Security: protection of assets and information

In a previous post, I introduced the International Standards Organisation (ISO) standards for information security, ISO27001 and ISO27002, and highlighted the benefits of a best-practice approach to information security.

The standard includes a set of controls related to the protection of “organisational assets.”

The controls set out that all (information) assets should be on an inventory. As part of asset management, the SBM will have an inventory of assets for accounting purposes, and this will provide the accounting value of (what are probably) physical assets. However, the information security value may differ, and has to be assessed through a risk assessment. What would be the impact if this information were lost or made public? Regulatory and reputational risk must be included in your risk register or plan.

Information assets form a larger group than physical assets such as IT and communications hardware, though you should include these. You should also include all software, and of course all data whether stored online, offline, or in hard copy. Data will at least include all files, plans, documents, financial information, accounting information, and teaching materials. The Network Manager will provide information on how the IT systems are organised, where data is stored and how data is organised and used.

Each asset identified should have a designated owner, and should be subject to an acceptable use policy. It’s important to note that when an asset is assigned to an “owner” in this context, it does not mean the “owner” has property rights. The owner is accountable for the security of the assets which he or she “owns”.

The recommended approach is to assign assets not to named persons but to roles or parts of the organisation. This makes for clearer documentation and avoids information becoming out of date when persons change roles or leave the organisation. The ownership of information assets can then be linked to the documented roles and responsibilities. This has the added benefit of documenting the organisation.

It is not best practice to assign all IT hardware, software, and electronically stored data to the network manager (or equivalent) as owner. It is more effective to assign ownership of data to a departmental head or (senior) manager or member of SLT. This ownership should match with the person’s roles and responsibilities in two ways: firstly, ownership should be assigned to the role which uses or is best placed to manage the asset; and secondly, to a role with financial authority matching the value (and risk) of the asset.

For each information asset, there should be an approved policy setting out the acceptable use. The “owner” is accountable (and depending on the organisation, may be responsible) for making sure that the rules are fit for purpose, are documented, are reviewed and approved, and that the rules are communicated and are followed. The implementation of the acceptable use policy manages the risks to the information asset.

An example of acceptable use which should already be in place would be a policy that school IT equipment is not used to access inappropriate websites or for any use which might put the organisation at regulatory or reputational risk. The control might be implemented using firewalls or software which prevent and log such access.

In some cases, acceptable use will be determined by external organisations. Use of software, for example, will be subject to licensing arrangements. Examination papers will have to be controlled and used in a manner satisfactory to the Examination Boards.

Putting into effect “appropriate protection” for assets is a major step towards information security and managing risk. In a subsequent post, I will look at Information Classification, which works together with responsibility for assets.


Why projects fail

In 2003, the Parliamentary Office on Science and Technology issued a report on IT Projects, which included a list of eight common reasons why projects fail.

  1. Lack of clear link between the project and the organisation’s key strategic priorities, including agreed measures of success.
  2. Lack of clear senior management ownership and leadership.
  3. Lack of effective engagement with stakeholders.
  4. Lack of skills and proven approach to project management and risk management.
  5. Lack of understanding of and contact with the supply industry at senior levels in the organisation.
  6. Evaluation of proposals driven by initial price rather than long term value for money (especially securing delivery of business benefits).
  7. Too little attention to breaking development and implementation into manageable steps.
  8. Inadequate resources and skills to deliver the total delivery portfolio.

In April 2009, the National Audit Office published a report to explain the delays and cost increases in the National Offender Management Information System project (C-NOMIS), and reported that seven of the eight common reasons for failure could be identified. Clearly, not everyone had learned the lessons.

