Databus Issue: 2008 1 01/28/2008

Best Practices

Phil Scrivano Vice President of Customer Service
What Are We Trying To Secure?

One of the first and most often overlooked steps in planning technology security is to figure out, and articulate, what you are going to secure. When we first felt the need to purchase firewalls, the reason given was to protect our children from the evils of the Internet. Now, 15 years later, most security issues seem to arise inside our own networks. For example, changing grades in the student information system (SIS) is the “Holy Grail” for students who want a reputation as a hacker. The SIS is a particular target because it must be accessible to administrators, teachers, and parents. The first step is to identify this issue along with all the other security issues you may have, such as wireless access and library computers. Once you have articulated what needs to be secured, you can plan and budget for the security it will take to give you some level of comfort in the reliability of the systems you are responsible for. Remember, though, that the highest level of security most often means that no one can use the secured service. Always try to strike a reasonable balance.

In order to demonstrate the type of work that needs to be done, I asked a good friend, Brad White, to respond to the question of securing an SIS. Here is his response:

It is very important to think through just exactly what “securing the SIS system” means. You have to consider all possible vectors of an attack. If you only secure the server running the SIS application, but allow users to have weak passwords then the system is less secure than it could be. You must be sure to spend some time thinking about the entire “system”. If the SIS server is secure, and all users have strong passwords, and all users have been trained about how to use the SIS application in a secure manner you may still not be secure. What about the network elements the SIS application traffic travels across? If you didn’t secure those, a student might be able to mirror SIS traffic to a sniffer workstation and obtain valid user credentials that they can then use to access the SIS application. As you can see, each attack vector exposes another part of the network to greater scrutiny. A good security policy begins with a clear and precise definition of what you are trying to protect.
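The sniffer scenario Brad describes is easy to confirm for yourself. The following is an added example, not code from the DataBus article or from Brad White: it plays the role of the student's sniffer workstation, reading whatever a mirrored port delivers. The sample traffic (hostname, paths, usernames and passwords) is constructed for illustration. The point it makes in running code is that a cleartext SIS login, whether a web form POST or HTTP Basic authentication, hands over working credentials to anyone on the wire, while the same login carried inside TLS shows the sniffer only an opaque record header. Run the same harvest against a capture of your own SIS traffic to check which case you are in.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample of payloads a sniffer on a mirrored switch port might see:
# a cleartext SIS form login, a request using HTTP Basic auth, an unrelated
# form POST, and a TLS record (what a login looks like once the SIS is served
# over HTTPS). Hostname, paths and credentials are invented for this example.
SAMPLE_PACKETS = [
    (b"POST /sis/login HTTP/1.1\r\n"
     b"Host: sis.example.k12.ca.us\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: 40\r\n\r\n"
     b"username=jteacher&password=Spring2008%21"),
    (b"GET /sis/grades?student=1042 HTTP/1.1\r\n"
     b"Host: sis.example.k12.ca.us\r\n"
     b"Authorization: Basic " + base64.b64encode(b"admin:letmein") + b"\r\n\r\n"),
    (b"POST /sis/search HTTP/1.1\r\n"
     b"Host: sis.example.k12.ca.us\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: 11\r\n\r\n"
     b"query=smith"),
    # TLS record: content type 0x16 (handshake), version 3.1, then opaque bytes.
    b"\x16\x03\x01\x00\x2f" + bytes(range(0x2f)),
]

# Form field names commonly used for login credentials (an assumption; extend
# this set to match the login form of the SIS you are actually checking).
CREDENTIAL_FIELDS = {"username", "user", "login", "password", "passwd", "pass"}


def classify(packet: bytes) -> str:
    """Label a captured payload as 'http', 'tls' or 'other'."""
    if packet[:1] == b"\x16" and packet[1:2] == b"\x03":
        return "tls"
    first_line = packet.split(b"\r\n", 1)[0]
    if first_line.endswith(b" HTTP/1.1") or first_line.endswith(b" HTTP/1.0"):
        return "http"
    return "other"


def extract_credentials(packet: bytes) -> dict:
    """Return every credential a passive observer can read out of one payload."""
    found = {}
    if classify(packet) != "http":
        return found  # TLS or unknown: ciphertext, nothing for the sniffer to read
    head, _, body = packet.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # HTTP Basic auth is only base64, not encryption: user:password in the clear.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        found["basic"] = (user, password)
    # A login form POSTed over plain HTTP carries the fields verbatim in the body.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("latin-1"))
        creds = {k: v[0] for k, v in form.items() if k.lower() in CREDENTIAL_FIELDS}
        if creds:
            found["form"] = creds
    return found


def harvest(packets) -> list:
    """Collect the non-empty credential sets from a list of captured payloads."""
    return [c for c in (extract_credentials(p) for p in packets) if c]


if __name__ == "__main__":
    for packet in SAMPLE_PACKETS:
        print(classify(packet), extract_credentials(packet))
```

The TLS case is deliberately the only one with no output: the sniffer still sees the traffic, it just cannot read it, which is why securing the network path (or, equivalently, encrypting the SIS session end to end) belongs in the definition of "securing the SIS" alongside server hardening and password policy.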
