Case Study: Premier Collegiate School
You are the new director for Information Technology at PremierCollegiateSchool. The school teaches grade 7 through grade 12 with 300 students and 30 staff members and faculty. Each of the 10 administrative staff members has a dedicated desktop computer. The school’s principal has a notebook computer that she takes home and when traveling to conduct both school business and personal tasks. She maintains a Facebook account and has opened a MySpace account to monitor the activities of the students who also have such accounts. The teachers have 10 computers that they share in the teacher’s lounge to record grades and do all work associated with conducting their assigned classes (daily lesson plans, research, handouts, tests, quizzes, and final exams).
The school has two file servers. One is for administration business and the other serves student computing needs. The administration server has dedicated storage for each of the teachers and both hardwired access and wireless Local Area Network (LAN) access throughout the school. The student server has applications the students might need for their schoolwork, and provides wireless access for student-owned laptop computers. All students are required to have a laptop computer with wireless access. In addition, the school has a dedicated computer lab with 25 desktop computers for the students to use in computer science classes.
In your Lab Report file, list the risk elements at the school.
The following risk elements are apparent at the school:
Principal conducting business and personal tasks on same computer
Shared teacher computers – what levels of control/access are applied?
File Servers – levels of control/access are applied?
Network – can any systems be connected or is approval needed?
Wireless – can be an insecure connection method. Is authentication and transmission of information encrypted?
The school’s principal has requested that you prepare an IT asset list and a high-level prioritization or ranking of the IT assets given the function and purpose for administrative or student computing requirements. Fill in the table as follows:
Family Educational Rights and Privacy Act (FERPA)
Based on your experience and knowledge of schools, create a comprehensive asset list. Keep in mind that assets include more than just physical objects you can hold. Do not forget that assets include electronic information, such as student records, lesson plans, test banks, and so on. Assets also include key personnel, such as knowledgeable instructors and important administrators.
Determine the importance of each asset to the school function by ranking its placement on the list (starting with 1 as the most important, 2 as the second most important, and so on).
Using Figure 1 that follows the table, identify which of the seven domains of a typical IT infrastructure each asset resides in. The data, systems, or applications may have student privacy data elements.
Perform a high-level FERPA compliance assessment identifying where student privacy data resides and assessing the security controls protecting that data.
Prioritize each asset by assigning it a Critical, Major, or Minor classification
List three recommendations for IT security policies to help mitigate the risk exposures in the school’s IT infrastructure
Which IT assets did you prioritize as critical to administrative or student computing?
List your top five (5) risk exposures for which you believe this school should have specific risk-mitigation strategies.
Given the potential risks that you identified, what IT security policies would you recommend that the school create to help mitigate each of the identified risk exposures you listed in question #2?
True or false: FERPA compliance law is about protecting students’ privacy data, including personal information, grades, and transcripts. The law itself defines a privacy requirement but it does not specifically address security controls and security countermeasures.
Given that student privacy data is typically housed within administrative computers, systems, and databases, what can you do to mitigate the risk exposure that a student or someone on the student or school’s network can access these systems?
For a school under FERPA compliance law, do you think the administrative computing or student computing network infrastructure is more important from a business and delivery of education perspective?
The school monitors the use of student social networking on Facebook™, MySpace™, and Twitter™. What should the school define and implement if it wants to define acceptable and unacceptable use of school IT assets, Internet, e-mail, and use of personal laptop computers on the school’s network?