  1. Despite connections and overlap with a strategic Change Programme, the C-NOMIS project was effectively set up and run as a standalone project. As a result, the strategic programme was put at risk and the C-NOMIS project was subject to delay and cost increase. The lesson for the SBM is to make sure all projects and changes in the school are managed as part of a programme.
  2. The Senior Responsible Officer had little experience of major IT projects and insufficient time to play a full role in oversight of the project. Moreover, it was unclear which of two groups were accountable for the project. The lessons for the SBM are that project management is a learnt set of skills and techniques, and the SBM should make sure that there is a suitably experienced single accountable person or body with control over every project. 
  3. There was insufficient engagement with stakeholders, and no communications plan for the project to keep stakeholders informed on the progress of the project. The lessons for the SBM are self-evident. Always make sure that stakeholders have sufficient and appropriate opportunity and means to input ideas and information, and follow a clear plan for communicating project progress to all stakeholders.
  4. The project had to bring in contractors because of a lack of appropriate skills within the organisation, did not have the skills to keep financial control of the project, and did not manage risks: instead there was effectively “good-news” project reporting to the SRO. Lessons: make sure you know what you can deliver internally and what will have to be purchased when building the financial model and business case for the project. Manage project finances closely throughout the project. Build a risk management plan at project start-up and manage it carefully throughout the lifetime of the project.
  5. Costs were seriously underestimated in the original business case. There was no contingency in the project budget. Lessons: be rigorous in testing business cases and cost estimates. Build a risk management plan at project start-up and manage it carefully throughout the lifetime of the project. Estimate contingency.
  6. Existing contracts which constrained the project were not identified, and their risk to the project not managed. There was no evidence of assessment that suppliers could meet requirements. Lessons: Make sure you assess existing contracts carefully and update the project risk plan. Use a methodological approach to assess supplier proposals. Make sure the project requirements are documented and agreed. Document and agree quality measures for the project during initiation.
  7. The project made use of existing suppliers and did not evaluate alternative offerings. The chosen suppliers were not engaged in project meetings and communication broke down. Lessons: Make sure bids are competitive. Communicate, communicate, communicate. 

Project Management: someday, my Prince2 will ….

  • A project is a finite process with a definite start and end
  • Projects always need to be managed in order to be successful 
  • For genuine commitment to the project, all parties must be clear about why the project is needed, what it is intended to achieve, how the outcome is to be achieved, and what their responsibilities are in that achievement.  

I once worked for a company which measured the performance of its IT project managers on whether their projects were delivered on time and on budget. These are both valid business drivers and project measures, and project managers worked incredibly hard to meet these targets on behalf of the projects’ sponsors.

But all these projects were handed over with risks that there would be additional costs incurred after the projects closed. This is because the projects were not measured against Quality.

Time, Budget, and Quality sit at the three sides of the project management triangle. The point at which any project is measured as successful sits somewhere inside that triangle, and is a different point for every project. It depends on the relative importance of time, budget, and quality. When a project’s success is measured on two of the three, then you are effectively saying that the third can be set to null.

If the project has to be completed by a fixed date and there is no leeway (the opening ceremony of the Olympics, for example) then the success point is on the Time side of the triangle. If the project has to be completed by a fixed date and there is no leeway, and there is also a fixed Budget with no leeway, then the success point is at the angle where Time meets Budget, and Quality will have to give way. In this situation, the project team will have to look hard at Quality to see what can be removed to meet the unmovable date and budget. If your project was to build and install complex medical software which had to work within very narrow and precise limits to avoid putting patients at risk, you might expect that the success point would be on (or very close to) the Quality side.

There are a number of reasons why projects fail. One common cause of failure is that someone jumps into the delivery phase and starts ordering hardware and taking the walls down before the project has been Started-up and Initialised properly.

To reduce the probability of project failure, it is essential that a project management methodology is used to deliver the project. The right methodology is flexible and scalable; two of the characteristics of Prince2 and PMP. Using a best-practice approach will give you a better chance of success. One reason for this is that a methodology such as Prince2 will make you focus on control, and on getting clear agreement on what success will look like and how it will be measured. When projects are started in the middle, they typically just stop when budget or patience runs out, or when an unmanaged risk materialises and blocks the project. Getting agreement from all stakeholders as to what the project will deliver (to what level of an agreed definition of quality), how (including at what cost), and when it will start and finish must be done before any of the budget is spent (except what has been agreed for getting to this point).

