An Important Decision

• By Jim Romeo
• 12/01/11

Risk and vulnerability for today’s school environment is of great concern to not just school boards, administrators and teachers, but also to parents and other students. The technology behind IT security and vulnerability is often too much for a school IT staff to handle organically, and can force them to rely on the expertise of an IT consultancy. Choosing a consultancy and bringing them on as a partner can be challenging.

“Security issues should be high on the list of concerns for K-12 school systems,” says Mike Meikle, CEO of the Hawkthorne Group, located in Richmond, Va. “The security and privacy of student data, especially those who are underage is critical and is overseen by multiple federal regulations. These regulations come with substantial penalties if an entity is found to be in violation, as well as strict audit requirements around regulatory compliance. If student data is compromised it is a tremendous public relations blow to the school. An organization will incur monetary penalties. Also, the loss of trust from the student body and parents can come with unforeseen repercussions.”

“K-12 isn’t concerned with the same impact of security vulnerabilities as corporations,” says Michael Davis, COO of Savid Technologies, a technology and security consulting firm in Chicago. “Most corporations are attacked for money, whereas K-12 usually have larger Internet connections, more PCs and servers that can be used by attackers as proxies, jump points or to implement Denial of Service attacks. K-12 has to be concerned with the privacy of their students, and must approach their security policies, consultants and controls differently.”

Evaluating Potential Consultants
There are many facets of IT security management that should be integral to an evaluation of a potential vendor for a K-12 school system.

Mike Meikle emphasizes the importance of evaluating asset management, or knowing what hardware and software the organization owns or is responsible for. “This includes laptop and desktops, mobile devices [such as] iDevices, smartphones and software licenses,” he says. “Without an effective and consistently managed asset management program, other security initiatives will be seriously deficient and vulnerable to exploitation.”

Meikle also emphasizes the importance of data protection — which should include a good hard look at a potential vendor’s ability to manage and be around critical and sensitive data that might be found in the K-12 management setting. “In most scenarios, 20 percent of an organization’s data is considered ‘critical,’” he says. “This may include health care records or personal student data. This information has to be located, identified and secured to ensure that it is sufficiently protected from comprise. Also, a robust plan to protect sensitive or critical data assists with federal regulatory compliance.”

Finally Meikle posits that any evaluation of a potential IT security consultant must look at the vendor’s acuity in risk management. “An organization or school has to understand what the risks that could impact the institution are,” he says. “Once identified, these risks could then be managed, mitigated or accepted. This compilation of risks could then form the foundation of an overall strategic security plan for the organization.”

Part of the selection process will entail developing a specific evaluation matrix or list of criterion for which they can be evaluated.

“The top rating factors should include experience with regulatory compliance,” says Meikle. “Does the consultant have experience with HIPAA, FERPA, etc.? Do they understand how they impact educational institutions? Have they implemented strategies to meet regulatory compliance?”

He emphasizes that the selection team must also probe into the potential firm’s depth of experience. “Does the consultant or consulting firm have any education organization experience?” he asks. “Do they understand the cultural differences between state and federal organizations and private entities? What credentials does the staff hold and will the staff that is proposed in the RFP be the same that provides the onsite services?”

Another very important part of the selection criteria is the potential vendor’s project management ability. Do they have a project management methodology and do they have trained project managers on staff to guide their assigned projects to a successful completion?

Meikle points out that an unavoidable selection point must focus on technologies with which they are experienced. “Do they understand database, application, server and endpoint security?” he asks. “Do they have IPS/IDS, firewall, authentication and monitoring experience? What is their specialty?”

Organizing the Selection Team
When it comes to selecting a vendor in a multi-year contract for a public entity such as a school system, committees are inevitable and the way to organize the selection effort. “The makeup of the committee should reflect the major lines of business, project champion or executive and IT representation,” says Meikle.

Davis isn’t as keen on the use of a selection committee. He’d rather not see a committee, “unless all of those involved in the committee understand the topic or concern at hand. K-12 has such specialized people, it is difficult for a selection committee to look beyond price and focus on quality.”

“The organization that prepares the security policies, technology and processes must not be the same organization that audits the school for compliance,” says Meikle. He says to look for firms that are thought leaders or innovators in their space. “Security is an ever changing industry, and the best firms are the ones that provide whitepapers, articles or books on the latest security topics. K-12 organizations cannot control the type of threats that attack them, but they can control their vulnerability to those threats,” he says. “Having a consultant that is staying ahead of the threats that are out in the world will help the school understand their true vulnerability.” 

Jim Romeo is a freelance writer based in Chesapeake, Va. He may be contacted through his website at www.JimRomeo.net.