2021-04-23 My Morning Message to CCP-Essentials Class
You always get jitters in our stomach the day of module launch. You worry will everything work? Will my students understand the modules and demonstrate growth? Will my assessments elicit evidence of this knowledge growth?
Yesterday the launch of our Module One in our CCP-Essentials Class, a non-certified preview of our official class coming this June. It also affords us the chance to hire a team of experts for a content validity study and to write the protocols for all the assignments.
Yesterday I realized like most of us in the Defense Industrial Base I need to take my policy and procedure a step back and begin with user onboarding.
Onboarding Procedures
Much like the Human Resources onboarding and termination policies any company needs for cybersecuirty our courses will need guides on how to add users and grant authorized access to learning materials through role based access control (RBAC).RBAC? I mean different people have different authorizations to see and/or do things to different stuff. So the teacher has one role and they get to more things to more stuff and then students have a role and they get to less things to less stuff but more things to their stuff.
In a way we build classrooms like access control.
New Users
I stuggled yesterday with account creation and provisioning of assignments. As a reminder we deployed our class using Microsoft Teams. So we have people still signing up for the class after they hear about our approach to personalized learing.
I quickly realized I need, just like you need a new employee guide, policy for new account creation. For example I need to ask, “Do you use a GCC-High account and if so do you have a commercial account you can use?”
As GCC-High will block the account creation. This must be followed up with, “If you choose to use a personal account do you know if this violates work policy?”
Authorization to Video
Microsoft Teams and metting recordings do not get shared outside of the organization. Some of the accounts in the class, not all, can not watch previously streamed movies. Makes sens don’t want folsk sending meetings outside of the organzation. The videos get sent to stream and to Share Point.
So as a hack I go into Stream, I download the video and then I upload the mp4 file to Teams so everyone has access. Works but a PITA. Still needs to make my policy.
The bigger the PITA someone will find a process the more important we find that you stress fidelity, spell out the steps and make everyone do them, in your policy.
People seek the path of least resistance. You can not let them. That is the job.
Deployment of Assets
Sharepoint has so many internal settings for our University Security we could not deploy it as a viable option. So after feature and price shopping we have decided to pilot SafeShare, an encrypted file service, for our curriculum deployment.
I need a smoother workflow for distributing and templating assessments. In SafeShare you can control asset access by only allowing authorized users specific times to open a file. In learning we call this Condtional Release, it has tons of research supporting the use.
In CMMC land we call this a strategy for limiting unauthorized access.
What I did yesterday for Module One didin’t work. Whether in Teams or In SafeShare I need a way just to hit a button and send a template top every student.
Matching the Tool to the Job
We have people doing many different types of pre and post assessments derived from the most rigorous research in cognitive science. Many cybersecurity experts complain, “I am not good at tests.”
Maybe becuase we only test in one modality when we know learning occurs best through multiple repitions across as many modalities as possible.
Why should measurement be any different?
Doesn’t mean we won’t mess up.
Yesterday, for example, (and I knew better) I tried using Micorsoft Word for concept mapping. I would just print mine out but a lot of people like tech, especially in this cyber space, so folks suggested making in PPT.
One student just did it on our own.
Policy Through Iterative Design
So while this isn’t policy I do need to update the protocol for assessments and continue to hack on asset deployment to ensure a verifiable path of evidence for accountability.
Same holds for your protocols and policy, You can never reach a security level high enough for compliance without living documents.
Ad hoc equals = death in a digital world.