In future posts, the SBM blog will guide you through the project stages. For now, the key questions you should always ask are:

  • Is this justified? (Does it fit in with the School’s business plan? Is it really needed?)
  • Is there a business case? (Does it fit in with the business plan and is the expenditure justified?)
  • What are the products? (What will be created or changed? How will we know the quality is sufficient?)
  • How will the project be controlled? (Who holds the budget? Who will manage the project? How will you manage risks? How will you manage changes to the project?)
  • Who are the stakeholders? (Who will be affected by the project?)

Is the Education sector a safe place to work?

For a number of years I worked for a company in the private sector which was proud of its Investors In People (IIP) awards. One of the principles of the IIP framework is

Taking action to improve the performance of the organisation

and the indicators that this principle is being met include

  • Managers are effective in leading, managing and developing people.
  • People’s contribution to the organisation is recognised and valued.
  • People are encouraged to take ownership and responsibility by being involved in decision-making.

What then, to make of this, from a summary of the Guardian Teacher Network survey?

A massive 90% complained of teacher bullying – nearly two-thirds cited bullying from senior management, just over half cited parents as the aggressors, 40% students and 35% colleagues.

Caveats, first of all. The survey sample was small (2,000) and may not be representative. The research was done by invitation to respond to the questionnaire. This wasn’t a randomised sample, and there are always doubts about data gathered via self-reporting questionnaires. Terminology (such as “bullying” or “senior management”) is not defined in the report, and may have been left to respondents’ interpretation. Finally, the survey was aimed at teachers, and excluded non-teaching staff. But even with these concerns about the research, the quotation does not read a lot better.

The findings in this paragraph are truly shocking.

Reflect on this. Nine out of ten teachers responded that they had been subjected to bullying, and of these nearly two-thirds alleged they had been (or were being) bullied by senior management. Put this another way: if this survey is to be believed, the management of schools is typically done by using intimidation. Bullying is not something which happens on one occasion and can then be set aside: once a manager uses bullying even once as a technique, then that manager is a bully.

The culture of an organisation is created by the senior management, and defined by how the senior management leads and manages. Little wonder, then, that over a third of respondents alleged bullying by colleagues. Some respondents, by inference, are being bullied – by colleagues and by senior management. Is this an environment where it is safe to work? Being bullied can contribute to loss of self-esteem, poor performance, and in the longer-term to stress-related illness. Bullying employees is unethical, unprofessional, and inefficient.

Is it just that teachers’ progress through subject leadership to SLT is done without being given the skills and techniques to lead and manage? Is there a culture of autocracy or even of cabals in school leadership? Why is governance (apparently) failing so badly? What values are being given by county council personnel management teams, and what support are they providing to teachers? Is the situation better or worse in academies, better or worse in the private sector?

On top of all this, over half of the respondents alleged bullying by parents and/or students. Employers should have zero tolerance of intimidation of staff by customers or the general public. Depending on the organisation’s culture, many teachers will recoil at the use of “customers” for students or even parents; but the point remains that employees should be protected by their employers (by their managers and leaders) from bullying.

This survey presents a number of issues for the SBM.

Firstly, what could or should you do if you yourself – as seems likely – are subjected to bullying by the Head Teacher or by colleagues? If you work in a maintained school, are you confident that you will have the support of the Council? The advice would seem to be to join a professional body or trades union, and to make sure you are briefed on employment law. Always keep notes.

Secondly, what will you do if you witness bullying by a Head Teacher or colleague? Does your school have an up-to-date, robust, approved whistle-blowing procedure?

Thirdly, how can you safeguard your staff from bullying by the teaching staff, parents, and students? What policies are in place, and what support will you receive from the SLT and Governors?

Fourthly, if you are considering working in the Education sector or if you have a friend or family member who is considering work in the Education sector, what advice do you give them? My recommendation based on this survey would be: Don’t.

Becoming Lean: Knowing waste when you see it

One of the SBM’s responsibilities is to make sure that the school is run as efficiently and effectively as possible within the budget constraints. Being able to identify waste is a very useful skill to develop.

You have to be absolutely clear in your own mind – and clear with others – that making processes efficient and cost-cutting are not the same thing. You can cut costs out of a business without making it more efficient; in fact, cost-cutting can even be counter-productive.

