoOpposing counsel - "come and get it."Opposing counsel - "come and get it."

Preserve EvidencePreserve Evidence

•Records Management SystemRecords Management SystemoEnterprise wideEnterprise wideoLitigation support onlyLitigation support only

•System controlsSystem controls•EncryptionEncryption•Backup RecordsBackup Records•Notice to stop operations or Notice to stop operations or restrict data disposalrestrict data disposal

Open Meeting & Open Meeting & Sunshine LawsSunshine Laws

The use of e-mail and The use of e-mail and conferencing tools have raised conferencing tools have raised questions. questions.

If one Board member e-mails another about If one Board member e-mails another about school board business is that a violation of school board business is that a violation of the state’s sunshine laws?the state’s sunshine laws?

How about when board members use the How about when board members use the telephone, e-mail, or faxes to poll one telephone, e-mail, or faxes to poll one another about board business?another about board business?

What about soliciting feedback from the What about soliciting feedback from the public electronicallypublic electronically??

Open Meetings LawOpen Meetings Law

Electronic distribution of Board packets:OKElectronic distribution of Board packets:OK

E-mail between members considered a E-mail between members considered a written memo and is discoverable.written memo and is discoverable.

Interaction via e-mail, bulletin board, chat, Interaction via e-mail, bulletin board, chat, instant messaging, or video conference instant messaging, or video conference most likely constitutes a meeting and is in most likely constitutes a meeting and is in violation. violation.

Open Meetings LawOpen Meetings Law

Resource:Resource:

Robert FreemanRobert Freeman

Committee on Open GovernmentCommittee on Open Government

www.dos.state.ny.us.coogwww.htmlwww.dos.state.ny.us.coogwww.html

[email protected]@dos.state.ny.us

Board’s web feedback criticized Elizabeth B. Guerard, Assistant Editor

A Pennsylvania school board’s use of comments received over the internet has set off a controversy involving the state’s sunshine laws, which require

open access to public meetings.

When Central Bucks School District officials were faced with tough decisions that would uproot and place some 2,800 students in new schools, they solicited feedback from parents over the internet instead of using the

traditional, face-to-face format of a school board meeting.

Administrators at the Doylestown, Pa.-based district—the third largest in the state—say the process made it easy for them to see where the greatest

need for change was. But some parents who were unhappy with the proposed changes have questioned the validity of transferring the

democratic process online.

For one thing, the hundreds of electronic comments that were posted to the district’s web site were not made public. Barry Kaufmann, executive

director of Common Cause Pennsylvania, a state public interest lobby, said parents should be concerned that comments made online were not shared

with others in the community.

Private web forum snags school board eSchool News staff and wire service reports

Members of the Beaufort County (South Carolina) School Board and district Superintendent Herman Gaither have come under fire for using a private internet

bulletin board to discuss school district matters. The private electronic forum might constitute a violation of the state’s freedom of information laws, a South Carolina

media attorney says.

The issue raises questions about how existing laws meant to ensure the open exchange of public information should be applied to modern technologies such as

eMail and the internet.

Gaither said he set up the bulletin board so he could share information with board members on “sensitive or semiprivate information.” Only Gaither and board members had access to the site, which let them read and respond to internal

messages.

Jay Bender, the attorney for the South Carolina Press Association, said the state’s Freedom of Information Act prohibits public agencies from using technology to

conduct their business in private and that the bulletin board might violate the law.

Domain NamesDomain Names

Norwichschools.org vs Norwichschools.comNorwichschools.org vs Norwichschools.com

Purchase all available namesPurchase all available names

Maintain all school domain names rigorouslyMaintain all school domain names rigorously

Porno site appears under school namePorno site appears under school name

High cost of re-purchaseHigh cost of re-purchase

Legitimate third parties have put up school Legitimate third parties have put up school web sites that many parents believe is the web sites that many parents believe is the “official” school site.“official” school site.

