An audit verifies that the systems and applications you have in place are appropriate, efficient and adequately controlled to ensure a reliable, efficient and secure service. What do you need to know when it comes to your ICT provision? We explore
Why conduct an ICT audit? Simple; to asses equipment, infrastructure, policies and operations – their sustainability and effectiveness, identifying gaps in your provision, areas to upgrade, defining priorities and ensuring budgetary efficiencies. Why wouldn’t you do it? Ultimately, conducting a comprehensive audit of your school’s IT estate can illustrate how effectively digital resources are being used and what your school’s actual requirements are in order to deliver your school’s objectives – leaving you with a detailed report and guide which runs alongside, and complements, your school’s long-term vision as defined in its development plan.
Regardless of contracting budgets, schools are investing in IT because of the benefits to teaching, learning and wider school operations. However, it’s necessary to ensure that systems are reliable, secure and effective. To invest wisely, Neil Watkins, managing director of Think IT, advises that schools have a three-year strategy in place. “With the rate of change in technology this is hard to plan, but schools need to have a big picture vision on which to base their investments; to be truly effective schools have to start with the bigger picture questions.” It’s useful to ask questions such as, ‘What’s not working? ‘What would we like to be able to do and can’t?’ ‘What is limiting our IT delivery and how can we reduce IT costs?’ To answer these effectively, you must start with a full IT audit.
Under investigation: needs and priorities
Bill Champness, managing director of Hardware Associates, agrees that undertaking an IT audit will give you an idea of what needs to be done; it will reveal where students and staff are working on systems which need to be upgraded if they are going to achieve the best learning experience. It will also help you to prioritise where your focus should be. “For instance, there might be a decade-old server in the library, but that’s OK as it’s just holding records. Meanwhile, the computers in the design technology department, due to their age and spec, are really hindering student development and teachers’ ability to teach to their full potential – so replacing this suite is a priority,” Bill says.
Taking an ‘outcomes’ approach will help you to make more informed decisions. Your audience needs to be considered as outcomes may be different depending on whether your target group is students, staff, parents, governors or wider stakeholders. Finally, technology infrastructure and whether licensing is up-to-date must be assessed.
Managing ICT is just like running a car; you have to consider and maintain each and every part to ensure it stays safe and runs smoothly
A break in the ICT chain
A technology assessment is vital in ensuring that spend is neither excessive nor unnecessary, and it needs to be comprehensive – drilling down into the different areas of a school’s ICT chain. It’s important to see a school’s ICT as interconnected – if one link’s not up to par it can impact other areas. “For example, an IT manager at a school in Wales tried to fix a problem with the school’s server which occurred at busy times. Rather than seeking external help, he inadvertently switched off the internet filtering, with potentially damaging consequences,” Neil says.
A thorough IT audit can pick up ‘chain breaks’ in your school’s ICT; ensuring that staff see all aspects of ICT as connected reduces the chance of basic errors being made. Neil explains that, while connectivity coming into the building is essential, if the wifi infrastructure is out-of-date or not fit-for-purpose, the chain breaks. “Equally, this is only effective if network security is current and this, in turn, can be compromised if the equipment and software aren’t up-to-date,” he continues. Schools must have a good back-up system to avoid a security breach, preferably in the cloud in a secure, data centre with restricted access, Neil recommends. This is important to minimise the risk of data falling into the wrong hands, which can easily happen if your policies aren’t regularly updated and people don’t know what’s permissible. “Managing ICT is just like running a car; you have to consider and maintain each and every part to ensure it stays safe and runs smoothly,” he adds.
Once your audit is done and dusted…
Once everything has been assessed and audited, the real game-changer is the budget. “Despite what the audit might say, it’s rare these days to find a school or academy that has the budget they need to purchase an entire, brand-new IT estate with brand new desktop computers, laptops, tablets, etc.,” Bill says. However, with your audit in hand you will be in a good position to consider alternatives that can help you meet your school’s requirements.
Neil advises that you work out what the total cost of ownership of the school’s IT is and look at where savings can be made – don’t just go for the cheapest. “If the lowest priced product doesn’t come with a warranty, free delivery, installation, software upgrades and, most of all, isn’t really necessary, it is potentially the most expensive product available!” he cautions. The rapid evolution of technology is a challenge for schools when it comes to ensuring that IT is current; procurement is challenging too, because it’s difficult to know what’s the best on the market and what’s good for the school’s needs. This is why the Department for Education recommends procurement frameworks and why many schools opt to engage IT consultants.
The General Data Protection Regulation (GDPR) has made it crucial that schools understand the personally identifiable information (PII) that they hold – who’s using the data, how it’s acquired and managed; in order to ensure compliance you will need to have a thorough process in place.
“A data discovery exercise will help you better understand the flow of PII around the organisation,” Richard Jones, business development of Foregenix, suggests. “You need to know where data enters systems, who uses it, where it resides – and even where it leaves the organisation – who it’s shared with, or processed by, and by which other third parties.” Richard also says that a thorough PII audit will cover all bases and suggests searching all areas of your school – regulated and unregulated. “While the external threat might loom large, staff can also access, and potentially remove, PII without permission – it can be as simple as placing a USB stick in a PC,” he says – and this is something which all schools need to guard against.
Your dedicated data protection officer is responsible for all PII and other sensitive data and must be able to see the bigger picture so that they can effectively monitor overall compliance. Any data discovery exercise brings with it the option of dealing with the data there and then – protect, delete or place in quarantine while you decide its fate. “Use a data audit to cut the ‘redundant, obsolete or trivial’ (ROT) data out of your organisation. Research suggests that upwards of 34% of data classed as PII can be classified as ROT,” Richard points out.
Undertaking an audit – in any department – can help ensure long-term viability; understanding what you have in place can help you take the best course of action and, as the old adage goes, ‘A stitch in time saves nine.’