In process improvement terms, service “waste” is any activity which the customer wouldn’t pay for. So as you analyse the way the school does things, look for any of the following Seven Wasteful Sins. (I am indebted to Michael L. George)

  1. Over-processing. What is the level of quality which is required? Providing something which is better than needed is wasteful. Having an unnecessary level of approval or review is also wasteful.
  2. Unnecessary movement of material. Are data being moved about, either physically between offices or between computer systems? Are materials being handed from one staff member or office to another?
  3. Unnecessary movement of staff. Are staff walking around the site to access, handover, or store material? Do staff have to access too many computer applications (or even computers) to do their job? Are the computer applications efficient, or do staff have to key and re-key data?
  4. Is there work-in-process (WIP) sitting around? Look for piles of forms, pending emails, queues outside offices. Queues of people are a particularly bad sign … customers do not like to queue. Unnecessary levels of WIP could mean the processes are inefficient or there are insufficient resources to handle the work.
  5. Does work sit there waiting for the next action? Waiting time is where there is a time delay between the end of one process step and the start of the next.
  6. Defects. Are there errors in outputs which means they have to be re-done?
  7. Overproduction. Is the school producing too many letters, reports, school magazines …

As always, the people who know best where this waste is occurring are the people doing the job. Elimination of waste, like all process or quality improvement, is everyone’s responsibility; so it’s critical that staff are familiar with these types of risk and have the opportunity to suggest and implement improvements in the way they work.


Data Security and ISO27000

For an SBM accountable or responsible for the school’s data security, the BERR Information Security Breaches Survey gives a useful perspective on how, and how well, UK businesses have been addressing what can be a complex activity. The most recent report published is for 2008, and includes responses from the government, health and education sectors.

The report gives interesting clues as to whether organisations manage data security in a systematic way. The problem is that without a systematic approach security actions tend to be reactive rather than preventative, and security controls address the last security threat (vulnerability) but not the next one. The most efficient and effective approach is to implement an information security management system (ISMS), as specified by the international standards.

The detailed report reminds us that the British standard on information security (the 7799 standard) was first issued in the mid-1990s, and later revisions form the basis of the international standards organisation standards ISO 27001 and ISO 27002.

Yet, according to the ISBS survey, only about a fifth of respondents “were aware of the contents of” BS7799 (Fig 15).

Of those businesses which were aware, about 75% had either implemented it (fully or partially) or planned to in the next twelve months. Asked to respond on the biggest benefits of implementing BS 7799, the overall responses were (Fig 17):

  • Better business continuity (24%)
  • Better marketing (24%)
  • Greater efficiency (19%)
  • Improved or more consistent security controls (14%)
  • Better security awareness (10%)
  • Better risk management and reassurance for senior management (9%)

This implies that by using an ISMS to protect your school against security threats you will suffer less service disruption, be able to respond better to a disaster, improve your school’s image, manage costs better, be more consistent in the ways you protect against security threats, keep staff and students aware of security issues, and sleep better.

It’s helpful to compare these achieved benefits with the top five benefits used to justify (increased) security expenditure, and to identify which apply to your school. The top five justifications are (from Fig 24):

  • Protecting customer information
  • Protecting the organisation’s reputation
  • Maintaining data integrity
  • Business continuity in a disaster situation
  • Complying with laws and regulations

All of these apply to your school. Remember, an ISMS does not just apply to data held on computer systems, but to the whole organisation.

Achieving ISO 27000 certification is a significant and potentially costly task, not least because the school would need input from data security experts. But implementing a systematic approach to data security, and using an ISMS tailored to the school’s requirements is achievable and would be beneficial.

In future posts, I will show in more detail how this could be done. For now, here are some quick wins. Make sure:

  • a member of the SLT is made accountable for data security, and everyone knows who this is
  • the SLT agrees to actively support security within the school; sponsorship, or “buy-in”, from the top is a necessary condition for successful security management
  • data security is discussed at SLT and appropriate governance meetings (as part of risk management)
  • the school has an information security policy, which is reviewed regularly and, when approved, is published and communicated to all staff, all students, and relevant external parties
  • you review your suppliers, particularly any party handling data, and ask suppliers for a copy of their data security policy and any certification.

