Arvika municipality's path to a secure digital environment in schools

Arvika municipality’s path to a secure digital environment in Norwegian schools

Arvika municipality has used Google Workspace for Education since 2008. Originally for teachers to have access to a good e-mail solution. At the same time, it was realized that there could also be a future need for students because Google contained several other tools that had great potential to be used in the classroom. In 2012-2013, students began to access their own computer in school, and several of Google’s tools were introduced into the curriculum. The need for a security analysis became clearer, especially since the general Privacy Regulation, GDPR, was adopted 25. May 2018. In addition, Chapter 10 of the Information and Secrecy Act cannot be avoided. Privacy Shield. Cloud Act. Schrems II.

Need for a continuity analysis

A continuity analysis was carried out which included operation, vulnerability, identity and information flow in all the municipality’s digital environments. The analysis work indicates that there is potential for improvement in terms of handling, for example, personal information, privacy-sensitive information and classified information. Communication can take place in an uncertain way, the knowledge and the conceptual understanding of what it means to send information within the domain and outside the domain must be developed.

Some important guidelines that lead the work forward

In order to move forward in the safety work, the municipality must carry out some principled guidelines. It is unreasonable for a few people in a small Värmland municipality in sparsely populated areas to solve the problems that, among other things, have to do with data storage in different regions. This is first and foremost a question that the EU and the US must resolve. At the same time, the municipality is at a crossroads between different legislation on information and data security, which indicates that certain handling of data may be illegal. On the other hand, there are school laws, curricula and governing documents that say that the school must be digitized. The municipality therefore takes the following guidelines:

laws and guidelines are incompatible
they assume that the EU and the US will find a solution
they are prepared to take the risk of breaking the regulations
Chapter 10 of the Public Access to Information Act on information and secrecy will hardly work
Without these guidelines, the only option for municipalities is to step out of their digital environments and start using paper and pen again.

With the knowledge that there is a minimal risk that Chapter 10 of the Public Access to Information Act on information and secrecy will materialize, the municipality chooses to continue the work of creating a security-conscious organization. When the EU and the USA have solved the problems, Arvika municipality will be at the forefront.

Hire a Google Certified Partner

An important key to Arvika municipality’s successful work is that they started a collaboration with a certified Google Partner at an early stage. The municipality’s own organization is too small to maintain the specialist competence needed to be able to carry out the work. Thanks to the partnership with Online Partner, you have exclusive access to expert knowledge about Google and security, which means that you can quickly get answers to questions and support at work. In addition, the work is formalized in a way that makes it a mutual responsibility to fulfill its obligations. The work becomes more efficient, for example thanks to planned reconciliations.

How to create a security-conscious organization?

Creating a security-conscious organization is mainly about technology, pedagogy and education. In Arvika municipality’s project, the technical part is estimated to be about 10%. The rest is pedagogy and developing users’ skills around data and information security. Together, it helps to create a culture where one “thinks about information security”.

Google Admin Console

The biggest changes in the technical environment are not visible. They are created behind the scenes, largely via the Google Admin Console, where functions that contribute to a safe environment are activated / deactivated to create rules and policies for users. Here, the municipality has received great help from Online Partner to make the right adjustments and settings. Google Drive creates structure, order and order. Some devices are locked to store sensitive information but do not share the information from the device. It’s about making it harder for teachers to inadvertently make mistakes.

Two-factor authentication

Another important part of the municipality’s security work is to introduce two-factor authentication when logging in. Security key by Yubico, USB keys for two-factor authentication are implemented step by step for employees in kindergarten, elementary school, and then high school.

Kl. 06.00 every, Monday, Wednesday and Friday, all users are automatically logged out of the domain on all digital devices. To log in to their devices again, staff use their Yubikey USB keys.

Training

The student must always be at the center, and the teacher is responsible for protecting students’ data and sensitive information. Teachers must be able to trust that the digital environment is secure, that sensitive information does not end up in the wrong hands and that they can work in the environment without risking unintentional mistakes. However, it is known that teachers often feel insecure in digital environments, they are afraid of making mistakes and of possible consequences. Myths spread about the suitability of cloud solutions to store sensitive information. Cyberattacks, ambiguity and lack of frameworks and rules. Here it is important to understand that the Google environment is so safe that no one can hack into it.

In order to increase the level of knowledge, awareness, contribute to a cultural change and a new way of working, all users must complete two courses. The first training “Theme Security” is based on the Swedish Digital Information Security Training for All, Disa. In addition, there is an online basic training on information security via Draftit. Once the training is complete, employees can receive Yubikey USB keys