The changing face of Data

Change never stops. There is always something else. Kyu Shin Do. Kaizen.

The latest thing I have a chance to work on, is to support schools as they get to grips with the changes that GDPR brings. But isn’t this another piece of red tape that will be a burden to schools? Well, yes, there are additional things schools will be obliged to do, but many things they should be doing already, if they are taking data protection and information handling seriously in the first place.

About 10 years ago I was sat on a working group for Becta, looking at Information Handling and Data Protection, and a lot of the advice was pretty full of common sense and those schools that picked it up, updated practices as further advice from the ICO was released and generally kept abreast of changes … well, for them the changes brought in by GDPR are an evolution, not a revolution … and this is important to remember.

Some improvements in processes; ensuring that you discuss with data processors about what they are doing with the data the school, as data controller, lets them process; having someone to have that oversight as Data Protection Officer; and so on … but these are all manageable with the right tools.

However, some schools are not up to speed. Some schools have only seen the scare headlines in some of the more sensationalist press (I won’t even link to them, they are that annoying and wrong). Some schools are being promised silver bullet solutions or are being told it will cost extortionate amounts of money to get the right experts in. In short, for some it is the Wild West.

It doesn’t need to be. There is good advice out there. There are people working to right the wrongs caused by these myths. The ICO has even started a series of blog posts around debunking these myths.

GDPR in Schools have already started to help schools understand their position and what they need to consider. They have developed a tool to help schools manage and record what data they handle, who and how it is processed and, possibly most importantly, why they are processing it. And this approach, to help schools fulfil a legal obligation in as simple a manner as possible, is one of the reasons why I am happy to announce I have joined GDPR in Schools as their Operations Manager.

Over the coming weeks we will discuss more around obligations, some of the legalities, some of the myths and how we need to make sure the dog is wagging the tail and not the other way around. We will continue discussions on EduGeek.net’s Data Protection & Information Handling sub-forum, join in discussions on LinkedIn and Twitter (#GDPRubbish can be an amusing yet illuminating hashtag to follow), and continue to publish advice through our blogs.

If you have any questions, please don’t hesitate to ask. Some questions can’t even be answered by DfE or ICO yet, but we will be there, on your behalf, asking the questions and pressing for answers.

https://youtu.be/sDZ5puggI2Q

DIGITAL PARENTING – TEACHING CHILDREN ABOUT TECHNOLOGY AND THE RISKS

(originally posted for Mobile Guardian)

We always welcome working with schools on eSafety, especially when it comes with supporting agencies and schools in their delivery of Get Safe Online. That is one reason why Tony Sheppard, our new Technology Manager, took a trip to Chesterfield last week as Chesterfield Safer Neighbourhood Team were invited into one of the local Junior Schools.

“Supporting the Get Safe Online programme is an important part in our role of providing tools to support technology in schools and ensure the same ethos of classroom management can be applied with or without mobile devices and stop technology being a barrier to learning by giving ownership and control to teachers where appropriate.”

It is not just about turning technology off or blocking inappropriate content, but also about helping schools, parents and children make appropriate decisions in the all-encompassing digital environment.

Whilst the Safer Neighbourhood Team covered the stats and facts, the laws and the wherefores, Tony talked about the difficult task parents face with connecting with their children about technology and the risks.

“When we talk about Digital Parenting, we are really just talking about Parenting. We have to remember that magic triangle for Parental Engagement.”

Parental Engagement Triangle

(Becta: Exploiting ICT for Parental Engagement, May 2008).

“For most parents the important area is dialogue between them and their children. When we think about where we get advice about parenting, in general, we have a large number of options for us. School, family, friends, local services (such as the library or community services), online … and from our children themselves. Remembering that Monday was World Mental Health Day, it is important to remember that listening is an important part of parenting.”

Childnet has produced a number of suggestions for conversation starters with children:

  • Ask your children to tell you about the sites they like to visit and what they enjoy doing online.
  • Ask them about how they stay safe online. What tips do they have for you, and where did they learn them? What is OK and not OK to share?
  • Ask them if they know where to go for help, where to find the safety advice, privacy settings and how to report or block on the services they use.
  • Encourage them to help. Perhaps they can show you how to do something better online or they might have a friend who would benefit from their help and support.
  • Think about how you use the internet as a family. What could you do to get more out of the internet together and further enjoy your lives online?

Childnet also provides an example of a Family Agreement that can be used to support the appropriate use of technology.

There are many scenarios around family use of technology, and we can look at these over the coming weeks, partly because there is often direct correlation between the struggles parents and their children have and the struggles with classroom management.

  • The Nag Factor
  • The Unexpected Gift
  • Always Switched On
  • Don’t Ever Switch It Off
  • Compromising Photo
  • But Just How Much Are You Costing Me?
  • The Packet Of Crisps

Once you have thought about what you want to do with technology, and how it is going to be used, only then do you think about what technical controls you need to put in place and who provides them.

The latest edition of Vodafone’s Digital Parenting magazine also provides a wide range of advice and information and the magazine is freely available to all schools.

With parents, they need to think about their Internet Service Provider, Mobile Provider, home networks (controls on the router for WiFi passwords, timed access, etc.), built-in tools (advice from Microsoft, Apple, etc.) and Commercial tools (covering timed access and location controls, web filtering, control which applications can be used, control installation / deletion / in-app purchases).

The same questions can be asked within schools and it is always best to be proactive about making sure the tools you choose match how you manage your classrooms and manage the learning.

At Mobile Guardian we provide a home MDM and parental dashboard, as standard, to all parents at school utilising our technology. That way parents can manage school and home owned devices – for free!

To find out more, ask your school about Mobile Guardian and follow us on Twitter to keep up to date with all our safeguarding tips.

Why Information Security Standards make sense to School Leaders

Having worked with Learning Possibilities as a client, a consultant and as a Project Manager, I still find myself relating almost all my activities to the following phrase, “What Would School Leaders Think?”

For most people in schools, awareness of Information Security standards is limited, and usually only heard about when talking about data protection or when they have been told that they can’t or shouldn’t do something, by their IT Manager, the Local Authority or a Governor.

In fact, most schools should be able to easily understand not just the importance of Information Security but how it is assessed at companies like Learning Possibilities, and that understanding is all down to thinking like OFSTED.

As with OFSTED visits to schools, companies certified to ISO27001 (the principal Information Security standard) will have regular audits and inspections from an external body.

As with OFSTED, Leadership is key. It is not about recording security incidents or how quickly they are dealt with, it is not about recording how well your backups run and it is not about recording the results of penetration testing. It is about looking at how Leadership set objectives, evaluate them and justify subsequent decisions.

Yes, there is record keeping. Yes, there are processes and procedures that have to be followed. Yes, there is regular training on Information Management, Information Security and Data Protection. Yes, there are issues and risks to be dealt with. However, these are there to provide evidence to Leadership and the quality of work is more important than ticking boxes on the 114 controls across 14 groups.

Internal audits are the book scrutiny sessions and staff observations. External audits are the OFSTED visits. The Information Security Management System contains your Statement of Applicability (let’s call it your SEF), your policies and procedures, your record of decisions, your Objectives and Measures (5 year plan?).

It goes on. There are so many similarities and helps show School Leaders that Learning Possibilities understands the impact of OFSTED, not just because of the educational impact, but because we have our own version to go through. We also know all too well about it being about key decisions, not just weighing the pig!

External audits are done each year, and you recertify after 3 years. Out of the 3 possible outcomes only the top outcome, which is effectively a 100% adherence to the standard, gets you the certificate.

What does this mean for our customers? Well, the standard is a way of showing both the importance of Information Security to us as a company across all our work, and also that we put in the time and effort on it, ensuring that it is part of our core ways of working.

So, after a 13 month programme of work we are more than pleased to say that we passed our External Audits for this year and have now been issued with our certificate, after coming through with flying colours, the equivalent of Outstanding.

I say a 13 month programme of work … we have already started on the work for the next 3 years, including the work on the international update of ISO 9001:2008 to ISO 9001:2015, the standard for Quality Management. Another opportunity for us to hold ourselves open to inspection against the highest possible standards.

Do we *REALLY* know how much is spent on IT?

A tweet was posted by @MSETCHELL yesterday (mattianuk on EduGeek) about being asked to work out the cost of the entire network.

This didn’t strike me as a strange request to be honest. It just seemed to be a standard pain-in-the-backside, paper-generating, unread-report-producing exercise … probably needed because of some arcane bid proposal which schools sometimes get involved in to try to squeeze money out of any available pot or group. It is worth saying that businesses do the same thing when applying for EU funds, regeneration funding, moving locations, etc … so it happens all over the place.

I replied that

I thought that would be fairly easy to generate? Have asset library with original costs, calculate depreciation, etc

But Matt said he had a full inventory but not purchase costs.

It struck me about this being another example of where silos exist in schools, this time between departments of support / admin staff rather than between curriculum departments.

It also made me wonder what do people record in their asset library? How do they maintain it? Who is the ultimate owner?

At Learning Possibilities, we work based on ISO27001 : 2013 (part of our standard of working for a variety of contracts, as well as best practice) and knowing your assets is vital, whether they are physical, intangible or information assets. Whilst the standard is over the top for most schools it does clearly align with standards such as the Framework for ICT Technical Support (A school friendly Service Management IT Management regime based on ITIL v2 and v3, with elements of other good practices from areas such as PRINCE2 and LEAN).

An asset library should not just be about the make, model, serial number and location of a physical piece of kit; it should include other relevant information too. When you install a network in a school you spend a certain amount on cabling … this is also an asset that is often missed. Is the cabling infrastructure in your school suitable for the next 5 years? Are you expected to go Gig to the desktop? PoE?

I’ll be posting a thread on EduGeek to discuss this in more detail about what could and should be recorded but I thought I would set out the basic principles here.

  1. All assets have an initial value (on purchase), a replacement value (how much it would cost to replace it based on whether you do like for like replacement or old for new) and a depreciated value (how much they are worth now with their value going down due to an agreed method … and there are a variety of methods).
  2. All assets have a set period of useful life. This might be set out when you purchase the device and be based on a variety of factors. Usually these will be the warranty and support periods for the product, how frequently it receives updates, an estimate on how long you think the functionality will fit your needs and so on.
  3. All assets should be associated with a purchase order, when a direct purchase was made.
  4. All assets should have an ‘owner’. This is the person who is responsible for them to the institute and not necessarily the person who manages them on a day to day basis. An example would be the MIS hold information about timetabling, personnel, students, etc but the SIRO is ultimately responsible. In the same way the iMacs being used in Music are ‘owned’ by the Network Manager, not the Head of Music.
  5. Assets have to be written off at some point in their life. This can only be done by an authorised member of staff.

There are probably more I could add, but this is a starting point for most people.

Some of the above information might be able to be held in the software you use for asset management. Some might already be held in other systems, such as the finance systems.

It will be up to each school whether there is any replication / duplication of the information held … and who updates the relevant asset libraries too.

From the above this should be enough so that the Head and BM can easily see what the value of the network is (in financial terms) and what the total direction is over a period of time, see what is about to be at end of supported life and what they need to replace like for like (in general terms).
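As an added illustration (not code from this blog or from any asset management product), the sketch below records the five principles for each asset and produces the figures a Head and BM would ask for: current value, what reaches end of life soon, and which records have gaps. Straight-line depreciation, the field names, the authorised write-off roles and the sample register are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption: roles allowed to authorise a write-off (principle 5).
AUTHORISED_TO_WRITE_OFF = {"Business Manager", "Headteacher"}

@dataclass
class Asset:
    tag: str
    description: str
    purchased: date
    initial_value: Optional[float]    # principle 1; None = cost never recorded
    replacement_value: float          # principle 1
    useful_life_years: int            # principle 2
    direct_purchase: bool             # principle 3 only applies when True
    purchase_order: Optional[str]
    owner: Optional[str]              # principle 4: the accountable role
    written_off_on: Optional[date] = None    # principle 5
    written_off_by: Optional[str] = None

def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:                # 29 February into a non-leap year
        return d.replace(year=d.year + years, day=28)

def end_of_life(asset):
    return add_years(asset.purchased, asset.useful_life_years)

def is_live(asset, as_of):
    return asset.written_off_on is None or asset.written_off_on > as_of

def depreciated_value(asset, as_of):
    """Straight-line value on as_of; None when the purchase cost is unknown."""
    if asset.initial_value is None:
        return None
    if not is_live(asset, as_of):
        return 0.0
    total = (end_of_life(asset) - asset.purchased).days
    if total <= 0:
        return 0.0
    used = min(max((as_of - asset.purchased).days, 0), total)
    return round(asset.initial_value * (1 - used / total), 2)

def record_gaps(asset):
    """List which of the five principles this record fails to evidence."""
    gaps = []
    if asset.initial_value is None:
        gaps.append("no purchase cost")
    if asset.useful_life_years <= 0:
        gaps.append("no useful life set")
    if asset.direct_purchase and not asset.purchase_order:
        gaps.append("no purchase order")
    if not asset.owner:
        gaps.append("no owner")
    if asset.written_off_on and asset.written_off_by not in AUTHORISED_TO_WRITE_OFF:
        gaps.append("write-off not authorised")
    return gaps

def network_summary(assets, as_of, horizon_years=1):
    """Figures for leadership: value now, replacements due, record gaps."""
    horizon = add_years(as_of, horizon_years)
    live = [a for a in assets if is_live(a, as_of)]
    values = [depreciated_value(a, as_of) for a in live]
    due = [a for a in live if end_of_life(a) <= horizon]
    return {
        "current_value": round(sum(v for v in values if v is not None), 2),
        "replace_within_horizon": [a.tag for a in due],
        "replacement_cost_due": sum(a.replacement_value for a in due),
        "gaps": {a.tag: record_gaps(a) for a in assets if record_gaps(a)},
    }

# Constructed sample register, not real data.
AS_OF = date(2016, 3, 1)
SAMPLE_REGISTER = [
    Asset("SW-001", "Core switch", date(2014, 9, 1), 4000.0, 4500.0, 5,
          True, "PO-1001", "Network Manager"),
    Asset("MAC-014", "iMac, Music", date(2012, 9, 1), 1200.0, 1300.0, 4,
          True, "PO-0877", "Network Manager"),
    Asset("CAB-001", "Structured cabling", date(2010, 8, 1), 20000.0, 25000.0,
          10, True, None, None),
    Asset("PRJ-003", "Donated projector", date(2009, 9, 1), None, 600.0, 5,
          False, None, "Network Manager", date(2015, 1, 10), "ICT Technician"),
]

if __name__ == "__main__":
    for key, value in network_summary(SAMPLE_REGISTER, AS_OF).items():
        print(key, "=", value)
```

The `gaps` output is the part that answers the situation in the tweet: an inventory can be complete on make, model and location and still be unable to produce a value because the purchase cost or purchase order lives in another system.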

Not only does this allow for SLT to plan, it helps them decide on whether maintaining a status quo with regards to IT is affordable or whether changes need to be considered on financial grounds. Changes on curriculum, or leadership grounds are a separate discussion, and that has a slightly different set of criteria and measurement.

There are plenty of ways you can check whether others you work with, as partners or suppliers, are following similar models … a basic tool for IT management. For us it is our work on ISO27001: 2013, but for others it could be ITIL v3 certification of staff, FITS certification, ISO/IEC 20000 certification. At Learning Possibilities we ask it of some of our partners and are happily reassured.

Have a chat with your own school to see who manages what areas of assets, how the Facilities Management team monitor and write things off, how the Business Manager controls what is put down as needing covering for insurance? See what standards they look at when working with others?

 

The College of Teaching – Thoughts from an Educationalist

I’ve never been one for being shy when I have had an opinion. This is a good and a bad thing. Because of my professional contacts and friendships, the areas where I have spoken out and some of the targets I have openly set people within the education sector some might be mistaken that I am a teacher.

I am not. I openly say that I am an Education Technologist. I’ve been a qualified coach (Judo, Ju-jitsu), a validated instructor and examiner for IT courses (aimed at IT Support staff and validated by the awarding body to instruct other instructors and examiners), a mentor dealing with the pastoral care of prisoners (soldiers) and a Play Leader (mainly specialising in working with children with special needs). I say this in the tone of talking about one of my favourite subjects (me!) and only so that my background and position is clear to those that may not know me that well.

This is related to the work by Claimyourcollege.org.uk, who have now published the proposal for start-up support for the College of Teaching.

The reaction from the teaching profession has been mixed.

Many are repeating the article from The Guardian, possibly as a show of support.

Andrew Old’s reaction is quite detailed and it seems a good number of folk agree about the proposal not being a good thing.

There are still those questioning political motives (3 main parties all *support* the idea), that it is just reinventing the wheel (isn’t there a National College of Teaching and Leadership?), that it has no real teeth or that it will fall short of membership targets.

For me, as an educationalist, it is a good proposal.

At the heart of it there is the recognition that the core of membership *has* to be practicing teachers, that this is recognised as a Chartered Status and that it has a collected approach to Professional Standards and Development.

The added bonus is that there is recognition that others also work in education. The idea of Chartered Teaching Assistant and Chartered Examination Officer sound good to me on paper, but I know they will be a long time in coming (if ever) and will be fought tooth and nail. As a start though, as soon as Chartered Teacher is in place I would expect professional recognition of any equivalent Chartered Status.

Why is this a passion for me? Simply put, it will help break down the two-tier mentality in many schools. There are many other organisations that have Royal Charters, and for IT Professionals working in education the most common one would be BCS, the Chartered Institute for IT Professionals. The days of getting chartered status and it being a lifelong right are gone with BCS. You have it for 3 years and have to be accredited again and again. Failing to adhere to the professional standards of BCS can see the status removed (and membership revoked) or simply the status is not renewed.

At this point I have to say the same should apply to Chartered Teacher status. Reapply after 3 years and prove you are worth it.

Some people will not like this idea as it attacks the comfort position that some teachers can get into, and the lack of unequivocal support from NASUWT makes me believe that this could be a problem down the line. But if people think about it for a minute … this helps to weed out those who have retired (more on this later), those who have left the classroom to become consultants, those working for commercial companies in sales/training/etc … and even SLT who have no timetable any more.

This is not too dissimilar to arguments against open membership to be honest, and a few folk have pointed out the gaps. There are those working with ITTs who deserve the same professional recognition, after all … they will be instilling the standards in new teachers … and I think the proposal covers that well enough now.

What about those who are outside the classroom but have years of good practice and knowledge to bring? Looking at other bodies, that is why you have Fellows. Often a more academic slant, this can allow noted members to stay in a recognised position within the membership without stepping on purist toes, as well as giving those with Chartered status something to aim for.

The other side of the proposal is that it gets rid of the idea of needing a Master’s degree, of teachers with an already busy workload being forced into the typing hell of poorly thought out Action Research and standardises the CPD needed for recognised status in a world where political targets shift things about.

My recommendation for the varied folk who read my blog, follow me on Twitter or occasionally listen to my rants is to work with the current proposal, accept that this is a long term investment (so some existing teachers might never see the full benefit but those new or in the middle phase of their career should) and be proactive in your involvement.

Those who follow me who won’t get Chartered Status do not panic. If you feel that there is never going to be a chance of being recognised within the membership of the College, then aim for chartered status elsewhere. IT Professionals should now be pressing BCS to recognise the specialisms required to work in the education sector, and get BCS to press for equal recognition of Chartered Status between bodies.

Other than teachers the next Chartered Status I can see coming from the College of Teaching will be for School Business Manager. This is already a well recognised role, releasing senior and middle leaders from a lot of administration so they can focus on teaching and learning. It covers a wide range of specialisms and has significant levels of accountability. To do the job properly you *have* to understand schools though.

So, there you have my thoughts.

The proposals are workable, need to be viewed in the long term, have to have some measure of accountability for Chartered Status and have to include recognition for equivalent statuses (in my opinion).

There’s many a slip twixt the cup and the lip

“You can please some of the people all of the time, you can please all of the people some of the time, but you can’t please all of the people all of the time.”
― John Lydgate

BETT always provides something to talk about and this year has been no different. Whether it is announcing to 500 people at a TeachMeet that you and your wife are having a baby (and using Skitch on the scan!) through to the content of some of the seminars on stands.

One of the final sessions today was on the Google stand by Dan Leighton, Director of Technology at The Grammar School in Leeds, where he was basically covering about change in tech in Education. His slide deck is available here.

And a quick note for reference, the Google stand was directly opposite the EduGeek stand (sponsored by Smoothwall).

And why is that important? Well, as someone with 11 years leading EdTech in schools, Dan covered a number of things but the one picked out by friends at EduGeek was that he put out a significant challenge that there are Network Managers who resist and block change, who say things don’t work when they can do and who even do things in a certain way to protect their jobs.

Ouch.

As an advocate for the professional identity of IT Support in schools several members shared the situation with me and I dutifully queried it via Twitter, challenging Google on the stance (as this is linked, to some extent, to the classroom in the cloud).

Google came back and said it was not their stance, apologised and then Twitter conversation sparked up around it.

Context is king here, and after discussing in Twitter it was clear that it was not the challenge about resistance to change but the fact that it appeared a swipe was taken at the whole profession.

The problem is… well… we *all* know the people described above. We have even done it ourselves at times.

Change is a difficult thing and to have someone not in our profession have a go at us for blocking it, well it won’t go down well.

However, there are always two sides. As a friend put it, a different lens. I caught up with Dan on Twitter and then via the phone and it is clear that the intended challenge was not aimed at all and sundry, that he has high regard for technical staff (having worked in data centres in product design) and that the large barriers are communication and understanding the other person’s perspective.

An apology on Twitter from Dan, and clarifying that he truly does see a good Network Manager as an amazing resource.

But in conversation with EduGeek friends it has become clear that a wider explanation is needed.

Having not seen the presentation or been in the Q&A I am having to sit on the fence between EduGeek and Dan.

Looking at the points complained about, that all NMs were tarred with the same brush of being blockers, that NMs lie about things not working and that NM resist change to protect their jobs … Dan and I discussed these in refreshing openness.

It was never Dan’s intent to tar everyone with the same brush, to upset or insult. Yes, the issue needed highlighting and if listeners thought it was covering everyone that was not the intent. Apologies have been offered and hopefully accepted.

The challenge that some Network Managers say things don’t work when they do? Yes, that is the case. I’ve done it and have seen plenty others do it. The context though is that this is shorthand for, “what you are asking for is technically feasible but has significant issues… from the resources (people) taken to set it up, the disruption to all other users, the cost, the reduction in functionality compared to what is already in place, it is not part of the 5 year IT development and maintenance plan…” and so on.

Without people effectively communicating, both sharing information and listening in an open manner, all people will hear is, “computer says no!” Moving to cloud services is not a simple change but that doesn’t mean it should not be looked at by all staff, evaluated and an appropriate decision made. If it is against the recommendations of the IT team and they still resist or refuse then that is a personnel issue, not technology.

Mordac, preventer of IT services was used to demonstrate this (from the Dilbert comic strip) and whilst that may be seen as harsh, most of us would have been viewed as that by others … either because we have not communicated or the others have not listened.

That some NMs resist change to protect their jobs? This is an extremely valid point and this is not something unique to IT in schools. What is sometimes not understood is that the job description any IT staff have is poor. That there is an expectation to know everything about everything with a plug. You have an established skill set based on what you do in the school, and you are paid accordingly.

Change that skill set, change what you do and your job changes. It is like asking a head of English who also coordinates literacy to become a main scale History teacher because literacy is now part of the Humanities focus. This has become evident through BSF managed services and the push of Single Status. In some places these have reduced experienced and highly skilled Network Managers to the equivalent position of a science technician or HLTA. This sort of change all depends on the Senior Leadership of the school, and those who value their staff will promote the flexibility of technology change but the security of job and terms. This is not to say schools might not get rid of people as tools change. In the same way the ICT curriculum changed and some teachers moved on or subjects no longer get taught, the same will happen for IT teams.

It is not unexpected that some, who have seen others damaged due to school choices, might be resistant and seek security. This is a personnel thing again.

The only way all this works together is by having Network Managers recognised for the expertise and professionalism they bring, Teachers recognised for the expertise and professionalism they bring, effective communication between all concerned and an understanding of how to manage change.

Dan’s presentation and challenge might have pressed some of the wrong buttons for some, but the follow up conversation should show how the challenge is needed for some, should be the norm for others and that no insult needs to be taken on either side if there is concern about the stance of either side.

Cloud Storage – update

This is still an ongoing discussion in several places and occasionally I get a prod to look at something and respond. In this case it was a thread on EduGeek (again) and so I responded.

Below is a version of what I posted (with typos / language corrections)

When considering the use of cloud storage there are a number of areas to consider. 

  1. Under the Data Protection Act the most relevant of the 8 principles is principle 7.

    Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

    In previous years the ICO has talked about reasonable steps, but they now make it clearer that it is ‘appropriate’ measures, and consideration of this has to be based on the type of data being stored / processed and the likely impact / damage should it be compromised.

    Translation? Before you decide where you can store things you have to consider what you are storing.

  2. When looking at cloud based storage you need to complete a risk assessment of what is being stored, where it is being stored (location of actual servers, company history, T&Cs, etc), what measures are being taken (technical and organisational) to protect it and what are the alternatives?

    In the past there has been lengthy discussion about the suitability of certain services. Google Apps, Microsoft’s Office365, Dropbox and so on. The principles above stay the same. The ICO talks about data being processed outside of the EEA, companies that have signed up to the Safe Harbor agreement between US and EU, advice on cloud computing in general and so on. The important differences between private cloud, community cloud and public cloud (and the resulting hybrid model that is possible with some use of all 3) should be considered here.

    Translation? Putting things in the cloud is fine, but you have to plan what you are doing and take care to make sure about the partner / service you are working with.

Previous conversations about the use of dropbox can be summarised in the following points

  • Do we know where the data is? Yes, we now know they use Amazon storage based in the US.
  • If the Data is outside of EEA can we still use them? DropBox have now signed Safe Harbor so there is nothing there stopping you anymore.
  • Is it safe? Yes, for a given value of ‘safe’ … the data when stored it is not so much how the data is transferred, or how it is stored when it gets there … more a case of how is access controlled. This takes us back to the ‘appropriate technical and organisational measures’ part of the DPA.

Now let’s look at what considerations should be taken for *any* cloud based service. This is not a definitive check list, but it is a darned good place to start from chatting with most folk.

  • Check where and how the data is stored.
  • Consider if it is within EEA or in US and with Safe Harbor signed. If it is with a US company who has signed Safe Harbor but there is no guarantee the data is held in EEA or US then you have to consider the locations where it is stored and the impact any local laws there may have (e.g. is it stored in Australia, Brazil, Thailand, etc and do any local laws mean data could be seized differently to if UK / EU / US laws were applied?) and how this affects you.
  • What are the guarantees around the company? Anyone can set up a service but do you trust the company? Have they passed any security audits? If they are a specific education company do you need to consider DRS checks?
  • Now the data is stored outside of the school what are the restrictions on access / processing? Technical? Organisational? What are your audit trails for this?

Bringing it back to DropBox again … the main concern here is how the data is accessed and cached on local drives. Is the account a ‘personal’ account that is being used? What guarantee is there that you can control the data should that personal account no longer have the right to access the data?

  • Scenario 1 – HoD needs data to be shared with teachers in her department. She has a DropBox account, as do others. She uploads a coursework logging spreadsheet into a shared folder and others access / complete it. A member of staff leaves so that access needs to be removed. Who removes it? As the service used is personal then it has to be the HoD? Is she aware of this?
  • Scenario 2 – HoD needs data to be shared with HoDs for other departments to target intervention children. The spreadsheet will contain reasons for intervention, including details of personal circumstances (which can include Sensitive, Personal Data). A member of staff is suspended due to allegations … how is that data then secured? The school has no oversight of the methods used to share the data and is reliant on all staff taking ownership of controlling data. The audit trail for this is horrendous!
  • Scenario 3 – The same data is being shared between HoDs. One HoD installs the client on their home computer which is used by all family members. At this point the school has no control over how the data is controlled. Guidance needs to be provided (using organisational measures rather than technical measures) but again, the audit trail on this is horrendous.
  • Scenario 4 – The same data is being shared between HoDs. One HoD installs the client on a personal mobile device. The device is then stolen. Is this a data breach? How was the device encrypted? Can it be remotely wiped?

The above scenarios would make most people shy away from using *any* cloud service … but actually, the ways of dealing with and mitigating the risk are pretty much the same as if you are using school hosted services.

  1. Make sure that your AUP for staff covers the use of cloud services and the personal responsibility that each member of staff has to ensure that they only share data by controllable means. The school needs to assess whether their staff have a good understanding of Data Protection and Information Management, and then they can choose appropriate training as well.
  2. Make sure staff understand what levels of data are being processed. DPA talks about two levels, Personal Data and Sensitive Personal Data. Becta also worked on the use of Business Impact Levels and the UK Govt still gives advice around this too. CESG has the specific information if needed.
  3. When using email make sure staff understand what sort of data can be shared on that service. Good practice is to store the data in a controlled location and email the link to it, rather than emailing the file around. This is also good practice for managing mailbox size too. Win-win!
  4. Where cloud storage and email are accessed on a device then make sure it is encrypted, secure and wipeable. For desktops the physical security is taken into account, for laptops the device encryption, but for mobile devices (phones / tablets) there is a strong level of importance on device encryption, a strong passphrase for access and the ability to remotely wipe. It might be that tablet devices need to have 3G access purely to allow them to be remotely wiped. Consider too the company position on how this is dealt with on personal devices (and the audit trail for verification).

So, back to the question. Can you use DropBox?
Yes … but make sure you consider the above 4 points, factor in the cost (both technical and organisational) for implementing it (and yes, that includes training, checking staff personal devices, etc), the politics involved (not usually dealt with by NMs but by SLT …) and the timescales involved.

Make sure that SLT know and understand that this is to do with the application of a Law within the school … and that you are not being negative or trying to stop people doing things …

Look at alternatives. Remote access to school systems, so that the data never leaves your walled garden, is very good but can get very expensive.

Instead of using personal tools, have a look at verified cloud based services. Some have no licence costs (O365) but you then get limitations on it being a free service, shared with others … and you have to factor in school staff time on it, and others have a cost but you then know that the service is backed up by SLAs, etc (declaration of interest … I do work for such a cloud-based service!).

I hope this covers off most of the areas you needed to look at, and answers some of the questions that might arise within the school too.

Categories
adventure Uncategorized

Personal post with a smile

Sites and services like FB can allow people to take strength from each other by sharing difficult times and happy times in their lives, so I thought I would add a happy one.

Having recently moved jobs, moved house with Martine Sheppard and our little J and dealing with the stress this can bring (and dealing with the fall out of possibly less than honest sellers!) I am also traveling 7+ hours a day at least twice a week to get into the office (essential at times when dealing with large scale projects) and my knee is giving me grief again. I know, I know … lose weight, light exercise, build up muscle strength and balance, etc … I am working on it.

This does mean that I am using my stick at times to get around. Partly to relieve the pressure on the leg and partly as protection to stop my leg getting bashed whilst crossing London.

And this is what restores a little bit more of my faith in human kind. A lot of us who have had to traverse London during rush hour have had good and bad journeys. The tube is busy and it is a fact of life. Yet, every time I get on the tube when using my stick there will be someone who offers me a seat. Since I only travel, at most, 4 stops before getting off and swapping to a different line there is actually little point in me sitting down but it really is appreciated. However, offerers always do it with a smile, usually a second look as if to say, “Are you sure?” and then another smile of acceptance. A smile in the morning or after a long day of work is a pleasure to experience.

I would consider making a log of how often this happens but I am terrible for things like that. I do think that it needs registering though, so all those who get a downer on human nature can think again.

Open to suggestions.

Anyway. I hope this also puts a smile on your face too … there are folk out there that are nice, helpful and for no apparent reason other than it is a good thing (TM).

Categories
adventure education Uncategorized

The Times They Are a-Changin’

Tomorrow (well, in the morning actually) will see my last day at work at Northants County Council. It has been an interesting few years, with a number of interesting projects and a chance to work with old friends and make plenty of new ones.

There has been good and bad along the way, and I am grateful for the opportunities I have had there, but with the direction things are taking it is only right that I move on (to bigger and better) and enjoy the future with my wife and our daughter as we move down south.

I only got involved with the LA because the school I was working at as Director of IT was a pretty vocal school. We had moved over to the RBC for our internet connection as a political move to be closer to the inner workings of the LA to allow us to continue to bid for new buildings. We still ran most of our own services, we decided that the Standard Network Build was not a limiting bar but a platform to go well past (which we did on pretty much all occasions) and that we were happy to listen to the LA and RBC, but they had to listen to us too … and they did. Eventually we were told to put up or shut up … get involved with the changes or get what we were given. A working party for the procurement of the new RBC contract followed by similar for a Learning Platform, then a secondment for a day a week to help roll things out, then some extra days, then a year … and then a permanent post.

I was allowed a fair bit of freedom to continue to get involved in other groups and work with different communities so I got the best of all worlds.

We pump-primed many projects into schools and educational settings. The new RBC framework was designed to give flexibility and choice, and we helped schools by working with them on a decision-support toolkit … and whilst many moved away from the RBC they did so more informed … and they will make better decisions for it … and for some that will mean moving back to the RBC now they have realised what they had to start with and now they feel there is no political pressure about doing what the LA says. Some won’t but that is fine by me as long as they do what is in the best interests of their learners and other learners in the county.

We worked to roll-out a county-wide learning platform … and many schools have come to realise that a blog is a blog, a wiki is a wiki, a discussion is a discussion and a document repository is just that. It is how you join it together, support the use in the classroom and collaborate within the school and between schools that makes the difference. Working with people that can do this makes all the difference.

That is why I still look on with wonder at the work for Tom Rees and Peter Ford … their able recruits … because the work of NorthantsBLT is integral to this ethos and has improved so much of what goes on in our schools. The Mobile Tech Toolkit was an interesting way of getting schools sharing ideas and resources.

However, working with the technical folk across the county has been my biggest pleasure. I am a geek at heart … even if I have gone to the dark side and become manglement … and then onto project management. Seeing schools getting staff trained in FITS, helping schools appoint new Network Managers, seeing the profile of support staff in schools grow so that they are recognised as valuable contributors to the school … that has been a pleasure. Working with them on Security Analysis of their systems, seeing the local NetworkNorthants community be taken over by the schools themselves … wonderful.

Being able to ring a few up and point out that they have made stupid change requests is also fun, and I promise not to mention anyone by name when doing any after-dinner speaking later on in life. Most of you know who you are and have also laughed when I have told you the silly things I used to do when working in a school too. Thank you for your patience when dealing with someone who *isn’t* a hands-on techie anymore.

I leave a team at the LA which is slowly going. LAs restructure all the time and they have to do so to reflect the needs of customers, the direction for central Govt and the available funds, no matter where they come from. I am sad to see such a thriving hive of ideas and expertise diminish … and have enjoyed working with pretty much everyone at the LA.

Good luck to those still in LAs, who work closely with LAs and those who still rely on the essential services many LAs can (and do) give.

I will be working for LearningPossibilities as of 1st April (no … don’t laugh), primarily on the Hwb project in Wales. It is another exciting project and the work I have done on it so far fills me with hope that people still see the benefit of collaboration, planning, thinking of others and actually considering tech as a tool to plan for, make use of and not as a magic bullet, getting all starry-eyed about the shiny!!!

My blogging has been slow recently anyway and that is unlikely to change in the future. I will still talk about things that fill me with passion, and hopefully people will still read with equal interest.

Categories
adventure Conferences / shows education ict vision Uncategorized

Naace Impact Awards pt 2

It was quite a lovely shock to find that I won an award today.

Last year Naace took the brave step of introducing an award aimed at technical staff in schools. At the time, when speaking with some peers from the technical community, some expressed concern about how a “bunch of teachers and LA folk could ever work out how hard technicians and NMs work” and considering how difficult that can be within schools I can understand that a minority had some scepticism about it.

The award is an Impact Award, designed to see what impact you make on learning, and it is up to you to sell yourself against the criteria of “how do you make a difference in schools and with learners”… and that can be a daunting task. You are asked to measure what a difference keeping servers running makes, asked about why it is important to communicate about the services you help the school provide and how it can be used to support / deliver the curriculum, asked about the lengths you have gone to when making sure that the child with a visual impairment is not simply “catered for” but truly feels included due to assistive technology you provide, asked about how you work with teachers and SLT to generate ideas about emerging technologies or simply better use of existing tools, asked about business tools, asked about extra-curricular groups ranging from coding clubs through to bee-keeping … I can go on but you get the idea.

This year I was lucky to be nominated by a friend (a teachmeet legend) and since I am not in a school anymore I fell back to thinking about what I really do.

I work with and support communities of people. All those things above? That is what they do … day in, day out … and I am lucky enough to help some of them flesh out those ideas, give encouragement so they will go to meetings with SLT about their ideas, work with them to help come up with standards in schools … but most of all I am a part of these communities. I am a mere mortal without them.

Most of those shortlisted are regulars and contributors to these communities, whether via twitter or mainly via EduGeek.net. On the whole we should say that these communities have won the award for me (not false modesty but a true statement) …

So I dedicated my award to the communities … #ukedchat, TeachMeet, NetworkNorthants, NorthantsBLT … but most of all to EduGeek.net.

Next year I will be nominating someone from EduGeek.net … and this is not a challenge for folk to up their game, or any other manglement jargon, it is just to say that you all should keep doing what you are doing, hold your heads up high and be proud of the difference you make. It is recognised and I am thankful to Naace for recognising this.

Thank you all.