CETPA - EdTech Journal - Fall 2018 by Association Outsource Services, Inc.

Shaping the Future of Education Through Technology 2018 | issue three

A CALIFORNIA EDUCATIONAL TECHNOLOGY PROFESSIONALS ASSOCIATION PUBLICATION

IT GOVERNANCE IN THE K-12 TECHNOLOGY WORLD

ITâ&#x20AC;&#x2122;S ABOUT THE HUMANS

DIVING INTO THE 2018 CETPA ANNUAL CONFERENCE SCHEDULE

As industry pioneers and constant innovators for over 20 years, Aeries has led the SIS industry with an expert team comprised of former school district employees that know and empathize with your challenges.

ENDPOINT MANAGEMENT MADE SIMPLE

Technology can have a significant, positive impact on learning, but only if teachers can control the technology - not the other way around. FileWave is a single management solution for apps, devices, and configurations for Mac, Windows, and mobile, giving IT the ability to proactively and automatically provision and maintain every device. And with FileWave Engage, teachers have a simple, intuitive way to manage their classroom needs, without becoming IT technicians themselves. For schools, FileWave increases visibility, reduces complexity, improves security, and enables learning. Multi-Platform Client Management

IT Asset Inventory

End-to-End Software Management

Mobile Device Management

Imaging and Deployment

Classroom Engagement

FREE TRIAL

LIVE DEMO

filewave.com

HUDDLE ROOMS

CLASSROOMS

CONFERENCE ROOMS

MEDIA LABS

COMMON AREAS

The Definitive Guide to Collaboration System Design Our new Collaboration Systems Design Guide shows how Extron technology can be used to create modern meeting spaces that facilitate collaboration. Our open systems architecture integrates easily with market-leading unified communications solutions, offering a one-touch user experience for conferencing, collaboration, and control. Through our technology partnerships, we can extend Extron control capabilities to spaces that use Zoom, Cisco, Logitech, and many other popular providers. In addition, we have the system design experience, critical customer support, and enterprise software solutions to help ensure your success.

Extron offers: • Complete collaboration solutions for any environment • Integration with leading UC technology providers • Room scheduling and AV resource management tools • Wired, wireless, and streaming AV platforms • Intuitive, intelligent, energy-saving systems • Industry-leading technology training and customer support

800.633.9876 • www.extron.com/collaboration

REQUEST YOUR COPY TODAY

c o n t e n t s Issue Three EdTech | 2018

PRESIDENT’S MESSAGE the mindful cto: effective leadership BY JULIE JUDD, ED.D

10 The EdTech Journal is the official publication of the California Educational Technology Professionals Association (CETPA). EdTech Journal is published twice a year as a service to our members and information technology managers across California’s K-12 and secondary education school systems. CETPA and the EdTech Journal assume no responsibility for the statements or opinions appearing in articles under an author’s name. The services of an attorney or accountant should be sought in legal and tax matters. All copyrights and trademarks are property of their respective owners. Except where otherwise noted, content in the EdTech Journal is licensed under a Creative Commons Attribution 3.0 License.

PUBLISHER California Educational Technology Professionals Association

PRESIDENT ELECT'S MESSAGE

it governance in the k-12 technology world BY LORRIE OWENS

EXECUTIVE DIRECTOR’S MESSAGE

it ’s about the humans BY ANDREA BENNETT

rethinking the emergency management space in education BY FRANK SPAETH

school 2home in california provides framework to successfully close the achievement gap

2018 CETPA ANNUAL CONFERENCE

diving into the schedule

EDITOR Lisa Kopochinski lisakop@sbcglobal.net ADVERTISING MANAGER Cici Trino Association Outsource Services (916) 961-9999 cicit@aosinc.biz

26 14

overcoming your security weaknesses BY DAVID THURSTON

cloud - based filtering: a logical step for students BY ROB CHAMBERS

cetpa chats with libbi garrett BY LISA KOPOCHINSKI

new training opportunities at cetpa BY LIBBI GARRETT

20 If undeliverable, return to: 980 9th Street, 16th Floor, Suite 21 Sacramento, CA 95814

camsa 2.0 is here BY GLENN OSAKO

5 EdTech | 2018 | ISSUE THREE

BOARD OF DIRECTORS PRESIDENT JULIE JUDD Ventura County Office of Education julie.judd@cetpa.net

PAST PRESIDENT STEPHEN CARR Ventura County Office of Education (retired) stephen.carr@cetpa.net

PRESIDENT-ELECT LORRIE OWENS San Mateo County Office of Education lorrie.owens@cetpa.net

Technology Innovation

TREASURER PETER SKIBITZKI Placer County Office of Education peter.skibitzki@cetpa.net

SECRETARY BRIANNE FORD Irvine Unified School District brianne.ford@cetpa.net

DIRECTORS-AT-LARGE ERIC CALDERON Riverside County Office of Education eric.calderon@cetpa.net

DEWAYNE COSSEY Vista Unified School District dewayne.cossey@cetpa.net

JEREMY DAVIS Capistrano Unified School District jeremy.davis@cetpa.net

DAVID GOLDSMITH Hanford Elementary School District david.goldsmith@cetpa.net

ROLLAND KORNBLAU El Rancho Unified District rolland.kornblau@cetpa.net

TIM LANDECK

For 35 years, Sehi Computer Products, Inc. has supported schools by providing educators with innovative IT solutions that engage students and advance academic achievement.

