Thread: Electronic Registration (a new one!) (MIS Systems, in Technical)
  1. #16

    broc
    When I came to my school almost 5 years ago we had two separate domains, one curriculum & one admin. A trust relationship had been established to allow SIMS access for teaching staff running on the curriculum domain to access SIMS (for Lesson monitor registration). Some admin staff and SMT had access to both domains and all regularly got confused about which they were accessing and for what reason, leading to all sorts of issues with data & document version control.

    When the Admin (SIMS) server died a horrible death 3 years ago (slowly cooked in a steel box) I took the opportunity to move everything onto a single domain; it was easy to do and has greatly simplified everyone's access. Correct use of permissions and 'access based enumeration' in Server 2003 provides as much security as we had before; as someone pointed out earlier the biggest risk to our data comes from the staff member who is casual about their password and/or cannot be bothered to lock their computer when leaving it unattended. This risk remains regardless of how many domains you have.

  2. #17

    I can see I've re-ignited a debate here.

    I can see the benefits of a single domain, but also like having the two which has just been highlighted in a recent 'security' incident here. A number of files and folders were renamed by someone with the Staff area of the Curriculum network. Obviously a pupil having access to a staff login. Not a major issue, but if it was access to the SIMS area.......

    I've run a script to expire all staff passwords on the curriculum network to ensure that all staff reset their passwords and will send out a gentle reminder that pupils are not to use their logins and must protect their passwords.

    As always, the weakest element here is the human element.

    Pete

  3. #18

    broc: "Correct use of permissions and 'access based enumeration' in Server 2003 provides as much security as we had before; as someone pointed out earlier the biggest risk to our data comes from the staff member who is casual about their password and/or cannot be bothered to lock their computer when leaving it unattended. This risk remains regardless of how many domains you have."
    Yes, 'Password' is a user level security risk and this is totally irrelevant to 'network based' security. It is no better than a front door key for your house with no other security measure.

    As a network manager we need to focus on network vulnerability to hacking. In Northern Europe and Australia the rules are simple - keep two segregated networks. Use of domains still means a 'flat network' is deployed and through IP level hackers can walk through domains!

    FragglePete: "I can see the benefits of a single domain, but also like having the two which has just been highlighted in a recent 'security' incident here. A number of files and folders were renamed by someone with the Staff area of the Curriculum network. Obviously a pupil having access to a staff login. Not a major issue, but if it was access to the SIMS area......."
    Well put! This is precisely why you should keep two isolated networks and only a "tunnel access" between Curriculum Network and Admin Network. All data security/civil liberty conscientious Northern Europeans and Australians do.

    With 'tunnel access' restriction in place, even with a password no one on Curriculum Network can access other files or a wide range of sensitive information on Admin Network. Only authorised "client software" can access strictly limited information, e.g. student attendance registration, behaviour and marks etc., as per the subject of this thread which you started.

    Finally ...
    FragglePete: "As always, the weakest element here is the human element."
    You do not need to leave it to the weakest element! A Network Manager's job is to remove just such risks!

  4. #19

    Quote: Originally posted by FragglePete
    Thanks for your replies. Glad I stumbled across this little forum!

    I've been seeing things about 'Web Parts' for SIMS; don't know if I'm barking up the wrong tree, but a web based solution that connects into SIMS where the teachers can access securely through a web browser would be ideal. Am I correct or incorrect in my assumption?

    Pete
    Pete,

    Firstly, please check my comments by speaking to Capita direct for updated information. I understand SIMS have webparts out already allowing various functions; in fact you can visit their site for a live demo site through SharePoint with the various webparts. This demo site has recently been updated so a little better than their first attempt.

    We have our own MOSS 2007 (SharePoint) VLE hosted internally. We are looking at getting the webparts very soon. This access can all be achieved via a browser. I think in Feb some time they will be offering profiles (SIMS pupil reports) and attainment info through this. I also understand the realtime reporting for parents can be gained from this route also... see http://news.bbc.co.uk/1/hi/education/7176741.stm

    As for the single and split networks, this is clearly a topic that will never have agreement.

    I can understand the most secure method is to keep networks apart, perhaps one step further may be to keep the servers in a steel container, locked, placed in a 20m deep hole and concrete the hole in, then put some nasty dogs on guard??? Some types of security can seem extreme for some but normal day tasks for others!

    I think given today's security available and the need to keep business efficient (we are here for the pupils, paid for by tax payers) merged networks are clearly being a more accepted choice! But we should not forget we must protect pupils too, that said we can only protect to a certain level - how many schools have at least one health and safety issue somewhere!! I put a bet we all have quite a few - known or unknown!!