Irate e-mails that school didn’t respondIrate e-mails that school didn’t respond

CIPA & E-RateCIPA & E-Rate

Must certify that Must certify that all usersall users are protected from are protected from inappropriate materialsinappropriate materials

Must have public meetingMust have public meeting

Must have AUPMust have AUP

Software AuditsSoftware Audits

LA SchoolsLA Schools

RICs/Schools/BOCESRICs/Schools/BOCES

P.O.’s, Licenses, Hard drive snapshotsP.O.’s, Licenses, Hard drive snapshots

Data MonitoringData Monitoring

Q2a) Does your district monitor access to student records? N=381Q2c) Does your district monitor student e-mail? N=381

Monitoring student e-mail, as well as who is accessing that data, is a first line of defense in

keeping networks and students safe, yet: • 56 percent of districts do not monitor student e-mail

• 16 percent do not keep track of who is accessing student information

Percentage of districts monitoring student e-mail

Percentage of districts monitoring access to student data

Network AccessNetwork Access• Access Access

3939 percent of districts allow outside devices on the network, percent of districts allow outside devices on the network, increasing the chance of introducing viruses and other malware to increasing the chance of introducing viruses and other malware to the network.the network.

Q3) Does your district allow non-district owned devices to access the district’s network? N=381

“In the last year, we’ve prevented faculty and students from installing

software. We now remotely push out software because it can be very

dangerous when they do this on their own.”

User AuthenticationUser Authentication• AuthenticationAuthentication

Without proper authentication, districts may not Without proper authentication, districts may not become aware of holes or intrusions until it’s too latebecome aware of holes or intrusions until it’s too late

1111 percent of rural districts and percent of rural districts and 1919 percent of western percent of western districts do not authenticate usersdistricts do not authenticate users

Tactic: Authentication limits the threat of malicious activity on the network. Consider

dual-factor authentication with password and revolving key for access to sensitive data

Q3) Does your district authenticate users to the network? N=381

•While acceptable use policies (AUP) are nearly universal While acceptable use policies (AUP) are nearly universal ((9999 percent of districts report having one), percent of districts report having one), 5555 percent of percent of districts update AUPs no more than once a year.districts update AUPs no more than once a year.

Tactics: AUPs should be treated as living documents, posted on district Web sites, and updated as often as

necessary.

All users should sign an AUP before receiving access to district computers and networks.

Educate students and teachers throughout the year about online

safety.Q5b) How often is the AUP updated? N=381

EducationEducation

Network ProtectionNetwork Protection95 percent block or limit Web sites95 percent block or limit Web sites

89 percent place computers in view of adults89 percent place computers in view of adults

81 percent monitor student Web activity81 percent monitor student Web activity

38 percent maintain a closed district network38 percent maintain a closed district network

Q9b) Does your district do any of the following to protect students while they are online at school? N=381

Tactic: Many districts are turning to closed networks to limit access to only filtered content and

to monitor e-mail communication.

Districts can also evaluate Web sites on a regular basis to block them or make sites available,

protecting First Amendment rights.

Tactics

•Districts rely on filtering software as a primary defense Districts rely on filtering software as a primary defense method. More districts could benefit from using safety method. More districts could benefit from using safety education as a tool to improve security.education as a tool to improve security.

Tactic: Filtering software is not a substitute for educating students,

parents and staff about the dangers of the Internet. Districts need to

engage the entire community in the IT security process.

Q10) What are some additional ways your district protects students while they are online? N=375

Network ProtectionNetwork Protection

“I would say that we’re constantly looking for ways to improve. At a

minimum, [these new technologies] take a lot of management. What we’re looking for as technology evolves are

new ways to defend.”

IT Security Defenses

IT BreachesIT Breaches•99 percent of districts report at least one IT security percent of districts report at least one IT security breach in the last 12 months.breach in the last 12 months.

Q7) Have you experienced any breaches in IT security in the last 12 months?

Breaches by Metropolitan AreaBreaches by Enrollment

Urban and large districts are at greater riskUrban and large districts are at greater risk66 percent of districts say their networks are somewhat or very percent of districts say their networks are somewhat or very vulnerable to attackvulnerable to attack

Respondents say that a lack of funding and sufficient staff Respondents say that a lack of funding and sufficient staff resources are the biggest barriers to improving district resources are the biggest barriers to improving district security.security.

