With homeland security on everybody’s mind these days, it is not surprising that schools have been taking stock of their security systems and emergency readiness. The U.S. Department of Homeland Security and the American Red Cross have provided widely distributed guidelines for schools, but many schools are seeking their own new and improved ways of maintaining the safety of staff and students.
While protecting the safety of children is an imperative burned into the mind of every responsible adult, not everyone in this world shares these sentiments—least of all those who would threaten the safety of schoolchildren or the security of educational establishments. Keenly aware of their responsibilities, school security professionals have been examining—and re-examining—their existing network security and emergency planning preparedness. And from radio frequency telephones to off-site data storage and computerized security cameras, schools are embracing new ways of meeting the security requirements of our modern world.
In Maryland and Texas, school administrators are gathering resources to confront possible emergencies. By coordinating with several agencies, schools can be ready to protect students and staff in these uncertain times.
“International events have definitely put new security concerns on the radar screen,” says John Q. Porter, CIO of Montgomery County Public Schools (MCPS) in Rockville, Md. “Over the past year and a half, there has been heightened awareness of the importance of school security and the necessity for innovative solutions to security problems.”
MCPS has chosen a radio frequency-based telephone system manufactured by Nextel Communications for use in emergencies. “Our telephone network was completely overwhelmed on September 11th, 2001,” Porter explains. “The network was so saturated that we were unable to make outgoing calls. That reinforced for us that the more ways we have to communicate, such as radio phones, the better we will be able to remain calm and focused in the event of an emergency.”
MCPS were early adopters of the technology, and their relationship with the company was a significant factor in MCPS negotiating an attractive price for the equipment. There is one phone in the administrative office of every district school. The company even donated some phones during the early testing phase. A monthly charge based on usage is the only recurring equipment cost.
These phones allow calls to be broadcast globally (that is, to all users in the network), or to particular groups or individuals. This ensures that an effective information flow is maintained even if some links in the chain are temporarily unavailable.
“We chose a phone that operates on a radio frequency, not just because it represented a cost-effective option for us, but because we will be able to depend on it in the event that the local telephone system goes down”, Porter says.
Nextel phones are a key element of MCPS’ Incident Command System, a complex network of information channels designed to spring into action in the event of an emergency. If there is an incident, MCPS will rely on this technology for the exchange of information between schools and agencies at the county level.
“Testing and training have been extensive,” Porter says. “Each phone is tested daily, and features like global broadcast are tested at least every two weeks to measure response times and the efficiency of the established information channels.”
“Federal government has raised our awareness of homeland security issues, and that has helped us to improve our security procedures,” Porter observes. “Our close proximity to Washington, D.C. has heightened our awareness of the importance of excellent security planning.”
“Continuous auditing is essential,” Porter says of MCPS’ security system. “A detailed audit every six months will help you build a better system.”
The auditing is extensive. It examines computer security attributes, including authentication, access control and audit trails; and network security attributes, from encryption, message authentication and alarms through event reporting.
The upward curve is evident: A 2001 audit, for example, showed weaknesses in internal security that left the system open to potential attack. A subsequent audit identified poor background documentation as an obstacle to the development of efficient security strategies by MCPS staff.
By August 2002 however, an audit carried out by BAE Systems to examine the MCPS’ security program and practices, awarded the school system a cumulative score of B+/A-. The assessment included a review of MCPS’ security policies, security architecture, continuity, security capital planning, critical infrastructure, and security program planning and management. A B+/A- score means MCPS meets or exceeds the generally accepted standards for safeguarding information technology assets.
Then, in March 2003, the U.S. Department of Education (ED) and the U.S. Department of Homeland Security showcased a new federal initiative to help schools with emergency preparedness for potential terrorist attacks at Montgomery Blair High School in the MCPS District.
The MCPS District is now cited on the ED Web site as one of three schools nationwide engaged in “Promising Practices in School Emergency Response.” It is evident that rigorous audits and careful planning paved the way for MCPS’ rise to national pre-eminence in school security. This attention to detail will ensure MCPS does not fall behind its own high standards anytime soon.