    My personal choice is now to merge our networks, we can leave the leaking security risks to MOD laptops left in pubs and data disks lost in the post!!

    We need to merge the networks as we have so many tasks completed on both networks; a "tunnelling" approach would be such a mess to manage!! I think a well designed security structure and SIMS access rights will do the trick fine. I think, like someone pointed out, the networks are joined at the internet already anyhow - that's just a large network!!

  5. #20

    benIT: "We need to merge the networks as we have so many tasks completed on both networks; a "tunnelling" approach would be such a mess to manage!! I think a well designed security structure and SIMS access rights will do the trick fine. I think, like someone pointed out, the networks are joined at the internet already anyhow - that's just a large network!!"
    All of a sudden it appears as if the decision on 'flat networks' vs "isolated networks" has become a personal choice or throw of a dice. Far from it.

    As a network manager and school SMT one needs to make a decision on the basis of:
    1. Strict requirements to comply with the Data Protection Act by the schools
    2. Implied recommendation by DCSF/Becta to comply with BS7799 as data security standard
    3. Take a good look at existing guide for education establishment http://www.ucisa.ac.uk/ist/agree/
    4. Use your own professional judgment in protecting 'vulnerable part of community' (i.e. children) for any consequence of infringement of data security against them.

    And good luck.

  6. #21
    zag
    Separate networks are so 1990's

  7. #22

    localzuk
    Quote: Originally posted by Tiger
    All of a sudden it appears as if the decision on 'flat networks' vs "isolated networks" has become a personal choice or throw of a dice. Far from it.

    As a network manager and school SMT one needs to make a decision on the basis of:
    1. Strict requirements to comply with the Data Protection Act by the schools
    2. Implied recommendation by DCSF/Becta to comply with BS7799 as data security standard
    3. Take a good look at existing guide for education establishment http://www.ucisa.ac.uk/ist/agree/
    4. Use your own professional judgment in protecting 'vulnerable part of community' (i.e. children) for any consequence of infringement of data security against them.

    And good luck.
    Well, as our network is a 'standard build' following the specifications of our LEA, I would say that they have investigated the Data Protection Act and its needs. They decided that all Somerset schools should go single network, single domain. I would trust an LEA to make decisions, as they have a legal team who look into these things.

    On the electronic registers front, one thing you will need to look at is fire alarms. How will you enable registers to be taken in the case of an alarm going off?

  8. #23

    Ric_
    @Tiger: You have a fair point about the segregation of networks and you should probably make it impossible to see the sensitive data from computers that are used by pupils. However, if you put a tunnel in, you immediately bypass the efforts made by segregating. You would also not be able to follow all the newfangled plans to make information freely available to parents/guardians via the web.

    There will always be a trade-off between the extent to which you secure your data and the accessibility of that data. I think what people have been saying is that SMT and the IT management team must come to a decision that best suits the needs of the school whilst not exposing the school's data to any unnecessary security risks.

  9. #24
    JohnCondon (Location: Bromcom)
    As Tiger dropped my name into the conversation a couple of times I thought I'd best at least chip in a little bit.
    There are quite a few different ways to securely provide information access across Admin/Curriculum networks that do not involve merging the two domains.
    Our solution is but one method of implementation and wouldn't, as Ric_ mentioned, prevent you from utilising any other web portal for parental data sharing (this does of course wholly depend on 'what' you are using for said portal).
    A properly configured/developed/designed solution should fulfill your school needs without causing any undue increase in Admin workload. Ideally the whole thing should be, once implemented, effectively invisible to all but the highest level admin user. Our own cross network solution is, to the teaching staff, completely invisible and restricts access such that only those processes that are relevant to attendance registration are capable of utilising the 'tunnel'.

    Nothing is completely secure however and, as others have already said, any system is only as strong as its weakest link and this debate will go on and on and on..
    Last edited by JohnCondon; 14th February 2008 at 02:18 PM.

  10. #25

    Quote: Originally posted by Tiger
    All of a sudden it appears as if the decision on 'flat networks' vs "isolated networks" has become a personal choice or throw of a dice. Far from it.

    As a network manager and school SMT one needs to make a decision on the basis of:
    1. Strict requirements to comply with the Data Protection Act by the schools
    2. Implied recommendation by DCSF/Becta to comply with BS7799 as data security standard
    3. Take a good look at existing guide for education establishment http://www.ucisa.ac.uk/ist/agree/
    4. Use your own professional judgment in protecting 'vulnerable part of community' (i.e. children) for any consequence of infringement of data security against them.

