1 Understanding Your IT Environment

Basics

A school district provides numerous resources to staff and students. These include hardware such as:

  • laptop and desktop computers running different operating systems,
  • mobile devices like tablets and Chromebooks,
  • printers,
  • scanners,
  • whiteboards,
  • and many other devices that all need to connect to your network.

Then there are all the software applications and online resources that run on those devices, and of course, the network that you provide to support all these resources.

Additionally, staff, students, and visitors may bring their own devices and want to connect to your network while they are on one of your campuses, and staff and students may need remote access to your network to continue their work. Your IT Department has to know what devices are on your network (every single one, whether it’s a district-owned device or not), where those devices are, and what resources they are using. As the Center for Internet Security® states in its Critical Security Controls® (version 8), “Enterprises cannot defend what they do not know they have” (p. 8).

You should know the following terms:

  • Anti-virus software
  • Application whitelisting
  • DHCP logs
  • Inventory
  • Levels of access
  • Malware
  • Mobile Device Manager (MDM)
  • Multi-factor Authorization (MFA)
  • Network topology
  • OS deployment tools
  • Personally Identifiable Information (PII)
  • Standard operating procedures (SOP)
  • Switches and routers
  • System Center Configuration Manager (SCCM)    
  • Virtual Private Network (VPN)
  • Wireless controllers

Inventory and Control of Enterprise Assets

Inventory and Control of Enterprise Assets is the CIS (Center for Internet Security) Critical Security Control 01. Schools and districts must maintain an accurate inventory of the devices they provide to staff and students. Entry-level technicians often play a role in helping to maintain hardware and software inventories, including deploying and collecting devices from staff and students, imaging devices with approved software, and sometimes working with supporting systems, such as security, HVAC, and phone systems. You should know where to access your district’s hardware and software inventory and any standard operating procedures (SOP) that you may be required to follow to maintain it.

Your district may utilize multiple products depending on the types of devices that are supported. Your inventory may be managed through one or more of the following:

  • System Center Configuration Manager (SCCM) provides inventory and control of most computers.
  • Mobile Device Manager (MDM) provides inventory and control of mobile devices you own.
  • Microsoft Intune is a cloud-based management system that helps manage users, applications, and devices.
  • Google Workspace is used to manage Chromebooks and the suite of Google applications, like Gmail, Drive, Calendar and others.
  • Snipe-IT is an open-source asset management resource that is cloud hosted.

Inventory and Control of Software Assets

In addition to hardware, IT Departments can better protect their network and improve security by maintaining an accurate software inventory system. This is CIS Critical Security Control 02. Various open-source or for-fee products are available to help you maintain a software inventory, including mobile apps and online systems. Any approved software should be kept up to date so that attackers cannot exploit the vulnerabilities of outdated versions.

To better maintain the integrity and security of your network, most districts will limit staff and students from installing software or apps. Others may provide a secure method for staff to select from and install approved apps, such as a district online software center or other resource. To securely manage devices, IT staff often create images of the OS that contain only approved software for staff or students and that can be deployed on devices. There may be different images for different user types. These can then be loaded onto any district-owned devices using OS deployment tools, including an MDM for mobile devices.

Your district likely incorporates anti-virus software on its devices but can also use application whitelisting to ensure staff are using approved applications and websites. Applications not on the list, including malware (malicious software), can be prevented from running or installing themselves on devices and causing harm.

Teachers, especially, will hear about and find many different websites and apps they’d like to use from friends, colleagues, or simply by connecting with others online or at meetings. Just because a teacher finds a new application that may seem valuable doesn’t mean they should be able to install it or use it without some type of district review. 

Any resource used in the district should first be reviewed to understand how it works, how it is or isn’t similar to other district-supported resources, the types of data it collects, and whether and how it shares that data. Your district is legally required to protect some student data, including personally identifiable information (PII), when students are working online or with digital devices. The IT Department should be involved in the process used to review potential new resources that may be recommended by staff, both free and for-fee products. This process may also involve curriculum and instruction staff, media specialists, those in charge of adopting textbook materials, teachers, administrators, as well as the legal department.

Network Operations

Your network team should be able to quickly locate, identify, and control any device that connects to your network, whether on campus or remotely. They can obtain an inventory of devices that are connected at any one time by reviewing live data within switches and routers, wireless controllers, and DHCP logs. Additional resources are available to maintain historical records of devices that have accessed your network. While you may or may not be required to manage your network and the devices on it, you should understand your district’s basic network topology. You should be able to read any charts, diagrams, spreadsheets or tables that document your network and its resources in case you are called upon to support the network team. 
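
The comparison described above, as an added example that is not part of the original page or any district's tooling: this Python code checks a DHCP lease log against the hardware inventory by MAC address and reports devices that are on the network but not in the inventory, plus inventoried assets that never requested a lease. The CSV layouts, asset tags, hostnames, and addresses are constructed sample data and are assumptions; adapt the column names to your own exports.

```python
import csv
import io

# Constructed inventory export (sample data, not from any real district).
INVENTORY_CSV = """asset_tag,mac
LT-0042,A4:BB:6D:11:22:33
CB-0917,3c-28-6d-aa-bb-cc
PR-0003,00:1B:A9:0F:0E:0D
"""

# Constructed DHCP lease log; this column layout is an assumption.
DHCP_LOG_CSV = """date,time,ip,hostname,mac
2024-03-04,08:01:12,10.20.4.31,LT-0042,A4BB6D112233
2024-03-04,08:03:40,10.20.8.77,CB-0917,3C286DAABBCC
2024-03-04,08:15:02,10.20.8.90,android-5f2e,DE:AD:BE:EF:00:01
2024-03-04,09:30:55,10.20.8.91,android-5f2e,DE:AD:BE:EF:00:01
2024-03-04,10:12:09,10.20.4.55,,f0-9f-c2-10-20-30
"""


def normalize_mac(mac):
    """Reduce colon, dash, dot or bare notation to 12 uppercase hex digits."""
    digits = "".join(ch for ch in mac if ch not in ":-.").upper()
    if len(digits) != 12 or any(ch not in "0123456789ABCDEF" for ch in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def load_inventory(text):
    """Map normalized MAC -> asset tag."""
    return {normalize_mac(r["mac"]): r["asset_tag"]
            for r in csv.DictReader(io.StringIO(text))}


def reconcile(inventory, log_text):
    """Return (unknown, not_seen): leased MACs missing from the inventory,
    and inventory asset tags that never requested a lease."""
    seen = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        mac = normalize_mac(row["mac"])
        seen[mac] = {  # later rows overwrite earlier ones: keep the latest lease
            "ip": row["ip"],
            "hostname": row["hostname"] or "(none)",
            "last_seen": f"{row['date']} {row['time']}",
            # Locally administered bit set: likely a randomized (private) MAC,
            # so this device will not match an inventory record by MAC alone.
            "randomized": mac[1] in "26AE",
        }
    unknown = {m: d for m, d in seen.items() if m not in inventory}
    not_seen = sorted(t for m, t in inventory.items() if m not in seen)
    return unknown, not_seen
```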

Your network may be divided into separate networks that support the needs of different types of users. These users may be assigned different levels of access, such as a teacher versus a student, or a teacher versus staff that have access to confidential personnel or financial records. Some users may actually connect to a separate network, such as a guest network, that has limited access. Your district’s guest network should not allow guests using it to access internal devices, for example network printers. It may also have stronger security and filtering settings than the network staff have access to. You may be asked to test these restrictions on your guest network and you should understand how guests can access the network. Some guest networks have fairly open access, but others may require a guest account or agreeing to acceptable use on a network landing page. Know how your guest network operates and the services it does and should not provide.

When off-site, staff may need to access the resources on your network. While not necessary in all cases, some access to network resources may be necessary as teachers work on lesson plans or develop other materials. A Virtual Private Network (VPN) connection may be used to provide secure access to network resources to qualified users. VPN connections should require multi-factor authorization (MFA) to ensure only approved users are logging in. 

Here are additional resources you may find useful:

Complete the following task or self-assessment:

Find and review your district’s hardware and software inventory; work with others on your team to understand the SOP you must follow to help maintain it.

  • What controls does your district employ to maintain the integrity of your network and manage software?
  • Which of these fall under your job description?
  • If there are systems that you will be working with but have limited expertise, what resources are available to help you better understand how to use them effectively and efficiently? You may be able to find and complete online tutorials or review vendor support websites to increase your knowledge and skills.