The NYCDOE’s Information Security vision is of an environment in which the right people within the greater NYCDOE community have the right access to the right data, when and where they need it.
Goal and Strategy to Obtain Vision
This vision may seem somewhat unusual for a security organization. Where is the traditional cry of alarm over viruses? Spyware? Hackers? Too often, the focus of security is to act as a technology “cop,” playing whack-a-mole with specific technical threats, with the end result of “protecting” information by preventing access to it. This model is counterproductive, and runs contrary to the very purpose of information technology, which is to facilitate the creation of value from information. The NYCDOE’s information security strategy was conceived with this in mind, and its focus is on providing users with the greatest possible access to the information they need without placing that information at excessive risk. Are viruses still a problem? Of course they are, and they must still be fought off. But eliminating a virus infection does not, in and of itself, contribute positively to achieving the NYCDOE’s vision for information security, and therefore is not the primary focus of this strategy.
The traditional model for information security is that of the fortress: a highly secured perimeter into which users must be allowed in order to access data. This is exemplified at the NYCDOE by the physical separation of network access between classrooms and administrative offices. This model is adequate if all data use takes place in administrative offices, but once data needs to be accessed from locations that are less secure, the model falls short. This limits current access to such data to a relatively small number of individuals, and often bases such access more on work location than on actual need. A similar situation arises when there is a need to access data from outside of the NYCDOE’s infrastructure; a virtual door in the perimeter is opened, through which basic system and data access is possible. However, setting up this virtual entrance is complicated and cannot be reasonably sustained for more than a handful of administrative users. It is certainly not a practical option for students, teachers, or parents. The result, again, is that access to data is limited to a very small number of individuals, and often not those best able to further the NYCDOE’s instructional mission.
When looking at the applications and data themselves, things play out rather differently. Because security is controlled so tightly at the physical level, applications themselves have been developed with weaker built-in protections, relying instead on the fact that they could only be accessed from locations that were secure in and of themselves. This causes a serious problem when access needs to be expanded beyond the secure perimeter. Like a balloon squeezed at one end, application-level protections must be increased to compensate for weakened physical security. In most cases, the current application security is simply not strong enough to support the desired expansion of physical access.
All this is not to say that no progress has been made. As the NYCDOE began rolling out its Accountability initiative, a parallel effort was undertaken to improve the NYCDOE’s information security infrastructure. This effort resulted in a significant improvement of the NYCDOE’s security capabilities, particularly in the area of vulnerability management. These improvements allowed the NYCDOE to begin opening the door to sensitive data. However, to achieve the NYCDOE’s ultimate goals of widespread data access, additional work is required.
Target State (Future State)
Two primary drivers, common both to the NYCDOE and to the K-12 education industry at large, motivate the NYCDOE’s information security strategy. These are the desire to enable data-driven instruction and accountability at the school level and the increasing need for both students and staff to access data and applications regardless of whether they are in a classroom, in a central office, or at home.
One of the largest trends in K-12 education today is the increasing use of data by staff at all levels to make a wide range of instructional decisions and to hold schools accountable for results. The NYCDOE has embraced this strategy whole-heartedly with the Children First Accountability initiative and the first data-driven decision-making tool, ARIS, which made unprecedented amounts of student data available to school staff. ARIS, however, is only the beginning. Many features planned for the future involve driving data access even further into the schools, whether by deploying school-based student systems (e.g., ARIS Local), by the expansion of periodic student assessment programs, or with the ever-increasing number of commercial third-party student data systems available to schools. Given the NYCDOE’s commitment to data-driven decision making at all levels, it is clear that data can no longer be “locked up” for use by the privileged few; it must be made available when and where it’s needed, without compromising security.
Ubiquitous Data Access
One of the NYCDOE’s most successful recent applications is the much-lauded and award-winning FitnessGram, which allows physical education teachers to track fitness information for the students they teach. FitnessGram is so successful in part because it places relevant information about students in the hands of teachers when and where they can best use it – in the teaching environment. This is possible in the current security environment because the data presented by FitnessGram is not considered sensitive or confidential. It doesn’t take a major leap to realize the value that real-time access to student academic data could provide to a classroom teacher. However, because academic data is highly confidential and legally protected, it requires a greater level of protection. At the other end of the data access spectrum are students themselves, who frequently use school-based systems to do anything from taking a test to saving a homework document. Again, it is not hard to see the value of allowing students to access these systems from home – presumably where they are located when they do their homework and thus where such access would be most valuable.
The Evolving Risk Landscape
As the uses of technology in schools have evolved, so too have the associated risks. The value of making data available to the right people is unquestionable, but the value of such data to the “wrong” people has increased considerably as well. Where the primary concern was once the productivity disruption caused by an otherwise-harmless virus outbreak, today’s malicious software is capable of finding and stealing sensitive data. The situation gets even grimmer when an active attacker such as a computer hacker attempts to gain access to steal – and sell – this data. Is this really such a big problem? Of what commercial value is student data anyway? A child’s stolen identity may not be useful for opening credit card accounts, but it can be quite valuable for defrauding entitlement programs such as Medicaid and public assistance. Not serious enough? There is also the internet trade in personal information about children used by pedophiles to locate victims. Finally, there are numerous federal, state, and local laws and regulations governing the use, transportation, and storage of sensitive data with which the NYCDOE must comply.