IT Management for SBM: creating a Service Catalogue

Service Level Management is a continuous improvement process for IT Service to bring the quality of IT Service in line with the school’s business and cost expectations.

It’s important not to forget those cost expectations. The ideal situation is to get the quality of service you need from the school’s IT for the budget you have agreed. To achieve this ideal balance, you will need to define the following:

  1. What services IT actually delivers to the school
  2. What level of service is needed for each of those services
  3. How much is available in the budget for each IT service

As ever, this information must be put in the context of the school’s self-assessment and business processes.

An up-to-date and accurate list of services (known in IT service management as a Service Catalogue) is a very useful piece of documentation. It will, for example, help the SBM to manage the Service Continuity Plan and Risk Management plan, provide a more practical understanding of staff roles and responsibilities, and make visible underpinning contracts. The network manager will get an improved understanding of how the systems are being used, and be challenged to document the relationship between the IT Systems and the services. A Service Catalogue will also promote discussion on the services being provided, and how services should be prioritised.

The best place to start on the Service Catalogue is with the customers: the staff, parents, governors and any other stakeholders who use the IT services. It’s important to consult sensitively during this exercise: people can get defensive when asked about what they do, and how, but are almost always happy to suggest how they could do their work better.

It’s also important to manage expectations when you let it be known you are seeking ways to improve IT services. Remember, satisfaction = expectation – perception!

During this discovery exercise, the SBM should put together a description and identify possible key targets. This should include:

  • who the customers of the service are (admin staff, teaching staff, governors, parents, SLT …)
  • when the service is normally required (what times of day, which days, how frequently)
  • whether an extension to those hours may be needed
  • special usage – school holidays and public holidays
  • whether the service has a built-in calendar (such as period closing dates, reporting dates)
  • what the impact is if the IT systems are not working during the normal service hours (“unavailability”)
  • how reliable the service is (how often it is taken down for maintenance, or fails and needs repair)
  • what throughput is likely (how many concurrent users and how many transactions)
  • during what hours the system is supported
  • whether an extension to support hours may be needed
  • service continuity: what this service would look like in a disaster situation, and how quickly it would need to be restored
  • what the charges are, if it is a bought-in service
  • what the customer’s responsibilities are (such as changing passwords, storing data in the correct place)
  • what levels of security are required of the service (does it include sensitive or confidential data?)

There is one other key target which can be particularly tricky, and that is response time. It’s probably fair to say that for anyone working at a computer, the response times can often be too slow. But there is a large element of perception about this. Unless your network manager can measure and report on response times, exclude them and use throughput instead: ask whether the operator(s) can get through their work in the time allowed.

In future posts, I will show how an SBM can use a Service Catalogue to improve service, reporting, disaster recovery and security. But here are some quick-wins:

  • Look for obvious mismatches. For example, do hours of support match hours of use?
  • Review the services against the school’s business plan and SEF. Is there anything not needed, or are there any obvious gaps? (for example, reports being printed which no-one uses or inputs to the SEF not being produced)
  • Review the Disaster Recovery Plan against the Service Catalogue. Is everything covered?
  • Is all sensitive and confidential data properly secured?

On being struck by a satellite

In the third week of September, 2011, parts of a communications satellite which had entered the Earth’s atmosphere struck the surface – according to reports – near Calgary, Alberta. What action would you have taken if a large part of this satellite had struck your school?

The answer will be in your Service Continuity / Disaster Recovery plan. Although you might – in fact, almost certainly will – argue that the probability of an object falling from orbit through the atmosphere and striking your property is so negligibly small as not to justify a separate entry on your Plan, there will be an entry on there against some other threat (such as fire or explosion) causing sudden and significant loss to a part of the school buildings and, sadly, causing injury or even loss of life. You will have planned for this.

