1 Understanding Your IT Environment

You should know the following terms:

• Anti-virus software
• Application whitelisting
• DHCP logs
• Inventory
• Levels of access
• Malware
• Mobile Device Manager (MDM)
• Multi-factor Authorization (MFA)
• Network topology
• OS deployment tools
• Personally Identifiable Information (PII)
• Standard operating procedures (SOP)
• Switches and routers
• System Center Configuration Manager (SCCM)    
• Virtual Private Network (VPN)
• Wireless controllers

Inventory and Control of Enterprise Assets

Inventory and Control of Enterprise Assets is the CIS (Center for Internet Security) Critical Security Control 01. Schools and districts must maintain an accurate inventory of the devices they provide to staff and students. Entry-level technicians often play a role in helping to maintain hardware and software inventories, including deploying and collecting devices from staff and students, imaging devices with approved software, and sometimes working with supporting systems, such as security, HVAC, and phone systems. You should know where to access your district’s hardware and software inventory and any standard operating procedures (SOP) that you may be required to follow to maintain it.

Your district may utilize multiple products depending on the types of devices that are supported. Your inventory may be managed through one or more of the following:

• System Center Configuration Manager (SCCM) provides inventory and control of most computers.
• Mobile Device Manager (MDM) provides inventory and control of mobile devices you own.
• Microsoft Intune is a cloud-based management system that helps manage users, applications, and devices
• Google Workspace is used to manage Chromebooks and the suite of Google applications, like Gmail, Drive, Calendar and others.
• Snipe-IT is an open source asset management resource that is cloud hosted.

Inventory and Control of Software Assets

In addition to hardware, IT Departments can better protect their network and improve security by maintaining an accurate software inventory system. This is CIS Critical Security Control 02. Various open-source or for-fee products are available to help you maintain a software inventory, including mobile apps, and online systems. Any approved software should be kept up-to-date to prevent malicious attacks on the vulnerabilities of outdated software.

To better maintain the integrity and security of your network, most districts will limit staff and students from installing software or apps. Others may provide a secure method for staff to select from and install approved apps, such as a district online software center or other resource. To securely manage devices, IT staff often create images of the OS that contains only approved software for staff or students that can be deployed on devices. There may be different images for different user types. These can then be loaded onto any district-owned devices using OS deployment tools, including a MDM for mobile devices.

Your district likely incorporates anti-virus software on its devices but can also use application whitelisting to ensure staff are using approved applications and websites. Applications not on the list, including malware (malicious software), can be prevented from running or installing itself on devices and causing harm.

Teachers, especially, will hear about and find many different websites and apps they’d like to use from friends, colleagues, or simply by connecting with others online or at meetings. Just because a teacher finds a new application that may seem valuable doesn’t mean they should be able to install it or use it without some type of district review. 

Any resources used in the district should first be reviewed to understand how it works, how it is or isn’t similar to other district-supported resources, the types of data it collects, and whether and how it shares that data. Your district is legally required to protect some student data, including personally identifiable information (PII) when students are working online or with digital devices. The IT Department should be involved in the process used to review potential new resources that may be recommended by staff, both free and for-fee products This process may also involve curriculum and instruction staff, media specialists, those in charge of adopting textbook materials, teachers, administrators, as well as the legal department.

Network Operations

Your network team should be able to quickly locate, identify, and control any device that connects to your network, whether on campus or remotely. They can obtain an inventory of devices that are connected at any one time by reviewing live data within switches and routers, wireless controllers, and DHCP logs. Additional resources are available to maintain historical records of devices that have accessed your network. While you may or may not be required to manage your network and the devices on it, you should understand your district’s basic network topology. You should be able to read any charts, diagrams, spreadsheets or tables that document your network and its resources in case you are called upon to support the network team. 

Your network may be divided into separate networks that support the needs of different types of users. These users may be assigned different levels of access, such as a teacher versus a student, or a teacher versus staff that have access to confidential personnel or financial records. Some users may actually connect to a separate network, such as a guest network, that has limited access. Your district’s guest network should not allow guests using it to access internal devices, for example network printers. It may also have stronger security and filtering settings than the network staff have access to. You may be asked to test these restrictions on your guest network and you should understand how guests can access the network. Some guest networks have fairly open access, but others may require a guest account or agreeing to acceptable use on a network landing page. Know how your guest network operates and the services it does and should not provide.

When off-site, staff may need to access the resources on your network. While not necessary in all cases, some access to network resources may be necessary as teachers work on lesson plans or develop other materials. A Virtual Private Network (VPN) connection may be used to provide secure access to network resources to qualified users. VPN connections should require multi-factor authorization (MFA) to ensure only approved users are logging in. 

Here are additional resources you may find useful:

• Critical Security Controls® (version 8). (March 2022). Center for Internet Security (CIS)
• Locating a Host Port by IP Address from PacketLife.net
   

Complete the following task or self-assessment:

Find and review your district’s hardware and software inventory; work with others on your team to understand the SOP you must follow to help maintain it.

• What controls does your district employ to maintain the integrity of your network and manage software?
• Which of these fall under your job description?
• If there are systems that you will be working with but have limited expertise, what resources are available to help you better understand how to use them effectively and efficiently? You may be able to find and complete online tutorials or review vendor support websites to increase your knowledge and skills.