    And good luck.
    Tiger,

    I certainly don't think split or single networks/domains should be a roll of the dice, but at the end of the day the choice (as per my job description) lies on my shoulders.

    As you rightly say, there are many sources of information that must be considered before making choices, but ultimately we may all look at that information in a different way - regardless of SMT or the like.

    We recently had a government audit team in school for a week solid, looking at the finest detail of school operations - finance, Disaster recovery plan etc. They were very thorough (we heard same stories from other schools in the area). My question is why would such an audit not reveal the single network being a problem? Furthermore, if dual networks are the government's advice, it would clearly be backed by all LEAs; the truth is it's not. I have worked for 3 LEAs - none of them had any advice to advise against, just that it's secure!!

  11. #26

    benIT: "We recently had a government audit team in school for a week solid, looking at the finest detail of school operations - finance, Disaster recovery plan etc. They were very thorough (we heard same stories from other schools in the area). My question is why would such an audit not reveal the single network being a problem?"
    I assume you are referring to Ofsted - yes? Aren't you giving too much credit to Ofsted's technical skill set for such a specialist area? Even on this forum technical specialists are having difficulty agreeing on the basic principles of the issues.

    I am not happy to repeat my reference to Northern Europeans and Australians but it appears that I have to. What goes against my grain is that what is not good enough for Northern Europeans as if should it be OK for Brits. For Civil Liberties and Data Security/Protection and Privacy Laws, just like Health Care and Health and Safety, in the UK we appear that we have to put up with the 2nd rate standards!! Despite excuses for lower cost, simplicity or flexibility, they simply do not allow 'flat networks' in schools due to high risks schools will have in data security breach - why would we allow this in the UK?

    It is up to Network Managers and SMT to aim at better because they we are responsible for complying to Data Protection Act in the schools and not DCSF or LA. Please check this with your Headteacher or Bursar.

    PLEASE CHECK IT OUT: DCSF's policy on Data Protection relies on schools' yearly returns which include declaration on BS7799 for Data Security. Then on DCSF passes the buck onto BECTA saying that BECTA is responsible for providing guidance to schools on IT Data Security. And yet BECTA guidelines on IT Infrastructures has no reference to BS7799 on Data Security. So if there is a breach, the buck stops with the school - i.e. Headteacher/Bursar and Network Manager.

    This is why many of us take Data Security and 'two network solution' so seriously.

  12. #27
    DMcCoy
    Quote: Originally posted by Tiger
    All of a sudden it appears as if the decision on 'flat networks' vs "isolated networks" has become a personal choice or throw of a dice. Far from it.

    As a network manager and school SMT one needs to make a decision on the basis of:
    1. Strict requirements to comply with the Data Protection Act by the schools
    2. Implied recommendation by DCSF/Becta to comply with BS7799 as data security standard
    3. Take a good look at existing guide for education establishment http://www.ucisa.ac.uk/ist/agree/
    4. Use your own professional judgment in protecting 'vulnerable part of community' (i.e. children) for any consequence of infringement of data security against them.

    And good luck.
    From the ucisa page "as a starting point from which to derive a set of policies appropriate to higher and further education."

    This means the documentation isn't aimed at most of us. I simply do not have the time or the money or staff to split networks in a totally secure way; the requirements placed on me by the school for what information they want available and where make it almost impossible.

    Taking MIS as an example, to use it for registration the teacher will require access to it in the classroom. Now you have introduced a weak point in the separation of networks: you have a terminal with access to the admin network within the classroom. I would also point out that parts of Bromcom are only authenticated using a quick NTLM check against a domain, so it doesn't ask for a username and password separately and of course also needs access to the admin domain in the classroom, as does SIMS.

    The government and Becta give out huge amounts of recommendations, which they faithfully ignore themselves too. We are often instructed to send our broken databases on a CD in the post for example.

  13. #28

    localzuk
    Quote: Originally posted by Tiger
    I assume you are referring to Ofsted - yes? Aren't you giving too much credit to Ofsted's technical skill set for such a specialist area? Even on this forum technical specialists are having difficulty agreeing on the basic principles of the issues.

    I am not happy to repeat my reference to Northern Europeans and Australians but it appears that I have to. What goes against my grain is that what is not good enough for Northern Europeans as if should it be OK for Brits. For Civil Liberties and Data Security/Protection and Privacy Laws, just like Health Care and Health and Safety, in the UK we appear that we have to put up with the 2nd rate standards!! Despite excuses for lower cost, simplicity or flexibility, they simply do not allow 'flat networks' in schools due to high risks schools will have in data security breach - why would we allow this in the UK?

