An assistant principal at Willie J. Hargrave High School in Huffman, Texas, sits in front of a 46-inch monitor and scans through images captured by 75 IP surveillance cameras. Views of the campus perimeter, building entrances and locations where valuable, portable equipment is stored flash on the screen. Hallways and corners where students regularly congregate and mingle also are continuously monitored.
That's because physical security in schools involves more than thwarting intruders and curbing theft and vandalism, says Mimi Morrison, director of technology for Huffman Independent School District, of which Hargrave High School is a part. Protecting young people from their own worst impulses – and those of their classmates – is equally important.
“Our security officers and school administrators kept asking that we have more cameras inside, not so much to stop theft as to prevent fighting and bullying,” Morrison says. “Bullying is becoming a very big deal in education. We're here to provide tools to help solve problems.”
The range of problems that IT teams are being asked to address seems to increase by the day. For many, security-related responsibilities now extend far beyond the safeguarding of networks and digital assets. Securing the campus, often via IP surveillance or electronic access-control systems, and protecting students from inappropriate, exploitative or illegal Internet content also fall within the IT department's purview – not only for Huffman ISD, but for an increasing number of districts around the country.
According to Linda Sharp, project director for the Cyber Security for the Digital District and the IT Crisis Preparedness leadership initiatives at the Consortium for School Networking (CoSN), IT managers need to defend all these fronts – and probably more – if they want to ensure the safety of students, staff and information. “Schools are using technology for everything. It's become an integral part of the business of education,” she says. “Security that covers all that they do is critical.”
Securing educational facilities, the people who inhabit them and the resources that make learning possible requires a delicate touch, however. “Education is a different breed of cat,” says former military communications officer Jeff Kelley, who now serves as director of information systems for Camden County Schools in Kingsland, Ga. “In other environments, you can lock down networks and buildings almost completely. Here, we try to protect our users from themselves without getting in the way of learning.”
More than 90% of 1,600 K–12 technology coordinators, administrators and teachers surveyed believe cyberethics, cybersafety and cybersecurity should be taught in schools. But only 35% of surveyed teachers report that such topics are required components of their school districts' curricula.
Source: “The State of K–12 Cyberethics, Cybersafety and Cybersecurity Curriculum in the United States” (2010), National Cyber Security Alliance
By the time Huffman ISD finished installing its IP surveillance system last year, 243 Axis Communications cameras were monitoring the district's six schools. A Milestone Systems IP video management system links the cameras and lets an assistant principal or security guard quickly move from view to view and check the live feed against recorded images.
Morrison's team selected and installed the hardware and software and keeps the system up and running, but she says the most important step in the process was listening to school administrators to find out where the cameras should be located and what features would make the system most useful.
“We don't watch the monitors or confront the kids when they do something wrong, but we have to pay attention to the people who do,” she says.
“I see our job as providing the most exciting educational resources [we can] in a safe and secure environment, and that includes physical security.”
In the wake of terrorist attacks and school shootings, many districts have enhanced their facilities' physical security with increased surveillance, access cards, lockdown policies and automated emergency alert systems, CoSN's Sharp says. Given the proliferation of notebook carts in classrooms and one-to-one computing programs, they're also turning to technologies such as Absolute Software's Computrace LoJack for Laptops to track lost or stolen devices.
Kurt Madden streamlined Fresno Unified School District's technology infrastructure through select vendor partnerships.
Photo: Robert Houser
Huffman's IT department already has deployed proximity card access in some sensitive locations and plans further installations in the future, says Network Administrator David Carpenter. Access control is one area in which the school district's physical and network security are converging, he adds.
“We'll start by upgrading our physical access-control systems,” Carpenter continues, “but in 10 years, the same card might be used to get into the building, log on to the computer, take attendance and buy lunch.”
Kurt Madden, chief technology officer for the 106-school Fresno (Calif.) Unified School District, expects radio-frequency identification badges to one day be the norm. But for now, he'll settle for strong passwords.
“Network security systems keep getting better, but a lot of security has to do with raising awareness,” he says. “We talk about security, and we require eight-character passwords that get changed [regularly]. We also use the best tools we can find.”
