Protecting more than privacy in schools

Regulations protect privacy, but what about the overall cybersecurity of public schools that already function on limited resources?

Larger enterprises have the resources to not only afford the technology needed to grow in the digital age, but they also have the budget and manpower to build security into their overall ecosystems.

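Does the K-12 education sector have the same means? As the use of technology in public schools becomes more prevalent, could collecting more data increase cybersecurity risks for the K-12 sector?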

Earlier this fall, the Center for Data Innovation released a report, Building a Data-Driven Education System in the United States, in which they said 93 percent of teachers are regularly using digital tools to assist classroom instruction in some capacity.

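Researchers want to use this data to transform education; however, these escalating plans to use data collection to advance public education raise questions about the risks to schools.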

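Keith Lowry, senior vice president at Nuix USG, a global security intelligence company, said, "K-12 operates at the state and local level, and they will be individually responsible for protecting those infrastructures."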

Who then, at the state and local level, is thinking about security in education? "In general terms," said Lowry, "most people and organizations including government agencies are either turning a blind eye or are not technologically tuned in to the tremendous threat that happens to be at our doorstep in our digital world."

Security begins with administrators and leaders. Before schools start collecting this myriad data on students, they have to spend some time and write policies and work out processes and procedures to plan for an attack, but are they too late?

The reality is that schools do not currently operate without data.

Daniel Castro, director, Center for Data Innovation, said that in some ways the challenges in education aren’t too different from what you see in other industries. "We know there’s a lot of best practices from thinking about authentication to vulnerability testing, but school districts don't have to have all that expertise."

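Beyond cloud services, Castro said, much of the security will come from the vendors themselves. "Schools, districts, partners, and state governments can have oversight of different vendors so that when systems have security vulnerabilities, they are widely identified and distributed," Castro said.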

Being able to differentiate between secure and insecure products and having model clauses for cloud computing within the education sector are other ways to think about risk, said Castro, but "The solution can’t be each school needs to do X, Y, and Z. It has to be looking at how do you get vendors to secure the quality of their products?"

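Establishing a certification system for vendors to ensure a broad commitment to security, and getting the industry to agree on the same practices, is another solution that Castro said could be highly successful.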

"This has the potential to bring better standards to education," Castro said. "The other challenge is authentication, and that goes beyond education as well. Without it, there’s not much you can do on the security side. I’m not terribly optimistic that the US is going to solve it, but schools can put more pressure to resolve those challenges."

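Steve Ritter, chief product architect at Carnegie Learning, said that, unfortunately, regulations have not kept pace with technology. "FERPA is a very old law. Even for the most well-intentioned people, it is hard to map. It has this model where schools are providing data to third parties, but schools don't have the data and choose to send it to the vendor," Ritter said.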

There are two kinds of potential problems. One is technical security, including standard practices such as encryption so that data isn't sent unencrypted. The other is privacy protection in general.

Developing a common standard around how data is collected, for what purposes it is used, with whom it is shared, how it is stored, and how it is eliminated would help to bring everyone onto the same page because there seems to be some discrepancy over what kind of data has the greatest value.

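Ritter said, "Don't collect any information you don't need. Be careful about what you ask. If you are hacked, the consequences should be as minimal as possible."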

Koedinger, professor in the Human-Computer Interaction Institute at Carnegie Mellon's School of Computer Science, said, "If vendors are using the data to improve the curriculum, they don’t need to know who the students are. If the data is vigorously de-identified, eliminating record and demographic information, we might not have so much to worry about."

On the other hand, chief learning officer at Kaplan, Bror Saxberg, said, "There are ways to do rich analyses of large sets of data that anonymize and also protect identity of students while doing some very valuable work, which can lead you to understand how to personalize, but if the goal is to de-identify data, then don't collect data."

One way to address concerns is to limit access more tightly as the risk goes higher. "We have public data sets of K-12 student interactions that anybody can access because they are so de-identified," Koedinger said.

According to Koedinger, the National Academy of Education is starting to have these conversations, but there needs to be some way to get the word out to the schools that they should be putting pressure on the developers and vendors.

"The school should be demanding that security. A school could say to a vendor 'we will use your product, but only if you guarantee that the data you keep is fully de-identified'," Koedinger said.

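Having a clear data governance policy that establishes responsible data procedures will help mitigate risk. "Make sure you are clear about the permissions people must have to see, analyze, and download data, so that people don't end up putting all kinds of data in places it shouldn't be," Saxberg said.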

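The risk is that people do what is convenient and put data in places where it shouldn't be. "There is a lot of data security thinking that everyone in education should be considering and should be sensitive to, and a lot of people haven't thought about responsible data," Saxberg said.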

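As in most sectors, Ritter said, most people don't think about security until they have a problem. "The people in education who are doing this well are asking for detailed information about data privacy and security. They want to know how vendors collect and store data, what their policies are for correcting data, and whether they have a breach response policy."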

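At this point, when the vast majority of schools are already collecting large amounts of data, it isn't feasible to stop and pause in order to create policies and procedures. The best practice is to keep security in mind and take preventive steps before a major breach happens.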

This story, "Protecting more than privacy in schools," was originally published by CSO.
