The ink wasn't dry on Chris Dawson's posts (Laptops for teachers and How about handhelds for teachers?) when yet another news report admitted to the theft of yet another government-owned laptop containing tens of thousands of names of potential victims of identity theft. Well, just how stupid can these people be?
When all of this technology was new, before Windows 2000, before WiFi and VPN, there might have been some reason why this data had to be stored locally to be useful. Today there are many different ways to keep data secure yet make it available from pretty much anywhere in the world where those entrusted with that data might find themselves while performing their professional duties. So ... is there any excuse whatsoever for allowing sensitive data to be stored on a mobile device? Nope. None. Nada.
While student records do not rise to the level of financial records (or even criminal records), before any teacher is issued a laptop or a handheld device, Education IT needs to establish guidelines for the prudent use of those tools, and clearly-defined sanctions for their misuse.
But first, here are just a few 'common sense' settings which education IT should include with a laptop or handheld:
- Password protection. Especially for laptops. The person entrusted with the device should have to log in to the device using a password only they know. (Not even the IT department should know an individual's password.) The Education IT department should have a separate administrator password assigned to the laptop as well. This is critical to keeping the casual thief (or their fence) from accessing the data on the device. It won't keep them from re-installing the OS so they can use the device, but it will make it harder for them to access the data they stole when they stole the device.
- Virus protection. Every computer with any access to the web should have virus protection installed and updated at least weekly through an automated update process. This keeps malware found in e-mail attachments and web downloads at bay.
- Spyware detection. This is also an essential component of security to keep malware from invading these systems and snooping on the people entrusted with them.
- Firewall. Most modern operating systems come with firewalls installed. Before connecting any device to the Internet, make sure the firewall is turned on! Or alternatively, make sure that the network you are accessing is 'trusted' and has a firewall in place between the computer and the Internet.
These are technical characteristics and really need not apply to handhelds in most cases, but any laptop without these services in place is at risk.
The data itself is another matter. Education IT should make sure that all student data is stored on a central server which is itself sitting behind a firewall -- in a secure "machine room". The data should be accessible only with a username and password known only to the individual seeking access. Web-based applications are the most convenient way to provide this access to the educator because they require no special software on the laptop or handheld. Ideally, direct access to this data is blocked by your network firewall, requiring the educator who has been issued the laptop to use VPN when off-campus to gain access to the network where the data is stored. This is especially useful in a WiFi setting. If your local network has WiFi, you should even consider isolating your campus WiFi from your LAN and requiring VPN to get behind your network firewall. This makes it harder for someone lurking in your parking lot to gain access to your sensitive data.
And finally ... TRAINING, TRAINING, TRAINING!
Teach your educators how to use these mobile devices. If your educators understand why these safeguards are in place, they will be less likely to look for ways of bypassing them to save time. Let your educators know the perils of leaving student data they are working on unprotected on their laptops and handhelds. Stress that while these devices are incredibly useful for preparing and delivering curricula and lesson plans, they are not the best place to store data about students which could be used improperly by someone else.
Encourage your educators to rely on your servers for longer-term data storage by providing them personal space on your servers.
And of course, nobody wants to talk about sanctions -- especially when they involve honest mistakes, but ...
How often these days do well-intentioned individuals in an educational setting get publicly raked over the coals because they didn't know what others (mainly politicians) thought they should have known all along?
Our educators are not just 'disagreeable' users who are our adversaries. They are the people that Education IT is intended to serve -- so they can better serve our students. We need to properly arm them with the tools they need to do their jobs the best that they can.
Where sensitive data is concerned, it is our job to provide safe and secure tools so that educators can do their jobs, but it is also our job to set expectations for the proper use of those tools. Misuse needs to be addressed swiftly and fairly in order to avoid what starts out as a minor infraction turning into a full-blown incident involving the educator, the school district, and the legal system.