The example demonstrates the type of risk which would fall within the scope of a Service Continuity/Disaster Recovery Plan. The plan is used for threats which could cause serious disruption to the school’s business, but which typically arise from events or actions outside of the school’s planned changes and development. It’s not the case that these risks all arise from events or actions outside of the school’s direct control, as the mention of fire or explosion (above) makes clear.

Scope is an important term, and one which these blogs will use frequently. It’s critical that the SLT (senior leadership team) and Governance agree the scope of the Service Continuity / Disaster Recovery Plan. The scope is not defined in the SFVS while The Academies’ Financial Handbook (2006) only includes specific references to “accounting facilities”, “financial data”, and “key computer held data”.

Under Section D Sub-section 23 of the SFVS, “Protecting public money”, maintained schools are asked the question,

Does the school have an appropriate business continuity or disaster recovery plan, including an up-to-date asset register and adequate insurance?

In the Annex on Risk Management The Academies Financial Handbook refers to disaster recovery as something to consider under Resilience in the Operational Risk category. Under the section on Computer Systems,

Disaster Recovery Plans should be in place to ensure the academy has a fall back position in the event of loss of accounting facilities or other key computer held data.

and under the responsibilities of the Finance Director,

The Finance Director should also prepare a disaster recovery plan in the event of loss of accounting facilities or financial data. This should link in with the annual assessment made by governors of the major risks to which the academy is exposed and the systems that have been put in place to mitigate those risks.

The school manifestly needs to protect much more than these. To agree the scope of Risk Management and Service Continuity, the SLT needs to have a clear description of all the services the school provides, its structure and how (through which processes) it provides these services, its direction, and its culture. In terms of what the school does, and how it is delivered, the SBM will need to set out which processes are critical and what the impacts would be if those services were to be disrupted.

If the last part of that satellite were to fall on your science labs now, what would be the impact and what would your Service Continuity Plan specify? How would the response be different if it were to fall on your own admin offices? In future blogs, I will draw on best-practice governance models to help you build and manage a robust Service Continuity Plan.

School Business Management and IT Governance

Information Technology Governance is as vital to the success of the delivery of IT services to schools as to any business, yet it is unlikely that many School Business Managers, school Network Managers, members of the school’s Senior Leadership Team (SLT) or School Governors have in-depth knowledge of what IT Governance is or the benefits it can bring.

The role of the School Business Manager is to support the Head Teacher and the Senior Leadership Team in managing and improving the administration of the school. The SBM has a diverse portfolio which typically includes business planning, financial management, office management, premises management and health and safety management.

The National Association of School Business Managers has set out the competencies of an SBM as being

  1. Managing Self and Personal Skills
  2. Providing Direction
  3. Facilitating Change
  4. Working with People
  5. Effective use of resources
  6. Achieving Results

and argues that SBMs “are responsible for ensuring school services are effective, efficient and in line with probity and school governance requirements” and “enhance effectiveness by ensuring school resources are managed to deliver high standards of learning and achievement outcomes for the school(s).”

IT services have become critical to the successful delivery of educational aims and services, so it is unsurprising to find correspondences between the role and competencies of an SBM and the objectives of good IT Governance. SBMs will recognise the issues (if not the priority) in the following top ten, identified and ranked by over 100 CEOs by CIO Magazine. (Given the pace and scale of announcements from the Department of Education, perhaps numbers 4 and 6 might be promoted.)

  1. align IT strategy with business strategy and governance
  2. meet the business needs effectively
  3. infrastructure and service management (reliability)
  4. coping with change
  5. dealing with senior management
  6. managing costs, budgets, and resources (internal and external)
  7. keeping up with technology
  8. recruiting and retaining staff
  9. executing projects effectively
  10. maintaining skills and knowledge

To add complexity, the IT sector itself is changing rapidly with new technologies and services (see 7 above) built around, for example, mobile computing, cloud computing, and virtualisation. This will challenge SBMs to execute the projects which deliver the changes to new technologies which are aligned with the school business plan and meet the business needs, while managing costs and budgets.

There exists a well-used set of IT Governance frameworks that should be used to achieve these goals. It is in this context that the mission of this blog is to help SBMs improve their competency and deliver outstanding service for their schools.