Creating a secure and safe computing environment is never an easy task, especially when you are responsible for the diverse requirements needed at one of Canada’s largest school boards.
David Klein, network analyst, computer services with the Toronto Catholic District School Board (TCSB), and his team are responsible for walking a fine line in order to create a solution which allows for high levels of protection for those students in elementary school accessing the Internet, yet lessens the controls for high school students and administrative staff access.
The TCSB cannot provide a one-size-fits-all solution, he said, so it has to tailor its solution to specific needs.
The fine line Klein’s team has to walk is the educational mandate that allows children to explore thoughts and ideas while still in a safe and controlled learning environment. While a larger corporation can write generic, role-based access rules, in an educational environment controls have to be very specific. Access may need to vary from class to grade.
“We have three overall goals,” Klein said: to protect the system, to protect the students and to aid teachers and staff in delivering educational content.
For security, the TCSB uses a variety of Symantec Corp.’s products, from basic firewall protection to Web access control and content filtering software. With over 200 different physical sites, the ability to centrally manage security was an absolutely necessity, Klein said. The school board also uses a variety of other technologies to control computer access.
For example, using a technology called Visual Casel, a teacher can limit the software applications students can use in a classroom so they are focusing on the lesson at hand. “You don’t want them doing their math homework…in geography class,” Klein said.
One similarity with a large-scale enterprise is the need to monitor the overall IT system since internal threats are very real. Though the vast majority of the 100,000 plus students are “really good,” Klein admitted the TCSB has “about 100,000 potential little hackers.” Curious and inquisitive students are a potential threat even though it may be unintentional.
The diligence has paid off. One student brought in a hacking tool on a floppy disk. As a default the TCSB systems scans all floppies. The tool was detected and erased, and unbeknownst to the student, an audit trail led Klein’s team back to the individual. The student was suspended. “We are doing pretty well but we could still do better,” Klein admitted. “We really need to improve on educating our end users.”
Letting students know the systems are being monitored helps, he said.
Kiron Bondale agreed that end-user education is key, and without it a company is incredibly vulnerable. Without educated end users “all the technology in the world won’t protect you from an incident,” he said.
At MDS Inc., where Bondale is a senior project manager, the company uses a combination of spot checks and auditing, along with educational programs, to see how security awareness is progressing. If spot checks find that a certain educational message is not sinking in, say locking down a screen when a user leaves his or her computer, MDS can re-focus and improve the educational message.
MDS, a company which employs about 10,000 people in the health care and life sciences sector, also sends out frequent FAQs of the “are you aware of?” variety. The change is not overnight, Bondale said. “You get incremental improvement.” The company also uses tools to monitor these improvements, “where we are compared to our (security) baseline,” he said. But “we are not trying to be cops.”
But since MDS is in the health care industry, the fallout from security problems is not just a media relations nightmare. The industry is heavily regulated by privacy laws such as the Health Insurance Portability and Accountability Act (U.S.) and the Personal Information Protection and Electronic Documents Act (Canada).