HP Sales, Service and Support  Chromebooks

 Supplies

 Mobility

 Audio

Solutions

and Video

Los Gatos Unified School District tim.landeck@cetpa.net

 PCs

PHILIP SCRIVANO

 Workstations

 VR

 Printers

 Warranty

Services

 Managed

Simi Valley Unified School District phil.scrivano@cetpa.net

STEVE THORNTON

and Laptops

& Accessories

Menifee Union School District steve.thornton@cetpa.net

 HP

EXECUTIVE DIRECTOR

 Server

ANDREA BENNETT andrea.bennett@cetpa.net

DIRECTOR OF EDUCATION AND EVENTS LAUREL NAVA laurel.nava@cetpa.net

PUBLICATIONS AND COMMUNICATIONS SPECIALIST

& Imaging

Networking Solutions

 Storage

BREEANN NILES breeann.niles@cetpa.net

6 EdTech | 2018 | ISSUE THREE

Services

 Classroom

Solutions

1275 Puerta Del Sol San Clemente, CA 92673

RESOURCE PROGRAM SPECIALIST

OFFICE AND MEMBERSHIP COORDINATOR

and App Solutions

Visit Sehi at CETPA - Booth #211

elizabeth.peeke@cetpa.net

libbi.garrett@cetpa.net

Displays

 Chrome

Solutions

ELIZABETH PEEKE

LIBBI GARRETT

 Digital

See all Specializations*

1-800-346-6315 www.BuySehi.com

*HP specializations include: Services Sales, Delivery, Managed Print, Designjet

Device Charging Stations

How much could Towers SAve you? Time. Space. Security. Convenience. 100% Student managed Open Concept Problem Free Cable Management Space saving vertical design Come see us at CETPA booth #125 Wall Mount

Free Standing

Mobile

LIFETIME WARRANTY

Simple, Smart, Effective Solutions

408.357.2777 PowerGistics.com

p r e s id e n t

’

m e s s a g e

THE MINDFUL CTO: EFFECTIVE LEADERSHIP

by julie judd, ed . d .

n the July issue of EdTech Journal, I spoke of the importance of reflecting on one’s personal and professional growth. During the summer, I spent time contemplating the things that went well this year, evaluating the projects that are in varying stages of completion, and reflecting on relationships with new colleagues (including my team) and the work we share. During this period of reflection, intentionally focusing on my own efficacy as a leader, I found myself reading excerpts of my dissertation CTO Mentor Program: Examining the Effectiveness of the CETP Mentor Program and its Impact on the K-12 Technology Leader’s Career (Judd, 2015).

IT leaders must learn

I share the excerpt below in the hope you will find in yourself the characteristics of an effective technology leader.

to understand the complex financial

EFFECTIVE TECHNOLOGY LEADERSHIP

Potentially, the benefits of effective technology leadership include providing greater efficiency in administrative operations, which can lead to students’ improved academic performance and growth, improved attendance rates, reduced attrition rates and modernized Career Technical Education (CTE) preparation of students (Kearsley & Lynch, 1992). CTO characteristics are absolutely related to their effectiveness based on the notion that a CTO must possess basic qualities to be

c e t pa p r e s i d e n t j u l i e j u dd , ed . d . is the chief technology officer at the ventura count y office of education . she can b e r e ac h e d at j u l i e . j u dd @ cetpa . net.

8 EdTech | 2018 | ISSUE THREE

considered effective (Brown, 2006). Effective CTOs exhibit significant personal skills and behaviors that stand out against all others (CoSN CTO Council, 2009): • Communicator: direct, honest, and respectful in all forms • Exhibits courage • Flexible and adaptable as well as credible • Results-oriented in both organizational improvement and personal growth • Innovator: leading for innovation and modeling behaviors that others are encouraged to adopt In his dissertation, A Study of Chief Information Officer Effectiveness in Higher Education (Brown, 2004), “found a correlation between the CTO’s strategic business knowledge, interpersonal skills, and political savvy and IT knowledge” (p. 105) and his or her perceived effectiveness. To be most effective, “CTOs will be able to shift their time from distracting operational issues to education leadership and transformation by driving technology solutions that help all aspects of the district’s education and support operations” (Moore, 2010, p. 6).

planning of their institutions. TECHNOLOGY LEADERSHIP: ESSENTIAL SKILLS IDENTIFIED

For a CTO to successfully implement his or her role in the organization, he or she must possess the skills to perform those duties. This is an area of much discussion and increasing study. Elite CTO skills, as identified by Katinka Nicou (2006), include: the capacity to plan and execute successfully integrated IT initiatives; relationship building and motivational skills, strong visionary and inspirational leadership capabilities, the ability to recognize cause and effect of actions and behaviors, both the individual and organizational levels, highly developed cultural sensitivity and the ability to perceive and read the environment and act appropriately. EDUCAUSE’s Brian Hawkins (as cited in Bucher, Horgan, Moberg, Paterson, & Todd, 2001) stated that a CTO needs three primary skills: communications, alliance building, and collaboration.

More specifically, a CTO needs to: • Establish friendly relationships with stakeholders and become familiar with the staff • Understand the tech staff and reorganize the department as necessary, but judiciously • Learn the culture of the institution; learn about the budget structure of the institution • Build a relationship with the boss after you get to know who the boss is • Set and manage expectations – yours and the institution’s It is the CTO’s responsibility to know the best practices in the field and maintain a network of colleagues who can provide feedback on what has worked and what hasn’t (Floyd & Murali, 2010). “With increased visibility and importance being given to the CTO position, there has also come a corresponding increase in new job responsibilities and accountabilities” (Beatty et al., 2015, p. 2). IT leaders must learn to understand the complex financial planning of their institutions. They must clearly understand the organization’s processes and financial structure, as well as its sources of funding and strings attached, as in the case of federal funding (Goldstein, 2007). Carol Cartwright (2002), President of Kent State University, seeks in a CTO the same skills she values in all executive officers: proven leadership skills, strong management skills, and a solid understanding of the difference between the two. In summary, the common components of effective leadership (see below), while self-evident, can be found in numerous publications on leadership and I’m confident you all employ them to one degree or another in your daily work.