    It is up to Network Managers and SMT to aim at better because they we are responsible for complying to Data Protection Act in the schools and not DCSF or LA. Please check this with your Headteacher or Bursar.

    PLEASE CHECK IT OUT: DCSF's policy on Data Protection relies on schools' yearly returns which include declaration on BS7799 for Data Security. Then on DCSF passes the buck onto BECTA saying that BECTA is responsible for providing guidance to schools on IT Data Security. And yet BECTA guidelines on IT Infrastructures has no reference to BS7799 on Data Security. So if there is a breach, the buck stops with the school - i.e. Headteacher/Bursar and Network Manager.

    This is why many of us take Data Security and 'two network solution' so seriously.
    The problem as I see it is this:

    Schools simply don't get the funding to maintain a separate network infrastructure. This would require 2 sets of switches, 2 sets of servers etc...

    What about physical security? Would your comments on BS7799 (which I might point out, pretty much no school in the UK will be fully compliant with) mean that cabinets based in classrooms themselves be non-compliant? As there is physical access to that room? If this is the case, our school simply would not have the space to have cabinets in locked store cupboards, so all cables would have to be rewired to a single place where the main cabinet is - at a cost around 100k. What about access to ports? Would there have to be some form of network access control in place also? Much of this technology is outside the reach of most schools - especially primaries.

    And what about teachers who simply leave their computers unattended with the MIS open? Or have such a session open and let a pupil use it for something? These are situations that happen regularly in schools across the country.

    Remember, the system is only as strong as its weakest link - the people using it. They *will* have their passwords written on post-it notes, or in their diaries. They will leave their machines unattended. Every school has policies outlining that this is against the rules, along with policies outlining many other rules - many of which are ignored by individual members of staff.

  14. #29

    Quote: Originally posted by localzuk
    The problem as I see it is this:

    Schools simply don't get the funding to maintain a separate network infrastructure. This would require 2 sets of switches, 2 sets of servers etc...

    What about physical security? Would your comments on BS7799 (which I might point out, pretty much no school in the UK will be fully compliant with) mean that cabinets based in classrooms themselves be non-compliant? As there is physical access to that room? If this is the case, our school simply would not have the space to have cabinets in locked store cupboards, so all cables would have to be rewired to a single place where the main cabinet is - at a cost around 100k. What about access to ports? Would there have to be some form of network access control in place also? Much of this technology is outside the reach of most schools - especially primaries.

    And what about teachers who simply leave their computers unattended with the MIS open? Or have such a session open and let a pupil use it for something? These are situations that happen regularly in schools across the country.

    Remember, the system is only as strong as its weakest link - the people using it. They *will* have their passwords written on post-it notes, or in their diaries. They will leave their machines unattended. Every school has policies outlining that this is against the rules, along with policies outlining many other rules - many of which are ignored by individual members of staff.
    I could not agree more, localzuk. Physical access is now a big news item for security; I have seen numerous articles about firms beefing up physical access, so much so banks often had more money lost from cash machines being pulled away from the wall by vans and chains than by network breaches (not including identity theft!)

    I think however Tiger has a good point, that in an ideal world we in the UK should not be such a pushover on being "politically correct" or accepting "less value", but in the real world, or today's world, we need to access everything from everywhere - this is what people are expecting more and more...... Example: .... How annoying is it when you cannot get mobile signal - we just expect it should always have one .... truth is we could walk to a phone box but we don't.... because we expect anytime anywhere access

    Back to my point, this is why networks are merged, this is why banks, NHS, Councils, Government, MI5, you name it, all have shared networks RING FENCED by security.... This is the solution for schools, in a nutshell - keep it secure to modern day standards, that's all there is to it!!! Then this provides access when users expect and need it!!!

  15. #30

    Well, this is turning into an interesting discussion.

    I've come from a MoD background where they still keep in place separate networks depending on the security level.

    Here, the networks aren't really separate, just two separate Domains existing on the same infrastructure. Either way does not bother me at present. Other Schools in this area are moving over to Single network structures, whereas I hear that some schools are wanting to get back to two networks.

    Anyway, the original topic of discussion was Electronic Registration, and with some more investigating I'm impressed with the SIMS Online Learning Gateway demonstration which really does what we need; Access to Electronic Registration via a web interface (ie. Sharepoint). We've still got to look at a mobile/off-line solution but this is looking promising.

    Let the debate continue..... ;-)

    Pete
