An Important Decision

Risk and vulnerability in today’s school environment are of great concern not just to school boards, administrators and teachers, but also to parents and students. The technology behind IT security is often too much for a school’s IT staff to handle in-house, which can force them to rely on the expertise of an IT consultancy. Choosing a consultancy and bringing it on as a partner can be challenging.

“Security issues should be high on the list of concerns for K-12 school systems,” says Mike Meikle, CEO of the Hawkthorne Group, located in Richmond, Va. “The security and privacy of student data, especially those who are underage, is critical and is overseen by multiple federal regulations. These regulations come with substantial penalties if an entity is found to be in violation, as well as strict audit requirements around regulatory compliance. If student data is compromised, it is a tremendous public relations blow to the school. An organization will incur monetary penalties. Also, the loss of trust from the student body and parents can come with unforeseen repercussions.”

“K-12 isn’t concerned with the same impact of security vulnerabilities as corporations,” says Michael Davis, COO of Savid Technologies, a technology and security consulting firm in Chicago. “Most corporations are attacked for money, whereas K-12 usually have larger Internet connections, more PCs and servers that can be used by attackers as proxies, jump points or to implement Denial of Service attacks. K-12 has to be concerned with the privacy of their students, and must approach their security policies, consultants and controls differently.”

Evaluating Potential Consultants
There are many facets of IT security management that should be integral to an evaluation of a potential vendor for a K-12 school system.

Mike Meikle emphasizes the importance of evaluating asset management, or knowing what hardware and software the organization owns or is responsible for. “This includes laptops and desktops, mobile devices [such as] iDevices, smartphones and software licenses,” he says. “Without an effective and consistently managed asset management program, other security initiatives will be seriously deficient and vulnerable to exploitation.”

Meikle also emphasizes the importance of data protection, which should include a hard look at a potential vendor’s ability to manage and work around the critical and sensitive data found in a K-12 setting. “In most scenarios, 20 percent of an organization’s data is considered ‘critical,’” he says. “This may include health care records or personal student data. This information has to be located, identified and secured to ensure that it is sufficiently protected from compromise. Also, a robust plan to protect sensitive or critical data assists with federal regulatory compliance.”

Finally, Meikle posits that any evaluation of a potential IT security consultant must look at the vendor’s acuity in risk management. “An organization or school has to understand what the risks that could impact the institution are,” he says. “Once identified, these risks could then be managed, mitigated or accepted. This compilation of risks could then form the foundation of an overall strategic security plan for the organization.”

Part of the selection process will entail developing a specific evaluation matrix or list of criteria against which candidates can be evaluated.

“The top rating factors should include experience with regulatory compliance,” says Meikle. “Does the consultant have experience with HIPAA, FERPA, etc.? Do they understand how they impact educational institutions? Have they implemented strategies to meet regulatory compliance?”

He emphasizes that the selection team must also probe into the potential firm’s depth of experience. “Does the consultant or consulting firm have any education organization experience?” he asks. “Do they understand the cultural differences between state and federal organizations and private entities? What credentials does the staff hold and will the staff that is proposed in the RFP be the same that provides the onsite services?”

Another very important part of the selection criteria is the potential vendor’s project management ability. Do they have a project management methodology and do they have trained project managers on staff to guide their assigned projects to a successful completion?

Meikle points out that one unavoidable selection criterion is the set of technologies with which the vendor is experienced. “Do they understand database, application, server and endpoint security?” he asks. “Do they have IPS/IDS, firewall, authentication and monitoring experience? What is their specialty?”

Organizing the Selection Team
When it comes to selecting a vendor for a multi-year contract with a public entity such as a school system, committees are inevitable and are the usual way to organize the selection effort. “The makeup of the committee should reflect the major lines of business, project champion or executive and IT representation,” says Meikle.

Davis isn’t as keen on the use of a selection committee. He’d rather not see a committee, “unless all of those involved in the committee understand the topic or concern at hand. K-12 has such specialized people, it is difficult for a selection committee to look beyond price and focus on quality.”

“The organization that prepares the security policies, technology and processes must not be the same organization that audits the school for compliance,” says Meikle. He says to look for firms that are thought leaders or innovators in their space. “Security is an ever changing industry, and the best firms are the ones that provide whitepapers, articles or books on the latest security topics. K-12 organizations cannot control the type of threats that attack them, but they can control their vulnerability to those threats,” he says. “Having a consultant that is staying ahead of the threats that are out in the world will help the school understand their true vulnerability.” 

Jim Romeo is a freelance writer based in Chesapeake, Va. He may be contacted through his website at www.JimRomeo.net.