• Infuse joy and celebration in our work • Lead others with self-confidence • Never stop learning and improving I hope you have a wonderful 2018-19 school year and I look forward to seeing you at the Annual CETPA Conference in Sacramento, November 13-16, 2018. REFERENCES

Beatty, R. C., Arnett, K. P., & Liu, C. (2015). CIO/CTO job roles: An emerging organizational model. Communications of the IIMA, 5(2), article 1. Retrieved from http://scholarworks. lib.csusb.edu/ciima/ vol5/iss2/1/ Brown, W. A. (2004). A study of chief information officer effectiveness in higher education (Doctoral dissertation). Retrieved from ProQuest Dissertations & Theses. (UMI No. 3147364) Brown, W. A. (2006). CIO effectiveness in higher education. Educause Quarterly, 29(1), 48-53. Retrieved from http://www. educause.edu/node/634 Bucher, J., Horgan, B., Moberg, T., Paterson, R., & Todd, H. D. (2001). The realities of a new senior-level IT position. Educause Quarterly, 24(2), 34-38. Retrieved from http://www. educause.edu/node/634 Cartwright, C. A. (2002). Today’s CIO: Leader, manager, and member of the “executive

orchestra.” EDUCAUSE Review, 37(1), 6-7. Retrieved from http://www.educause.edu/ero Consortium for School Networking CTO Council. (2009). Framework of essential skills of the K-12 CTO v.2.0 (20th ed.). Washington, DC: Consortium for School Networking. Floyd, E. S., & Murali, V. (2010). From vision to innovation. EDUCAUSE Review, 45(4), 8-9. Retrieved from http://www.educause. edu/ero Goldstein, K. L. (2007). Preparing the next IT leaders: Financial management. Educause Quarterly, 30(2), 61-63. Retrieved from http://www.educause.edu/node/634 Kearsley, G., & Lynch, W. (1992). Educational leadership in the age of technology: The new skills. Journal of Research on Computing in Education, 25(1), 50-60. Retrieved from http://dl.acm.org/citation.cfm?id=J479 Moore, R. J. (2010). The future of information technology or how the next ten years will fundamentally change the role of the K-12 CTO. In J. Salpeter (Ed.), CoSN compendium (pp. 1-6). Washington, DC: Consortium for School Networking. Nicou, K. (2006). The complexities of CIO leadership: What makes a successful CIO? Retrieved from http://www.integrateod.com/ pdfs/022607_Complexities_of_CIO.pdf

• Let our values guide our actions • Set an example for others • Articulate our vision in times of uncertainty • Inspire others toward our common purpose • Create environments that promote innovation • Build cohesive and spirited teams • Share power and information with accountability

9 EdTech | 2018 | ISSUE THREE

p r e s id e n t

elect

message

IT GOVERNANCE IN THE K-12 TECHNOLOGY WORLD

T governance is not a popular topic in the world of K-12 technology support. In fact, it’s barely a topic at all. We manage. We lead. But the whole concept of using frameworks to help us in our management/leadership endeavors is just not one we have time for. It sounds great, but we’ll leave all of that to our private industry counterparts who have significantly more resources to work with than we do in K-12. Whether we work in a large LEA or a small one, an urban one or rural, one considered wealthy or with financial challenges, there is one thing we pretty much all have in common—our LEAs’ technology demands continue to increase but our resources do not increase at the same rate. In other words, we will always be asked to do more with less. How can IT governance help with this? What exactly is IT governance? Essentially, IT governance is a structured process in which the leadership of an organization ensures the organization’s IT resources are aligned with the organization’s mission and goals. IT governance ensures requirements are spelled out, applicable laws are complied with, costs—both onetime and ongoing—are identified up front and risk is mitigated.

c e t pa p r e s i d e n t - e l e c t lo r r i e ow e n s i s t h e adm i n i s t r at o r fo r info rmati on tech nology s e r v i c e s at t h e s an mat e o count y office of education . she is al so the past president fo r t h e t e c h nology and telecommunications s teering comm i t t e e . lo r r i e can b e r e ac h e d a t lo r r i e . ow e n s @ cetpa . net

10 EdTech | 2018 | ISSUE THREE

by lorrie owens

There are a number of well-known frameworks out there to help with IT governance. Two frameworks that we talk about in the CTO Mentor Program are COBIT (Control Objectives for Information and Related Technologies) and ITIL (Information Technology Infrastructure Library). COBIT provides us with an overview of what we should be doing. ITIL gives us more guidance on how we should perform certain activities. There is extensive—and expensive— training and certifications available for both frameworks. Very few members of the K-12 technology community have had the opportunity to be trained in either framework. If, and when, there are training dollars available at all, if it is between COBIT 5 training or training addressing how to configure our wireless LAN, we all know which training will win out.

log can be constructed any way you like and can be as concise or as elaborate as you deem appropriate.

How do we use elements of either of these frameworks when we don’t have the time or money to be trained? Well, how does one eat an elephant? One bite at a time.

