AUP, Your First Line of Defense.
Every new piece of technology comes with a population of individuals who will try to exploit it. Oftentimes, they aren’t prevented from their deeds until it is too late. Unfortunately, new technology often has no rules or regulations associated with it until it has “been out there a while”. In reality, this is a bit backwards; wait until a dangerous, damaging, or careless act has been committed, then create laws to prevent it from reoccuring.
When the automobile was first marketed to the public in 1886, there were no laws regarding its use. If you could afford to purchase an automobile, it was yours to do with what you wanted. It wasn’t until 1903 that the first city traffic code for New York was put into place. This was the first such traffic code in the world, nearly seventeen years later!
Fast forward to the year 1997, the year computers began to be heavily used in schools around the United States. Educators and administrators saw the potential behind using PC’s in their schools, but few realized the risks they opened themselves up to in doing so.
Case in point.
Skip to present day Pennsylvania. A high school secretary was just caught changing her daughter’s grades using the school’s computer system. Amazingly, this is an act she’s been doing unnoticed for the past four years. Administrator’s are just now realizing the damage that has been done to their school, but they still have no idea to what extent.
Caroline Maria McNeal of Huntingdon, Pennsylvania was recently caught tampering with the school’s grading database. For more than four years, Ms. McNeal has been increasing the grades of her daughter. She was also decreasing the grades of other students, to give her daughter an advantage.
The acts committed by Ms. McNeal are a serious breach of trust, not only between Ms. McNeal and her associates, but between the school district itself and its students. Every school district should be taking all possible measures to establish a strong security for its students, particularly where student grades are concerned. The large majority of student’s have no access to check their grades in a student database. This lends more to the fact that those in charge of the grading database, as well as the schools technology department, should be turning the schools network into an impenetrable fortress.
More disturbing is the way in which Ms. McNeal was caught. The situation was discovered only when an employee of the high school guidance office found that the SAT score she had listed for Ms. McNeal’s daughter was different than the one registered by the College Board.
The College Board reported a score of 1370, while the schools records showed a score of 1730.
It is not as if Ms. McNeal went through outrageous measures to access the school’s grading database. She simply asked her fellow co-workers for their passwords one by one. In each case, the secretaries saw little danger in trusting their fellow co-worker, and at times, the pretense was even helping out. Before long, she had accumulated quite an arsenal of vital passwords.
While Ms. McNeal now faces multiple third-degree felony counts and a fine of up to $15,000, the real culprit is the negligence and complacency shown by district personnel. That it took four years, and an offhand discovery of a discrepancy that led to the discovery, only shows the extent of false security and lack of monitoring the school experienced. No audit or system was in place by the district to catch such an infraction. It is the negligence of the school to not inform it’s staff and students of the safe practices of computing, and what was expected of them while using the districts computers. Certainly, Ms. McNeal is responsible for the wrong acts. But a district cannot abnegate their responsibility to oversee and protect its district and integrity.
Schools today implement what is called an “AUP” or an Acceptable Use Policy. An Acceptable Use Policy is a set of rules, often put forth by a network administrator, that restrict the ways in which the organizations (districts) computer networks or systems may be used.
A solid AUP should adequately convey the following:
- The most important points about what users are, and are not, allowed to do with the IT systems of a school district. It should also review safe computing practices.
- What penalties and sanctions will be applied if a user breaks the AUP.
- The method of regular audits that will be used to analyze the security of a systems network, as well as measure the effectiveness of the AUP policy.
Luckily, Ms. McNeals actions were discovered, and the grades were adjusted accordingly. But how many school’s have similiar situations taking place under their nose right now?
The best line of defense; a solid AUP which incorporates all of the topics discussed above. And of course, any policy is weightless without an effective training program to ensure that all personnel are informed and knowledgeble.
If you or your family member’s school does not have an AUP and an effective training program in place, I suggest you write your Superintendent to prevent the issues discussed in this article from happening in your neck of the woods.