Given the district's size, Madden chose to streamline its technology infrastructure and standardize products from Cisco Systems, Microsoft, Hewlett-Packard and AT&T. The IT staff also simplified network security by implementing Microsoft Forefront Threat Management Gateway, a unified threat management solution that protects against spam, viruses and other intrusions.
“For a long time, you had to buy antivirus, antispam, and intrusion detection and prevention as separate tools, which takes more management and integration,” Madden says. Forefront's “built-in antispam feature catches about 10 million pieces of spam a day, and we also use it to push out antivirus updates to all our PCs.”
When it comes to security, Camden County Schools' Kelley believes standardizing and centralizing technologies are essential. “When I came here, there was a mishmash of operating systems and hardware, and every school was choosing its own antispam and antivirus solutions,” he says of the 12-school district near Georgia's coast. “We standardized on Microsoft Windows XP, HP and Cisco, and then we started blocking and filtering and pushing out antivirus updates. Before that, we had entire systems go down at schools every few weeks because an infected computer spread a virus through their network.”
Network Engineer John Bailey says Camden County Schools also struggled with a general lack of awareness of security issues. Not long after he and Kelley joined the IT department, they discovered that 1,100 of the district's computers used “the same login and password – the admin setting,” he says. “We're working to raise awareness as we work on getting the right tools in place and doing the monitoring and management we need.”
CoSN's Sharp says security doesn't receive the focus or funding it needs in many districts because administrators underestimate the value of the information on their networks. “It's not just student assessment data,” she warns. “You've got Social Security numbers, addresses, staff bank account numbers for direct deposit. The IT people recognize the potential damage and loss that can take place, but administrators have to understand the legal liabilities they're facing.”
Taming the Wild, Wild Web
One source of damage that has received much attention in recent years is inappropriate Internet content and its effect on young people. The Children's Internet Protection Act of 2000 requires districts receiving E-Rate technology funding from the Federal Communications Commission to block pornographic, deceptive or illegal content.
Barring students from the nasty regions of cyberspace while simultaneously supporting their desire to explore and learn is a big part of Mark Choi's job. As the manager of instructional technology for the Bellevue (Wash.) School District, which serves approximately 17,000 students in 27 schools, Choi works to ensure that all content transmitted through district resources is suitable for all audiences.
“You have to provide filtering and restrictions,” Choi says, “and the technology is there to do that pretty easily. Management is key, however, because you need to update sites frequently.”
Content-filtering technology can block sites by category, which reduces management time. Different filtering policies apply to different types of users, and a good tool should allow the IT department to set policies on an account-by-account basis. “Granularity and flexibility are important,” Choi adds. “We've been using filtering technology for a decade and Websense since 2003, with lots of updates to stay ahead of the kids.”
For a checklist of questions to ask in a security audit, go to edtechmag.com/k12/security310.
Almost every aspect of security is a balancing act between safety and access to information; content filtering is especially difficult. “There's a growing trend to lower filtering as students get older,” Fresno USD's Madden says. “High schools request more and more access. We have an advisory committee that reviews filtering decisions. There's a lot of gray in security. It helps to have a group of individuals decide what's educational and what's harmful.”
With buildings full of tech-savvy students, K–12 districts have no choice but to embrace new technologies and communication methods if they want to keep students excited about learning, Huffman ISD's Morrison says. “We're open to blogs, wikis – anything within reason,” she says, “but we also need to safeguard students as they use them.”
The simple reality, Huffman's Carpenter adds, is that all aspects of a successful security strategy hinge on vigilance among IT staff and general users. “The real job,” he says, “is changing the mentality so that security is a prerequisite to everything we do, rather than an afterthought.”
Lines of Defense
A school district's size and budget often dictate the breadth and depth of its IT security infrastructure, but some components are essential.
For network security:
- Antispam software or appliances
- Antivirus technology
- Content-filtering technology
- Authentication and access-control technology
- Backup systems
For physical security:
- IP surveillance systems
- Smart-card access control
- Tracking tools for mobile devices