“You can never be too secure,” Porter says. “You can never do too much to protect your networks against the sinister people out there who will try and attack your system. When it comes to emergency response and technology, exhaustive planning is the key. Then you should practice the emergency response plan, create drills. Some of these drills should be unannounced and involve different scenarios.”
Montgomery County’s school system is the 18th largest and the 12th fastest growing in the United States. Montgomery County’s 191 schools—29 of which are National Blue Ribbon schools—serve roughly 138,000 students, with in excess of 10,500 teachers instructing students from more than 161 countries.
Other school districts are working with federal agencies to develop security plans.
Dr. Richard Griffin is a consultant for School Governance and Executive Leadership to the Harris County Department of Education (HCDE) in Houston, Texas, and a former superintendent of the Harris County School District (HCSD).
“The response to homeland security concerns in our district has been phenomenal,” Griffin says. “The Center for Safe and Secure Schools and other initiatives provide a framework for developing awareness and effective policies and procedures among educators, administrators and others with a role in school security.”
“All agencies have bent over backward to help us,” Griffin observes. “During last year’s anthrax scare, for example, the federal government sent out one of America’s foremost experts on anthrax to talk to us. This kind of coordination is extremely positive.”
Meetings of the HCDE Governing Board have quadrupled in frequency over the past 12 months, and an extensive range of security topics are discussed. “At our next meeting, for example, we will be discussing smallpox,” Griffin explains. “If there is even just one case of smallpox anywhere in the Houston area, schools will be used as clinics. So, it is vitally important that we have a strategy in place to deal with such an eventuality.”
Griffin emphasizes the importance of open discussion of security issues: “Monthly meetings of the Superintendent’s Institute regularly involve security discussions in a candid environment. At these meetings, expert speakers deliver lectures on specialist topics, including security, and the candid atmosphere aids frank and open discussion of any security concerns our superintendents may have.”
“We are in regular contact with the FBI, the Secret Service, Houston Police, medical experts and psychologists,” Griffin says. Not content to rely on security programs developed solely by schools, Harris County has learned from security experts in business and industry, experts that bring extra insight to security strategy development. The HCSD and HCDE have also communicated with experts from Houston’s massive petrochemical industry to put procedures in place in the event of an emergency.
Griffin speaks enthusiastically about rigorous security evaluations at schools: “We measure schools against a checklist of 200 items, and we send out teams that include police officers, FBI and education specialists to examine the school’s security system.”
Technology levels are high in Houston schools. Spring Independent School District (ISD)—with around 30,000 students—have a computerized camera system in place that is linked to the Spring ISD Police Department. If there is an incident on school premises, police can see the camera feed live on their PCs.
Citing the Cypress-Fairbanks Independent School District as an example, Griffin explains that an ideal data backup and storage policy will include off-site storage. Cypress-Fairbanks back up their data tapes nightly and then forward them to a “hotspot,” a secure, off-site location capable of acting as a centralized backup locus. “Most schools have not implemented such a system,” Griffin observes. He recommends that they do so.
Another Texas school district has begun using security cameras as part of the safety measures they are taking.
“The Columbine tragedy is what really got schools working toward improving their in-house security systems,” says Alan Bragg, chief of police of the Spring ISD Police Department. “For me, everything that happened on 9/11 just emphasized it more and brought it closer to home.”
Spring ISD uses analog and digital security cameras. Analog systems rely on dial-up to each camera via a 56K modem. Spring ISD bought the fiber-optic cable network that forms the foundation of their “always-on” digital camera system.
Twenty-four hours a day, Bragg’s staff monitor close to 500 cameras from 30 sites. They can monitor up to 64 live camera images simultaneously.
“We are getting to the point where we depend more and more on technology every day,” Bragg explains. “Every school we build in the future will be digital, and as funding permits, we’re going to convert all of our analog systems over to digital.”
Schools and school districts must establish a shared vocabulary among all agencies involved in security planning.
“We have found that a lack of common terminology has been an obstacle to communication between schools, emergency services, police and county authorities,” Griffin says. “So, we have been working hard in this district to develop a code of common language so that the various bodies involved in dealing with emergencies understand each other.”