Q11a) What are your district’s main barriers to Improving IT security?

What are the biggest barriers to security?

IT BarriersIT Barriers

IT Breaches & Barriers – Tool UsersIT Breaches & Barriers – Tool Users 2323 percent of tool users reported an IT breach in the last twelve percent of tool users reported an IT breach in the last twelve

monthsmonths

““Lack of budget” and “too few human resources” come out as top Lack of budget” and “too few human resources” come out as top barriers to improving IT security at barriers to improving IT security at 7474 percent each percent each

Q) Have you experienced any breaches in IT security in the last 12 months?Q) What are your district’s main barriers to Improving IT security?

Campus AccessCampus AccessAt 63 percent, security cameras are the preferred access control

method among districts.

•Cameras, restricted entry and access cards are cited as having the most effective impact on physical security

•Retrofitting older buildings can be costly, hampering improvement efforts, forcing many schools to still use traditional locks and keys

Q19) Does your district currently use any of the following methods to monitor or control access to the buildings in your district? N=381

Q22) What changes implemented by your district have made a positive impact in physical security? N=381

Tactic: Most districts do not have real-time access to sex offender

registries. Districts can add another level of security by cross-checking

visitors with the registry before granting visitors access to

campuses.

Effective Security Tools

•During an emergency, real-time access and instant During an emergency, real-time access and instant communication with local authorities improves response time and communication with local authorities improves response time and the ability to quickly address situations. the ability to quickly address situations.

Only Only 35 35 percent of districts are connected to authoritiespercent of districts are connected to authoritiesIs your district connected via the Internet to

local authorities?

Tactic: Work with local fire departments and police to coordinate

emergency plans and communication.

Run regular mock drills to work out issues ahead of time.

Consider IP security cameras to give authorities an “inside view” of

schools.

Q24) Are the schools in your district connected via the Internet to local police and fire departments in case of emergencies? N=381

Local AuthoritiesLocal Authorities

Faculty CommunicationFaculty Communication•Districts rely heavily on traditional communication Districts rely heavily on traditional communication methods, like the phone and intercom, to reach faculty methods, like the phone and intercom, to reach faculty during emergencies.during emergencies.

Less than Less than 3 3 percent of districts use cell phones as a toolpercent of districts use cell phones as a tool

Weather-related Faculty Communication Emergency-related Faculty Communication

Q25) In a weather emergency, during school hours, how does your district communicate with faculty? N=381

Parent CommunicationParent Communication•To reach parents during emergencies, districts use the To reach parents during emergencies, districts use the phone far more than any other communication tool.phone far more than any other communication tool.

Weather-related Parent Communication

Q26) In a weather emergency, during school hours, how does your district communicate with parents? N=381

Emergency-related Parent Communication

Only Only 1 1 percent of districts report that they are considering emergency percent of districts report that they are considering emergency alert/notification systems that send e-mail and text messages to alert/notification systems that send e-mail and text messages to pre-selected groupspre-selected groups

•2121 percent of districts report experiencing a physical percent of districts report experiencing a physical security breach in the last 12 months; security breach in the last 12 months; 5050 percent of percent of urban districts have had a breach.urban districts have had a breach.

Q23) Has your district experienced any breaches in physical security in the last 12 months? N=381

Physical BreachesPhysical Breaches

“Physical security has definitely been on our radar screen for a

while. Columbine was, I think, the catalyst that has really increased

security awareness.”

Respondents say a lack of budget, tools and staff are the Respondents say a lack of budget, tools and staff are the biggest barriers to improving physical security.biggest barriers to improving physical security.

Q11a) What are your district’s main barriers to Improving physical security? N=381

What are the biggest barriers to physical security?

Physical BarriersPhysical Barriers

“We’ve done a lot of planning and thinking and some practicing, and what

led to all that was our growth. We’re growing so fast that we’ve had to sit

down and really think about the issues we will have to face in the future.”

Documents

Risk Management for Technology Exposures National Charter Schools Risk Management for Technology Exposures National Charter Schools Pete Reilly [email protected]