Best practices for schools to avoid identity theft

After a string of security breaches at universities, identity theft has become a huge issue for IT administrators. In a recent issue of School CIO, two experts offer tips on protecting schools from identity theft.

Larry Wong, information technology security officer for the 140,000-student Montgomery County Public Schools in Rockville, Md., and Matthew Kinzie, director of information technology for the Stanislaus County Office of Education in Modesto, Calif., which supports 24 districts with a total of 70,000 students, give advice on how to deal with id thefts.

"Unless you know understand what ID theft is and how it happens, you really won't know how to handle it," says Wong.

Phishing (directing users to realistic-looking but phony Web sites), stolen equipement, and spyware (which pollutes users' computers with ads) are areas that most CIOs should be aware of.

But Kinzie says that most most ID theft is of the low-tech variety. Employees, not students, are its victims. One way to gain information is for someone to call a district office with only an employee's name, for example, and then ask for another piece of information, such as work site. One call might not seem suspicious but it all adds up, Kinzie says.

Make sure that your school has a chief information security officer, who's responsible for reviewing all sensitive information. The CISO should be in charge of deactivating accounts. The office should also conduct employee awareness programs, and give advice on what kind of information an employee should not give out.

The obvious precautions are to make sure operating system patches, firewalls, anti-virus software, and filters are in place and up-to-date.

Of course there is the tried-and-true shredder. Wong suggests hiring a service to make on-site visits to do the job.