The next step would be to categorize your services. This categorization would be in whatever way that would make sense to your stakeholders; there are no right or wrong answers here. One person may choose to categorize broadly by hardware services, software support services, training and integration services. Another may choose a more functional approach like new user set-up services, classroom support services, and administrative support services. Take the time to choose the most appropriate method to categorize the service catalog. It is important because this will dictate how your stakeholders locate the information most pertinent to them.

Knowing elements of COBIT will become increasingly important to our technology organizations in the years to come if, as many believe, IT audits eventually become mandatory as financial audits are today. One can simply Google COBIT and find a storehouse of information to start with. But since our technology departments are service organizations, and ITIL is focused primarily on IT service management, there are elements of ITIL that can be employed in our environments immediately. Right now, we’re drilling down through the service design component of the ITIL framework to get to the service catalog. The service catalog is one of the most useful tools you can create for your organization. It helps to educate your stakeholders about available IT services, which goes a long way in moving your department from a constant “reactive” mode to a more “proactive” mode. A service catalog is a curation of all the services your department offers along with pertinent information about those services. An organization’s service cata-

In looking at a simplified way to start building a service catalog for your organization, the first step would be to identify your stakeholders. Are you constructing this catalog for your internal users, for the general public or for someone else? Depending on the types of services involved, do you wish to build separate service catalogs for specific stakeholders in your organization? For example, if you manage an integrated technology department (instructional technology and information technology), you may choose to build two separate service catalogs to address the services unique to the users in each group.

After categorizing your services, define those data elements you wish to communicate about your services. The most basic and the most common elements are a short definition of the service itself (ensure it is written in lay terms), contact information the stakeholder can use to procure the service, some estimation regarding the amount of time needed to deliver the service and any costs associated with the procurement of the service. You can add more information as you deem appropriate. However, you want to limit your service catalog to the information your users need in continued on 28

executive

dir e c t o r ’ s

message

IT’S ABOUT THE HUMANS by andrea bennet t

’ve been reading Thomas Friedman’s Thank You for Being Late. This book intrigued me because the subtitle is An Optimist’s Guide to Thriving in the Age of Accelerations. I’ve been struggling with what feels like time passing more and more quickly and I thought maybe the book had some tools I could use to learn how to adapt better to the fast pace of change happening today. Well, it isn’t that simple.

We are now living– not just with our devices– but in them.

The title comes from a habit Friedman developed when the person he was meeting would be running late. Rather than working or looking at his phone, he would sit and take in the surroundings. He felt better, giving himself permission to slow down, to contemplate and to keep his thoughts to himself instead of tweeting or posting them. That is where he began to formulate his ideas for this book, which is not a set of coping tools but rather what turns out to be—from my perspective—some straightforward ideas on how we can succeed in an accelerated state of change. Friedman writes about three exponentials affecting the world today: Globalization, Mother Nature and he revisits Moore’s law, which is what happens if you keep doubling the power in microchips every two years for 50 years.

and r e a b e nn e t t h a s b e e n c e t pa ’ s e x e c u t i v e d i r e c to r for more than 12 years and has worked in the education communit y as a programmer / coder , tr ainer and director for nearly 30 years .

He writes that Intel engineers did the math to compare the advancements in the automotive industry to the advancements of the microchip. If the automotive industry kept the same pace as the processing power in a microchip, the 1971 VW Beetle could go about 300,000 miles per hour, would get 2 million miles to the gallon and would cost 4 cents.

are now living—not just with our devices— but in them. Ideas and opinions are formed and shared at a faster rate than ever seen and technology is creating opportunities even in Third World countries. These opportunities are both creating solutions to current problems and creating new problems no one expected. And the cycle goes on and on.

According to Friedman, this acceleration started in 2007. He makes a convincing argument, citing that in 2007 the iPhone was released, Hadoop, GitHub, Twitter, Facebook, Android, Bitcoin and others all began. Google bought YouTube, IBM developed Watson, and “The Cloud” began.

Technology is advancing faster than humans can adapt. Information is provided instantly and constantly, and individuals may have a difficult time evaluating, confirming and communicating in a meaningful way.

Devices went from being so expensive and complicated they were run by scientists and engineers to now being used by everyone, even people who are otherwise illiterate. We

It makes us frustrated and a little afraid. The fear that technology will take over all the human jobs is untrue, Friedman says. What is happening, though, is that the skills needed for middle-class jobs are changing from continued on 29

11 EdTech | 2018 | ISSUE THREE

DIVING INTO THE 2018 CETPA ANNUAL CONFERENCE SCHEDULE

12 EdTech | 2018 | ISSUE THREE

THIS YEAR OUR MAIN KEYNOTE SPEAKER IS STEVE “THE WOZ” WOZNIAK!

PRESIDENT’S RECEPTION

hen we begin our review of submitted sessions for the conference each spring, our key question is: What sessions will provide the greatest professional development value to our attendees? We recognize in these days of tight budgets and lengthy approval processes, attending CETPA may be the biggest professional development INFRASTRUCTURE AND SECURITY (PD) activity for our school district attendees In these sessions, you’ll encounter topics such each year. as network design and management, monitorWe’ve always organized our sessions into three ing, cybersecurity and internet of things (IoT). tracks: Leadership, Educational, and Technology. But we’ve debated over the years how to DATA AND DEVELOPMENT provide additional detail that allows you to Within this focus area, sessions will feature prioritize your schedule more effectively. This software design, support and integration, as year we are organizing our sessions into five well as data governance, programming, reportdistinct focus areas: ing and analytics.

