Internet Filtering - Staff Access to Controversial categories

[GrumbleDook]

I'd add data protection to that list @GrumbleDook

I did stick it in as a specific bit (referring to File Sharing and Data Protection) but I am now tending to see that DPA, FoIA, Record Management, etc cover a variety of areas within Safeguarding, repetitional damage, etc ... consider the latter areas to be themes which take from key areas such as DPA, etc.

It all depends on the target audience and the best ways of getting information and concepts to them.

[Roberto]

I'm concerned that if we allow/endorse staff to use sites like the ones above then we literally won't know if they're being mis-used until something goes wrong.

All comes down to risk vs flexibility at the end of the day I guess...

Yes it does. If you allow staff to use memory sticks, I bet you don't subject them to a full body search each day to make sure they're not mis-using personal memory sticks to take confidential data off site. That's substantially the same as taking data off site via dropbox really, is it?

While there can be specific legal nuances in some cases, the issue is what they're doing, not how they're doing it. If your safeguarding procedures say that no student data should leave site then how it leaves site is less important than the fact that it has. This is a human resources issue, not a technical one.

[flyinghaggis]

Yes it does. If you allow staff to use memory sticks, I bet you don't subject them to a full body search each day to make sure they're not mis-using personal memory sticks to take confidential data off site. That's substantially the same as taking data off site via dropbox really, is it?

It's funny you should mention that actually as another staff member said the same about USB sticks which is a fair point. My response was that in an ideal world staff shouldn't really have to take school files off site. Going forward we should be looking at methods of staff being able to access school resources remotely rather than taking them off site or uploading them to other 3rd party websites. That way when staff leave they immediately lose access and sensitive/confidential data doesn't leave the premises.

We do have it written in our AUP that staff taking sensitive files off site on USB memory stick are expected to encrypt the contents but I suspect that very few people actually bother hence my concerns about them mis-using dropbox and other file sharing websites. Being practical blocking USB storage devices isn't something that's really feasbile so I suspect the answer to that one (and file sharing sites) might be to do something like making sure school files are stored in something like sharepoint rather than file shares so we can be more granular about what staff can do with confidential files (eg blocking printing, copying to USB, etc.)

[Roberto]

It's funny you should mention that actually as another staff member said the same about USB sticks which is a fair point. My response was that in an ideal world staff shouldn't really have to take school files off site. Going forward we should be looking at methods of staff being able to access school resources remotely rather than taking them off site or uploading them to other 3rd party websites. That way when staff leave they immediately lose access and sensitive/confidential data doesn't leave the premises.

We supply staff with a remote desktop service that's available over the internet from home for precisely this reason. Data files never needs to leave our site.

We do have it written in our AUP that staff taking sensitive files off site on USB memory stick are expected to encrypt the contents but I suspect that very few people actually bother hence my concerns about them mis-using dropbox and other file sharing websites. Blocking staff/pupils using USB storage is actually something that I think would be a good idea in future providing we can make sure they still have other means of accessing the data remotely.

It's not for me to say what the right answer is to this online vs. USB (or email attachment or whatever) issue. Just that you should be consistent; if you block dropbox because people might abuse it then you should block USB sticks because people might abuse them. The threat hasn't changed just because the method has.

[Geoff]

Do you have any sort of policies for BYOD such as USB sticks, phones, tablets, etc?

[flyinghaggis]

We supply staff with a remote desktop service that's available over the internet from home for precisely this reason. Data files never needs to leave our site.

It's not for me to say what the right answer is to this online vs. USB (or email attachment or whatever) issue. Just that you should be consistent; if you block dropbox because people might abuse it then you should block USB sticks because people might abuse them. The threat hasn't changed just because the method has.

We have remote access for staff as well via a similar method but there are always going to instances where staff claim they dont have an internet connection or compatible hardware/software at home to log into it.

I agee with you on the point about consistency. The whole USB stick/Dropbox scenario basically boils down the the same problem of how to secure school data hence my thoughts that trying to secure the files/data at source and educating staff on the risks will probably ultimately be far more effective than blocking access to USB sticks and file sharing websites.

[IrritableTech]

Someone once said to me, create policy that stops people losing their job, rather than stops them doing their job. Really important to remember that.

The technology or the social networks themselves are not bad, they are just sometimes used badly. It's usually a behaviour issue, not a technology one. I think that works for both sites that should be blocked, and ways of transporting data off site to be honest.

Training is key, backed up by a sensible, and workable policy.

[Roberto]

We have remote access for staff as well via a similar method but there are always going to instances where staff claim they dont have an internet connection or compatible hardware/software at home to log into it.

At this point, especially if what you had set up was what was agreed with your SLT as the one true way of doing things, I'd suggest that they enjoy the valuable learning experience on how you can't always get what you want. Our current RDP solution doesn't natively support mac clients which is a PITA for me personally as a Mac user, but that's the way the cookie crumbles.

I agee with you on the point about consistency. The whole USB stick/Dropbox scenario basically boils down the the same problem of how to secure school data hence my thoughts that trying to secure the files/data at source and educating staff on the risks will probably ultimately be far more effective than blocking access to USB sticks and file sharing websites.

I'd agree with that. It is a case of evaluating the risk v. reward as you stated earlier. It would be a shame to stop people being able to work on lesson plans or other innocent stuff how they want purely because of what someone else might do, and whether you put a ban/block into place or not, there's still a training issue as to why which for me suggests good quality training and a reasonably open stance are the way to go.

[elsiegee40]

You can have all the policies in in the world you like, but without training and regular refresher training they are useless.

Staff must understand the need to protect their personal identities, safeguarding risks and their obligations under the Data Protection Act.

The DPA training needs to thoroughly rub in the financial penalties to which they, personally, will be liable in the event of a breach.