Understanding each other, working together, being unafraid to return again and again to the minutiae of security planning as you work with several agencies simultaneously—with these imperatives in mind, we can protect our educational institutions from the violent excesses of our brave new world and keep our schools safe for this and future generations.
• Does your school’s screening process include volunteers and maintenance workers?
Screening must be as universal as possible.
• Do outside contractors screen their employees at industry-standard level?
If they don’t, you don’t.
• Do you simply search criminal databases or do you perform courthouse searches?
Social Security number searches enable directed courthouse searching.
• Are your personnel files protected by a firewall or equivalent security technology?
A commonly identified weak link in the school security chain.
• Do your classroom Web sites give too much information about students or teachers?
Make personal data hard to find. Don’t put it on the Internet.
• How much of your school property could an intruder access before being apprehended?
Contact the FBI to discuss testing your school’s ability to apprehend intruders.
• Are your critical system components physically secure?
Critical system components should be secured behind locked doors.
• Do you audit your school’s security system in detail at least twice a year?
A security system that doesn’t require change is either incapable of improvement … or a sitting duck.
• Do you have any method of communication to fall back on if the telephone system goes down?
Radio frequency-based communication devices can back up your existing telephone system.
• Are your bus drivers equipped with two-way radios or cell phones?
Security does not end at the school gates.
Firewalls are used to restrict access to one network from another. The Cisco Pix restricts Internet users to only access the demilitarized zone (DMZ) to request services and information, and the Cisco Pix allows the internal user to conduct Internet Web searches and access MCPS applications and services.
Intrusion detection systems (IDS) are used to monitor a network. The Cisco IDS is used to monitor the incoming traffic prior to entering the firewall. This allows MCPS to access the types of traffic and types of attacks that may be affecting the MCPS network.
The RealSecure IDS is placed after the fire in front of the DMZ, in front of the internal network, and in front of the critical application servers and services. This allows MCPS to monitor any unauthorized activity accessing the network and application services.
The RealSecure host/server IDS monitors any unauthorized activity that occurs at the server level. This allows MCPS to actively respond to any malicious destruction or misuse of application and hardware.
IronMail provides a firewall and intrusion detection system for e-mail messaging. In addition, IronMail also prevents unsolicited e-mail (spam) and enforces e-mail policies.
BindView bv-Control software products provide systems configuration reporting on Windows, Novell and UNIX systems. This allows MCPS to maintain up-to-date services patches and ensure enforcement of configuration policies.
This is a firewall-independent scanner that easily plugs into virtually any existing network. This product screens and protects all e-mail traffic from e-mail-related viruses.
This product screens and protects all e-mail traffic from e-mail-related viruses on Microsoft Exchange servers.
This product screens and protects all e-mail and data viruses related to the desktop computers.
Percent of public schools using technologies/procedures to prevent student access to inappropriate material on the Internet on all computers with Internet access used by students.1
All public schools 98%
Less than 300 96%
300 to 999 99%
1,000 or more 98%
Urban Fringe 98%
Percentage minority enrollment4
Less than 6 percent 97%
6 to 20 percent 3100%
21 to 49 percent 99%
50 percent or more 98%
Percent of students eligible for free or reduced-price lunch5
Less than 35 percent 99%
35 to 49 percent 97%
50 to 74 percent 97%
75 percent or more 98%
1Percentages are based on 95 percent of public schools (99 percent with Internet access times 96 percent using technologies or procedures to prevent student access to inappropriate material on the Internet).
2 Data for combined schools are included in the totals and in analyses by other school characteristics, but are not shown separately.
3 In this case, the estimate fell between 99.5 percent and 100 percent and therefore was rounded to 100 percent.
4 Percent minority enrollment was not available for 31 schools.
5 Percent of students eligible for free or reduced-price school was not available for two schools.
Source: U.S. Department of Education, National Center for Education Statistics, Fast Response Survey System “Internet Access in U.S. Public Schools, Fall 2001,” FRSS 82.