LEADERSHIP AND POLICY

Our annual President’s Reception will be held at the Hyatt Regency Sacramento on Tuesday evening, November 13th from 7-10 pm. Outgoing Board President, Julie Judd, will be hosting light appetizers and drinks and she’s put together a special activity for our CETPA community. Beyond serving CETPA and being CTO of Ventura COE, Julie pursues her passion for music in conducting a local orchestra. We wanted to do the same for this year’s reception, so we’re inviting all CETPA musicians to bring their voices and instruments to join us in live band karaoke with a giant concert screen. Not too sure how to play? Then join us in another part of the reception for a Rock Band/Guitar Hero playoff ! This year’s reception will also include our poker tournament, starting with a brief lesson at 7pm. Learn more and sign up for poker at http://cetpa.net/2018presidentsreception.

These sessions include topics such as supervision, leading within your organization, project management, change management and collaboration.

SUPPORT AND USER TECHNOLOGY The sessions under this category address technical support structures and services, device deployment and device management (can anyone say 1:1?). CETPA CHILL ZONE In the east lobby at the Sacramento ConvenCURRICULUM INTEGRATION tion Center (third floor), we’ll have the latest in This focus area dives into the educational tech- 21st-century workplace and learning furniture nology aspects of our work and how to maxi- set up for you to take a break, connect and join mize the use of technology in the classroom. in some other surprise activities located in the Keep an eye on social media in the coming space. weeks as we highlight individual sessions and CETPA “BEST EVER” GOLF our featured speakers! #cetpa2018

CONFERENCE NETWORKING ACTIVITIES We know one of the highlights of joining the Annual Conference is (re)connecting with colleagues you’ve only seen via email address or videoconference. This year, we’re bringing back some of our most popular networking activities:

TOURNAMENT

After Friday’s keynote with Sarita Maybin, you’ll want to take a short trek over to the Teal Bend Golf Club for the annual “Best Ever” Golf Tournament. Registration includes a box lunch, raffle, prizes and the option to let us know who you’d like on your team. Find out more at http://cetpa.net/2018golf.

13 EdTech | 2018 | ISSUE THREE

OVERCOMING YOUR SECURITY WEAKNESSES

by david thurston

ow many times has this happened to you? You’re just getting settle in at the

office and news breaks of yet another security flaw in a system upon which your organization relies? Maybe you’re catching up on the industry news only to read about some sneaky hack that damaged an organization’s reputation and exposed security weaknesses you know also exist in your LEA? It’s enough to want to make you bury your head in the sand and pretend that security incidents aren’t going to happen to your LEA. I mean, your LEA isn’t a bank, right? It’s not like you have valuable trade secrets, or critical national security documents on your network. 14 EdTech | 2018 | ISSUE THREE

In the last issue of EdTech Journal, we published this article by David Thurston without the links to the resources he mentioned in this feature. For this reason, we are reprinting his article. At the end of this article, there is a list of live links for your reference. We apologize for any inconvenience this has caused. —Editor

Well, unfortunately, we all know that not true. School districts and COEs are targets and, oftentimes, easy ones, precisely because we lack the resources of larger agencies or private enterprises. The truth is that savvy, malicious actors know that LEAs maintain valuable information, like student data and employee financial records. Furthermore, LEAs have extensive IT infrastructure sought after by cyber-criminals so that they may exploit our resources in order to commit other crimes, or generate ill-gotten gains (i.e., crypto-mining, botnet recruitment, etc.). Not only are we up against lone hackers, and the occasional curious but misguided student, we now face groups of organized career criminals motivated by billions of dollars in easy money.

It’s also moments like these where we look for solutions. It’s only human nature to try and find a quick and painless fix where we can “set it and forget it” and solve our security problems. Well, that is exactly how the marketers and sales teams of cybersecurity technologies companies want us to feel—scared, confused and desperate for something that will make us, and our users feel safer. I have no doubt that this is how many big sales of security solutions have been made over the years. It’s certainly a powerful marketing strategy, but we all know it’s not an effective or sustainable way to secure our environments. The fact is that no single security tool, or even collection of systems, can sufficiently protect our ever-changing and

dav i d t h u r s t on i s c h i e f t e c h nology off i c e r fo r t h e s an b e r na r d i no co u n t y s u p e r i n t e nd e n t of school s where he oversees techni cal serv i ce s and th e d i g i tal l e a r n i ng s e r v i c e s d e pa r t m e n t s . dav i d ’ s t e am s e r v e s ov e r 3 0 s c h ool d i s t r i c t s and su ppo r t s t h e educational efforts of more t h an 3 8 0, 0 0 0 s t u d e n t s . h e is currently the instruc tor for the cc to cybersecurit y s tr ands and cc to s teering comm i t t e e m e mb e r . h e h a s al so served as a cto mentor and a s t h e c h a i r p e r s on fo r t h e ce t pa i nland a r e a technology regional group. he can be reached at david . thurston @ sbcss . net.

continued on 16

15 EdTech | 2018 | ISSUE THREE

overcoming your security weaknesses

continued from 15

increasingly complex networks. We should be skeptical of vendors selling comprehensive solutions, throwing around jargon like “next generation,” “cloud-based machine learning,” and “real-time threat analysis.” Sure, they sound sexy, and it’s very appealing to think you’ve got an army of AI-enabled cybersecurity analysts in the cloud watching your network. But really, if the tools were all we needed, we’d all have a lot more free time, and probably fewer stress headaches, right?

