Monday, 22 May 2017

Monetising Your School’s ICT Facilities


Independent schools spend a significant amount of money on ICT facilities both to enhance the learning environment and to ensure the smooth running of the school’s administrative function. Whilst most schools will look to incorporate messages about their ICT facilities into their marketing literature to attract new pupils, there is also the opportunity to leverage ICT to generate income from other sources too.

Technology plays an important part in most people’s lives nowadays, and when booking social, educational or leisure activities, having access to good technology, such as fast Wi-Fi and Internet connectivity, forms an important part of people’s decision-making process in choosing a venue for such events. This is something which Independent Schools can capitalise on, since they have these facilities anyway, and they are often lying dormant, or at least under-utilised, during the school holiday periods.

ICT suite(s) are an obvious facility that can be let out in the school holidays to summer schools, clubs or local groups. However, lettings do not need to be restricted to the ICT suite alone nowadays, since most independent schools now enjoy school-wide Wi-Fi and support for BYOD (Bring Your Own Device). This presents the opportunity to let out any classroom, allowing guests to bring their own equipment and effectively set up an ICT suite "on the fly".

Many Independent Schools have also invested in a music technology suite, a desirable facility that can be let to groups, clubs and budding local musicians during periods when the school is not using it.

Wi-Fi is also now considered a "must have" for events such as weddings, parties, summer schools or business conferences. Whilst they are not always aware of it, many schools’ Wi-Fi systems offer the facility to generate restricted-duration tickets for guest Wi-Fi access, as well as the ability to charge for Wi-Fi access in the way that many hotels do, typically offering a basic level of connectivity for free and then charging a fee for higher speed/capacity.

Most schools have also bitten the bullet and paid the charges needed to get high speed leased line Internet connectivity into their premises. However, many smaller businesses or clubs in the area cannot necessarily afford this type of cost. This offers another opportunity for Independent Schools to provide a slice of their internet connectivity to a local small business, golf club, sports club, etc. as an income generator for the school.

So one way and another there is much that schools can do to leverage their ICT and create an additional income stream from it.

Naturally if you're planning to provide access to your school ICT facilities to outsiders, then some suitable security provisions need to be put in place. This is relatively straightforward though, since firewall policies can be set up and Wi-Fi configured such that guests are kept completely separate from the school's network traffic and systems.

If you would like more information on this topic, please do not hesitate to contact me on 0330-002-0045 or email schools@entrustit.co.uk.

Monday, 8 May 2017

Preparing for GDPR – Understanding and Securing your School’s Data


Following on from my recent blog, “GDPR – What’s it all about and how does it affect Independent Schools” I’ve had requests from several schools asking for more information, so I thought it would be useful to elaborate on some of the issues that GDPR raises for Independent Schools.

I wanted to start by further exploring the importance of understanding what personal data you hold and where that confidential data is stored. Bear in mind personal data can be as simple as a pupil, teacher or parent’s name or email address.

This may sound like an odd topic, as I'm sure many of you are thinking you know exactly where all your school’s data is held. But do you really?

The scary reality nowadays is that your school’s precious data may already be widely scattered. Yes, some of it will certainly be residing (hopefully securely) on your in-house servers. But what about the proliferation of school, staff and pupil owned portable devices such as laptops, tablets and smartphones which now hold school data or emails? Or data that has been copied to removable media such as USB sticks? Or data that has been shared with business partners and other third-parties? Or copies of data taken for backup purposes?

Then there is the cloud. The cloud has revolutionised the way many schools store their data, but in doing so has also globalised the way data is stored, with many public cloud providers distributing data across servers worldwide in order to optimise costs.

So do you really know where all your data is held? And does it matter?

Well in terms of GDPR it certainly matters, as you need to be able to demonstrate that you are protecting your data and using it appropriately. The more widespread and less controlled your data is, the more vulnerable you leave your school to a breach of data security. So understanding what you have and where it is forms the first step towards compliance.

If, on reflection, you realise that your school’s data is already widely scattered, you may wish to bring it together in one secure, central repository in order to make it easier to control and manage. Luckily nowadays there are technologies that facilitate this; for example, we have built our very own EducateIT desktop platform for schools, an onsite private cloud solution that allows a school to bring together all its data in one secure, central, onsite repository, where the school and its authorised partners can access it securely wherever they are, without the source data ever leaving the security of the school. For other schools, where data is generally central but also resides on some mobile devices, we work to implement processes and technologies to prevent data leakage and manage mobile devices.

Either way, it is paramount to put the school back in control of its data, knowing both where it is and who has access to it. This in turn needs to be documented, both so that the senior leadership team has an understanding of, and control over, its valuable data and also in order to provide documentation for compliance and audit purposes. This not only puts schools back in control of their data, but minimises the risk of a security breach and takes the first step towards preparing for GDPR compliance.

Once you have this understanding, the next step is to understand how you secure your data. This broadly falls into two categories – access control (effective security for authorised users) and cyber security (protection against unauthorised access).

Today I am going to talk about the former, as having good access control systems lies at the heart of successfully protecting your school’s data, and forms an important part of preparing your school’s information systems for GDPR compliance.

GDPR places accountability on schools to have in place policies, procedures and documentation that demonstrate the personal data they hold is stored securely. Bear in mind that schools hold a vast array of personal data, much of which is about children, whom the GDPR identifies as “vulnerable individuals” deserving of “special protection”, and it becomes clear that the legislation is likely to cover the vast majority of a school’s data.

Therefore, for each of your computer systems, it is important to understand, and have documented, who has access to that system and what level of access they have. Bear in mind that it is best practice to give each user the minimum access they require to the system. Allowing wider access to systems puts you at greater risk of a data security breach or data loss through incidents such as accidental deletion, a ransomware attack or malicious insider threats. As well as having SOPs in place to handle the ICT access control requirements of new starters, it is equally important that there are procedures in place to cover leavers (both pupils and staff) and what happens when somebody changes role within the school.

Password policies are always a bone of contention and an area where a fine balance needs to be struck. Policies that are too lax lead to easily guessable passwords, which may not demonstrate due care of data under GDPR. On the other hand, policies which demand highly complex, long passwords which change frequently may lead to dozens of forgotten passwords and/or the temptation to record passwords on sticky notes, which also certainly doesn’t demonstrate due care of data!

Nowadays, it is also likely that third parties such as freelancers, suppliers and of course parents will have access to some of your ICT systems or data. In this case this needs to be secured in just the same way, so you are clear who has access to what parts of the system, why this is needed and how it is controlled. There also need to be procedures in place to review, amend and remove access for third parties, as relationships evolve and change.

Mobile and remote working present a whole additional set of challenges to ICT security, with the potential for copies of data or emails to be residing on all kinds of devices, both school owned and personally owned, which do not necessarily conform to school security standards. So developing policies around mobile working and ensuring there is not leakage of data or unauthorised access to data form a critical part of compliance. Policies and technologies also need to be implemented to protect against data breaches from mobile devices that are lost or stolen.

Finally, bear in mind that it is not just your main school-wide IT systems that fall under the GDPR. Any indexed system that contains personal data is subject to the legislation, so do make sure you are also including in your access control procedures all those little databases or spreadsheets that have been developed by an individual or department and which contain personal data.

I hope this has given you a useful insight into some of the key areas to consider around readying your school for GDPR compliance. If you need help preparing for GDPR, or indeed with any element of your ICT system, please do not hesitate to contact me on 0330 002 0045 or email schools@entrustit.co.uk.