You are here: Home Contents V6 N3 V6N3_Lincke.html
Personal tools

Security of Information Systems in Schools: An Evaluation using Audit and COBIT Interviews



Full text

Journal of Information Systems Security
Volume 6, Number 3 (2010)
Pages 4263
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Susan J. Lincke — University of Wisconsin-Parkside, USA
Reetika Kumar — University of Wisconsin-Parkside, USA
Virat Tiwari — University of Wisconsin-Parkside, USA
Information Institute Publishing, Washington DC, USA




This research helps to define the current level of information systems security in a set of Wisconsin/Illinois schools. To conduct this research  seven schools or school districts were interviewed, and students audited sections of the schools' computer infrastructure. These schools were of varying size in terms of their IT department structure and equipment facilities. Information was gathered on the basis of questions relevant to the security maturity standards defined by COBIT recommendations. This research helps to define whether and which COBIT recommendations apply to smaller nonprofit organizations, such as schools. By asking interviewees which areas were deemed important, we observed the priorities of the very small versus larger organizations. This research is necessary to mold the COBIT standard to a form useful for smaller institutions, and schools in particular.




COBIT, Education, Schools, Audit, Information Security Maturity Model, CMM, Small Business Security




Alapo, L. (2009) "Teens 'sexting' concerns parents, educators, police", Chattanooga Times Free Press, 15 March 2009.

Baker, W. H. and Wallace, L. (2007) 'Is Information Security under Control? Investigating Quality in Information Security Management', IEEE Security & Privacy, Jan/Feb, 5 (1): 36-44.

Barlette, Y., Fomin, V. V. (2008) 'Exploring the suitability of IS security management standards for SMEs', Proc. 41st Hawaii International Conf. on System Sciences, Jan. 2008, Waikoloa, Big Island, Hawaii.

Carnevale, D. (2006), 'U. of Texas May Add Second Layer of Security to Foil Hackers,' Chronicle of Higher Education, 4 Aug. 2006, 52:48.

CDW (2008), 'K-12 Schools' Physical Safety Improveds, While Cyber Safety Declines, According to the 2008 CDW-G School Safety Index', Business Wire, May 19, 2008.

Debreceny, R. (2006), 'Re-engineering IT Internal Controls: Applying Capability Maturity Models to the Evaluation of IT Controls', Proc. 39th Hawaii International Conf. on System Sciences, Jan, 2006, Waikoloa, Big Island, Hawaii.

Debreceny, R. and Gray, G. L. (2009), 'IT Governance and Process Maturity: A Field Study', Proc. 42nd Hawaii International Conf. on System Sciences, Jan 5-8, Waikoloa, Big Island, Hawaii.

FERPA (1974), 'Family Education Rights and Privacy Act,' U.S. Dept. of Education,, 10 May 2007.

Field, M. (2009) "TelstraClear hires hacker 'Akill'; INTERNET SECURITY", The Press. Christchurch, New Zealand. 24 March 2009.

Gash, M. (2006), 'Wisconsin principal dies after school shooting,' USA TODAY, 30 Sept. 2006.

ISACA, (2007), “COBIT 4.1”,

IT Governance Institute, (2006), "IT Control Objectives for Sarbanes-Oxley, 2nd Ed., (Exposure Draft),", 30 April 2006.

Johnson, D. W. and Koch, H., (2006), "Computer Security Risks in the Internet Era: Are Small Business Owners Aware and Proactive?", Proc. 39th Hawaii International Conf. on System Sciences, Jan. 2006, Waikoloa, Big Island, Hawaii.

McDowell, M. and Householder, A. (2005), 'Keeping Children Safe Online,' Carnegie Mellon University,, 2005.

Newswire (Anonymous) (2009), 'Study Finds Both Students and Teachers Lack Basic Cyber Security Education', PR Newswire, ProQuest Newspapers, Nov. 18, 2008.

O'Brien, B. (2008), 'Catching the 'scritp kiddies'; School districts play digital cantand-mouse', Buffalo News, Apr. 21, 2008.

Pospeschil, J. (2006), 'Computer breach exposes WIU students' data - Social Security numbers, credit card information may have been viewed by unauthorized parties', Journal Star, Peoria IL, Jun 16, 2006.

Ramos, M. (2006), 'Guidance for Designing a Computer General Controls Review' in How to Comply with Sarbanes-Oxley Section 404: Assessing the Effectiveness of Internal Control, 2nd Ed., John Wiley & Sons, Hoboken, NJ.

Read, B. (2006), '2 Students Face Hacking Charges for Changing the Grades of Nearly 300 Classmates,' Chronicle of Higher Education, 52 (48): 4 Aug. 2006.

SSE-CMM (2003), 'Systems Security Engineering Capability Maturity Model SSECMM ® Model Description, Vers. 3.0,' Carnegie-Mellon University,, 15 June 2003.

Swartz, N. (2007), 'ID Thieves Targeting Universities', Information Management Journal, 41 (2): Mar/Apr 2007.

Unmuth, K. L. (2009) "Carrollton police investigate possible link between computer thefts at schools", McClatchy - Tribune Business News. 4 April 2009.

Vijayan, J. 'School Out to Improve Its Marks on Security', ComputerWorld, 40 (26):6 Jun 26, 2006.