When it comes to improving your organization’s security posture, it is helpful to borrow a concept from education: it’s a process, not a product. Or, more accurately, it’s about the processes, not the products. As IT professionals, we need to focus on developing comprehensive security processes, based on industry standard frameworks, so that cybersecurity best practices are built into our environments and incorporated into our standard operating procedures. Its processes that, when effectively developed and implemented, change an organization’s culture; and developing a culture of security is the key to truly improving an LEA’s security posture

ated cybersecurity frameworks. Cybersecurity frameworks are designed to help organizations create and sustain improved security processes. Maybe you’ve heard of the International Standards Organization (ISO) 270001 standard1 or the National Institute of Standards and Technology (NIST) Cybersecurity Framework2? Both are excellent examples of cybersecurity frameworks; but let’s face it, they make for challenging reading and can be daunting to implement. This is why the CETPA CTO Mentor Program. requires that candidates study the Center for Information Security (CIS) Controls. The CIS Controls3 take the best practices from both the NIST and ISO frameworks and

EdTech | 2018 | ISSUE THREE

What’s so attractive about the CIS Controls is that the document’s structure lends itself to process development. It’s an easy-to-read list of the processes needed to ensure you’re taking the steps to secure your environment. It helps you identify the security and IT management tools you have in place to see where they’re being used to meet the requirements of a sub-

distill them into a prioritized, easy-read docu- control. This allows you to put the tools into ment designed to assist IT teams in developing the context of a process and properly evalusecurity processes. ate the security value they add. It’s also great The CIS Controls break down the best prac- document to review during IT staff meeting. tices of information security into 20 control You can choose a single control to review per groups. Control groups consist of a set of pri- meeting, check to see how your organization oritized actions, called sub-controls, regarding measures up, and choose specific sub-controls specific IT resource management topics to improve upon.

that—when implemented—will make marginal improvements to an organization’s security posture. The more actions implemented, the greater the security gains. While not all the actions are easy, the CIS Controls are designed to maximize quick wins by reducing complex problems to smaller, more manageable steps. So, where do we start when we want to develop The first six controls are considered basic and our organization’s security processes? Lucky excellent areas to start your process developfor us a lot of very smart people have cre- ment. The next 10 are foundational and build

upon the basic controls. The last four CIS Controls are organizational and provide recommendations for testing your implementation of the first 16 controls and include steps for developing an incident response plan and educating your users in the fundamentals of cybersecurity.

Let’s say that you’re already very familiar with the CIS Controls, or have implemented some other cybersecurity framework at your organization. Excellent work! You’re doing great things at your LEA! But, how are you handling incident response? Unfortunately, even when you’ve developed a robust set of information security processes, things happen. Processes break down and tools get beat. Suddenly, you find your environment compromised. How

WHEN IT COMES TO do you handle it? Do you have an organized method for dealing with threats? One where you can follow a series of steps that allow you to produce a comprehensive document you can use to assure your stakeholders the issue has been properly addressed? If not, you may be interested in these incident response process guides and the incident response and data privacy procedures form4. Let’s start with the incident response process guides. These forms cover 14 of the most common security threats you’re likely to encounter. Who hasn’t experienced some form of malware in the last five years? Or, maybe your LEA has had a laptop stolen? Or, just maybe, someone in your organization has recently been phished? Well, now you have a set of checklists you can use to guide and document the remediation process. The process guides linked in this article were developed by Secureworks in collaboration with the San Bernardino County Superintendent of Schools and were designed to be the primary working documents for incident response teams when dealing with security threats. They provide step-by-step guidance, allow for the delegation of duties and the systematic documentation of findings. They are a great resource for coordinating teams when dealing with large scale, complicated threats, and for individuals dealing with small but potentially dangerous lapses in security. While they are very detailed in their scope, they’re also customizable. They can be modified in ways that will make them more applicable to your organization. Additionally, implementing the process guides will give you a big head start complying with the CIS Control 19: Incident Response and Management.

IMPROVING YOUR ORGANIZATION’S SECURITY POSTURE, IT IS HELPFUL TO BORROW A CONCEPT FROM EDUCATION: IT’S A PROCESS, NOT A PRODUCT.

enough detail to inform IT leadership, but can also be to communicate with executive teams, third-party consultants and, if necessary, law enforcement. The OCDE incident response guide bridges the gap between the technical identification and remediation detailed in the process guides and the summary-style communication needs of non-technical stakeholders and outside support teams. Moreover, it provides an opportunity the response team describe how the lessons learned during the incident response process will be applied to make the organization safer and less prone to similar As great as the process guides are for dealing incidents in the future. with individual security incidents, they are made even better when combined with an in- Of course, no information security improvecident response summary document5, like the ment process is complete without a comone Dr. Carl Fong and his team at the Orange munication and education effort. In fact, user County Department of Education released education is a component of every major cyduring last year’s CETPA Annual Conference. bersecurity framework, and it is specifically adLucky for us, OCDE turned their excellent dressed in the control 17 of the CIS Controls work into a template that can be modified and document. I’m sure the idea of developing and applied to any LEA’s incident response pro- maintaining a user education program sounds cess. This template can be used similarly to the painful, but fear not, our CETPA colleagues process guides discussed above, but it lacks a and TAPD friends have developed materials threat-specific step-by-step checklist. However, and resources that will help you kickstart your when coupled with the process guides, the user education process. Last year, Max Eissler, School District, OCDE template serves as very effective sum- CTO at Martinez Unified 6 shared the slide deck he uses to provide anmary document; one that not only provides

nual cybersecurity best practices trainings for the Martinez staff. The presentation is detailed and covers the majority of points users need to know in order to improve the organization’s overall security posture. It is an excellent template for those IT leaders looking to introduce their users to the fundamentals of cybersecurity. CETPA also includes it in the list of resources for the CCTO cybersecurity classes, and it’s in use at SBCSS in a pilot training program. For organizations looking for something more formal, TAPD is offering their new and improved Cybersecurity Education Program (CEP)7. For those of you unfamiliar with the CEP program, it’s a comprehensive set of enduser focused lessons designed to educate individuals about their personal online practices and their professional cybersecurity responsibilities. The program is delivered via the Canvas LMS and provides a structured, content rich means of delivering effective cybersecurity education at no-cost. Thousands of K20 LEA employees have completed the CEP, and with the new content refinements and user administration improvements, it’s compelling program that will add value to any user education process. continued on 18

