Educating end users key to controlling online environments

Creating a secure and safe computing environment is never an easy task especially when you are responsible for the diverse requirements needed at one of Canada’s largest school boards.

David Klein, network analyst, computer services with the Toronto Catholic District School Board (TCSB) and his team are responsible for walking a fine line in order to create a solution which allows for high levels of protection for those students in elementary school accessing the Internet, yet lessens the controls for high school students’ and administrative staff access.

“We can not provide a one size fits all solution,” he said, “so we have to tailor our solution to specific needs.”

The fine line Klein’s team has to walk is the educational mandate which allows children to explore thoughts and ideas, while remaining in a safe and controlled learning environment. While a larger corporation can write generic, role-based access rules, in an educational environment controls have to be very specific. Access may need to vary from class to grade.

Speaking at an event held in Toronto on Thursday, Klein explained that the TCSB has three overall goals: to protect the system, to protect the students and to aid teachers and staff in delivering educational content.

To achieve this security the TCSB uses a variety of Symantec Corp.’s products from basic firewall protection to Web access control and content filtering software. With over 200 different physical sites, the ability to centrally manage security was an absolute necessity, Klein said. The TCSB uses a variety of other technologies to control computer access.

For example, using a technology called Visual Casel, a teacher can limit the software applications students can use in a classroom so they are focusing on the lesson at hand. “You don’t want them doing their math homework…in geography class,” Klein said.

One similarity with a large-scale enterprise is the need to monitor the overall IT system since internal threats are very real. Though the vast majority of the 100,000 plus students are “really good,” Klein admitted the TCSB has “about 100,000 potential little hackers.” Curious and inquisitive students are a potential threat even though it may be unintentional.

The diligence has paid off. One student brought in a hacking tool on a floppy disk. As a default the TCSB systems scans all floppies. The tool was detected and erased, and unbeknownst to the student an audit trail lead Klein’s team back to the individual. The student was suspended.

“We are doing pretty well but we could still do better,” Klein admitted. “We really need to improve on educating our end users.”

Letting students know the systems are being monitored helps, he said.

Kiron Bondale agreed that end-user education is key, and without it a company is incredibly vulnerable. Without educated end users “all the technology in the world won’t protect you from and incident,” he said.

At MDS Inc., where Bondale is a senior project manager, the company uses a combination of spot checks and auditing along with educational programs, to see how security awareness in progressing. If spot checks find that a certain educational message is not sinking it, say locking down a screen when a user leaves his or her computer, MDS can re-focus and improve the educational message.

MDS, a company which employees about 10,000 people in the health care and life sciences sector, also sends out frequent FAQs of the “are you aware of?” variety. The change is not overnight, he said, but “you get incremental improvement.” The company also uses tools to monitor these improvements, “where we are compared to our (security) baseline,” he said. But he was adamant, “we are not trying to be cops.”

Since MDS is in the health care industry, the fallout from security problems is not just a media relations nightmare – the industry is heavily regulated by privacy laws such as the Health Insurance Portability and Accountability Act (U.S.) and the Personal Information Protection and Electronic Documents Act (Canada).

Klein said end-user education is a little more difficult in an academic environment since IT is actually competing with teacher and staff for the finite amount of educational hours available in a day. And though no big fan of the suspension, Klein admitted it does work since word of mouth in the school environment travels pretty fast.

In the corporate world of course, suspensions for ignoring appropriate use of policies tend to be permanent.