Following on from my previous post regarding Teacher Assessed Grades (TAG) and cyber security, in my first post I focused on mitigation measures around avoiding possible data loss. In this post I would like to focus on the integrity of data rather than possible loss.
- Accidental changes made by users with access
- Deliberate changes made by users not authorised to make changes, such as students.
The are a couple of issues which could impact on the integrity of TAG data:
Dealing with these issues relies on a number of basic principles which ideally should already be in place.
Least Privilege Access
This refers to simply minimising the users which have access, including minimising those users who have write access over those with read only access. By limiting the permission level provided you therefore limit the users who may accidentally or deliberately make unauthorised changes and reduce the risk as a result.
Linked to the above it is important to fully understand which users have access to which data/systems, with this being routinely reviewed and adjusted to accommodate for staffing changes, role changes, etc.
A checking process
It is likely you will have a process for gathering the data, with this data then reviewed by Heads of Department before eventually going to Senior Leaders then the exam boards themselves. It is also important to have a review process to check that unauthorised changes havent occurred along the way and that the integrity of data is retained across the whole process, from collection to eventually supply to the exam boards.
Audit Trails
If we assume, that there is a reasonable likelihood of an accidental or deliberate unauthorised change, the next thing we need to be able to do is to is identify such changes including the user who performed them, and the changes they made. It is therefore important to consider if the solution we use to store our TAG data has the relevant audit capabilities, whether it is using the audit logs in your Management Information System (MIS) or version history in either Google Workspaces or Office 365.
Conclusion
Generally, when considering cyber security, the important thing is to identify the risks and then identify and employ appropriate mitigation measures. There is seldom a “solution” in terms of a product or configuration or setup which is perfect, however there is a solution appropriate to your context, your organisations view as to risk and risk appetite.
It is also important to note that the best approach is a layered approach. In this and my last post I havent mentioned the use of storage arrays, mirroring of servers and other approaches aimed at either ensuring business continuity or making recovery quick and hopefully easy. Although these options add to the complexity of the possible approaches, the key is once again to assess the risks in your school’s situation and context, and deploy the solutions which you believe best address these risks within the framework of a risk management strategy.
Technology and Learning