17 EdTech | 2018 | ISSUE THREE

overcoming your security weaknesses

continued from 17

Perhaps you’ve noticed a sub-theme running through this article? Yes, it’s about putting processes before products when it comes to cybersecurity. But you’re a CETPA member, and if you’re not already doing all of this and more, no doubt that you’re taking whatever small steps you can to develop your own portfolio of processes to improve your LEA’s ability to withstand and resolve security threats. That brings us to the sub-theme: the more we collaborate and learn from each other, the more secure and more capable we become. CETPA and TAPD offer some great cybersecurity resources, but there are other organizations we can and should look to for help. If your organization is not already a member of MS-ISAC8, consider joining it as soon as possible. MS-ISAC stands for the Multi-State Information and Analysis Center. It’s a collection of state, local, territory and tribal governments that have pledged to work together to identify and address cyber-

security threats. It costs nothing to join and Below is a list of the links that appear in this membership entitles your organization to a article. number of benefits, including timely threat 1. https://www.iso.org/standard/ notifications, relevant cybersecurity news, pro73906.html fessional incident response assistance, and the 2. https://www.nist.gov/cyberframework monitoring of network activity that may indi3. https://www.cisecurity.org/controls/ cate a breach or the presence of malware. I also 4. incident response process guides and suggest signing up for alerts from US-CERT9, the incident response and data privacy the United States Computer Emergency Readprocedures form iness Team. US-CERT provides much of the 5. incident response summary document same information as MS-ISAC, but often pro6. slide deck duces urgent warnings before MS-ISAC. Ad7. Cybersecurity Education Program (CEP) ditionally, US-CERT allows agencies to report 8. https://www.cisecurity.org/ms-isac/ incidents and will provide incident response guidance in the event of a security emergency. 9. US-CERT

THE FACT IS THAT NO SINGLE SECURITY TOOL, OR EVEN COLLECTION OF SYSTEMS, CAN SUFFICIENTLY PROTECT OUR EVER-CHANGING AND INCREASINGLY COMPLEX NETWORKS.

Create deeper digital learning experiences with G Suite See why 1 in 5 California districts use Hapara to make learning visible Find out more at: hapara.com/cetpa

18 EdTech | 2018 | ISSUE THREE

NEW TRAINING OPPORTUNITIES AT CETPA by libbi garret t

ome awesome developments have been made with the California Student Privacy Alliance since its inception in 2016. We were the fourth state to join the national consortium, and now are the paradigm for the other 23 (and counting) alliances. The Student Data Privacy Agreement crafted by the Fagen, Friedman & Fulfrost team is now being recognized nationally by districts as well as vendors! We are happy to announce that there will be new additions to the CSPA training line-up this year. The initial on-boarding process will be split into two parts. Part One: Understanding the Contract and Part Two: Using the CSPA Website. However, these can still be taken consecutively. In addition to the on-boarding trainings we will now have Next Steps training as well as Resource Tools training.

The goal is to offer more trainings with smaller groups to provide focused support and help members become more comfortable working with the CSPA. Without the support of members like you, the Alliance would not be as successful as it is! All trainings will be available as a downloadable resource after the training for further reference.

Exciting things are happening this year and additional CETPA outreach and support are high up on this list! Make sure to check out some of the sessions on Student Data Privacy at the CETPA Annual Conference this year, November 13-16, at the Sacramento Convention Center. Look for increased outreach and resources to help districts meet the requirements of both State and Federal laws governing Student Data Privacy.

Next Steps training will be for districts who have already been on-boarded but desire to have additional support and training. Next Steps training will consist of small groups of five or fewer districts and will be a hands-on guided training, walking users through the process of uploading contracts. Resource Tools training will be for districts who are interested in using the additional resource tools available, such as the work flow piece the CSPA offers. Resource Tools training will consist of small groups of five or less districts and will be a hands-on guided training, walking users through the process of using the resource tools. Along with the opportunity for additional training, we are preparing to work with our Regional Groups to bring about awareness and additional support to the groups. One-on-one support is available when needed and district outreach has already begun.

libbi garret t is cetpaâ&#x20AC;&#x2122;s new resource program specialist. s h e can b e r e ac h e d a t libbi . garret t @ cetpa . net.

19 EdTech | 2018 | ISSUE THREE

CAMSA 2.0 IS HERE

by glenn osako

ETPA, SHI and Microsoft have had a long-standing relationship in which many CETPA members now refer to it as “CAMSA,” which stands for CETPA and Microsoft Strategic Alliance. This strategic alliance resulted in the first statewide enterprise licensing program back in September 2011. This purchasing vehicle for K-12 educational institutions allowed LEAs (Local Education Agency) to take advantage of significant volume discounts they would normally not receive on their own. Almost a decade has passed since the original CAMSA agreement and we are excited to announce the next generation CAMSA agreement, called CAMSA 2.0. There are some key changes we will discuss here while some things will remain the same. Microsoft 365 (M365) is built to unlock the creativity, teamwork, simplicity and security WHAT’S CHANGING AND WHY? in an affordable solution for education. M365 We are modernizing the Microsoft license is the successor to the “Desktop EDU” SKU, agreement (known as EES, Educational En- which is being retired. rollment Solution) to reflect today & tomorrow’s technology landscape. Cloud services is THE BENEFITS OF M365 A3 a widely accepted practice with school districts, INCLUDE: • License rights for everything that the with 94% of the Consortium for School Netprevious “Desktop SKU” included such as working (CoSN)survey respondents indicatOffice Pro Plus, Client Access Licenses ing they use some type of cloud-based software (CAL’s) and Windows OS upgrades. system.*

glenn osako is director of s t r at e g i c pa r t n e r s h i p s at m i c r o s of t and l e ad s t h e microsoft strategic alliance with cetpa to help empower t h e o r gan i z at i on and i t s members to achie ve more & fos ter s tudent success . he can b e r e ac h e d at gl e nn . osako @ microsof t. com .

20 EdTech | 2018 | ISSUE THREE

• Cloud-based enterprise mobility management service is included called Windows Intune for Education, which lets you deploy and manage Windows 10 devices using a simple interface for managing policies, apps and settings. • Innovative classroom solutions such as Minecraft Education Edition which is an educational version of Minecraft specifically designed for classroom use to transform learning.

• Security solutions, such as Office 365 Cloud App Security, which will give you insights into suspicious activity in Office 365 and includes the Cloud Discovery Dashboard which shows information about cloud app usage within your organization. Azure Information Protection helps secure email, documents and sensitive data that you share outside your organization. Advanced Threat Analytics will help protect your enterprise from multiple types of cyberattacks by learning, analyzing and identifying suspicious user or device behavior.

NEW PRICE LEVEL FOR THOSE LEAS THAT COMMIT TO M365 A5 We are pleased to offer Level D pricing for those LEAs that commit to M365 A5. Benefits of A5 include:

• Identity solutions such as Active Directory Premium which helps you manage and secure your user identities. In addition, you can implement single sign-on, multifactor authentication and self-service password reset, all helping to reduce IT management and security costs.

• Analytics capabilities including Power BI Pro, a business analytics tool to visualize and analyze data, share insights, monitor your organization and get answers quickly with rich visual dashboards available on every device.

• All benefits of M365 A3 are included. • Advanced Security and Management including ATP (Advanced Threat Protection), which helps protect your email against new, sophisticated attacks in real-time. It includes spoof intelligence, safe links, safe attachments and advanced anti-phishing capabilities.

• Cloud PBX and PSTN conferencing bring phone calling and meeting dial-in capability to Skype for Business and Microsoft teams. SIMPLIFYING USER DEFINITIONS TO STREAMLINE LICENSE COUNTS With M365 & CAMSA 2.0, we’ve eliminated the complex calculations for “full-time equivalent” (FTE). You simply count your Knowledge Workers, which is any employee who uses a product or qualified device for the benefit of the institution. LEAs can also use the free A1 suite for “Light Users,” those that do not typically use a computer in their normal job function. Example:

ENROLLMENT WINDOWS REMAIN THE SAME:

Student privacy compliance continues to be built-in to the CAMSA 2.0 agreement, which means Microsoft solutions are compliant with California education code student privacy laws. Further detail can be found on the CETPA website.

More information can be found at https:// www.microsoft.com/en-us/microsoft-365/ blog/2014/09/22/students-teachers-mayeligible-get-office-free/ For more information about CAMSA, please visit the CETPA website:

LEAs will continue to receive Student Use https://cetpa.site-ym.com/page/CAMSA Benefits such as the ability for students to download free to five devices of Office Pro Additionally, you can always contact your reseller, SHI, at CaliforniaEDU@shi.com or Plus. Faculty and staff also have this benefit. 800-535-5210. *based on CoSN’s 2017 Annual Infrastructure Survey Report

Another new benefit is enabling greater flexibility to adjust counts at anniversary. This allows LEAs to true-up or true-down at their yearly anniversary period. WHAT’S NOT CHANGING There are several benefits that are not changing and will continue for LEAs to take advantage of such as: • Leverage collective purchasing power of the whole group which saves times looking for the best pricing • Reduce overhead and recordkeeping • Save time with simplified decision making

An Employee Owned Company!

Infinity already serves 15% 17% 18% 20% E-Rate Services

25+%

of all California school districts.

Design Services

✓ E-rate C1 & C2 Filing & Reporting Services ✓ Funding, Tracking & Monitoring ✓ Up-to-date E-rate Compliance & Regulations ✓ Fund Recovery ✓ E-rate Review & Audit Representation

✓ Complete Systems Design & Specifications ✓ Drafting Services ✓ Budget Estimating ✓ Managing the Bidding Process ✓ Procurement Compliance

Project Administration ✓ Dedicated Assigned Project Manager Project Timeline Development Vendor Management Cost Control Inspection

✓ ✓ ✓ ✓

The program will continue to offer Level C pricing for the M365 A3 suites.

We would love to put our extensive experience to work for you, too.

The minimum knowledge worker count will be 25, similar to the minimum FTE count previously. Normally, the EES requires a minimum of 1000 knowledge workers to qualify.

P.O. Box 999at∞ Bakersfield, 93302 Be sure to stop by our booth #401 CETPA 2018 toCA get∞your Infinity coffee mug and more!!

*Please call us for a list of references in your area.

Infinity Communications and Consulting, Inc.

 1.661.716.1840

 www.Infinitycomm.com

 Info@Infinitycomm.com

21 EdTech | 2018 | ISSUE THREE