Revised Domain Audit Tool SY15-16

Columns: Checkpoint | Status | Findings | Quick Link to cPanel Section (if applicable) | Name of Topic or Admin Panel Section | SubTab / Section | Priority | Rationale for this setting | In-House Training Needs | Helpful Links | Risk Categories

Checkpoint: The primary, super admin account for the domain is NOT THE SAME ACCOUNT as an actual user. E.g. you should have a role account like "admin@mydomain.org" as your primary domain owner.
  Status: not yet started
  Quick Link to cPanel Section: Admin Roles --> Super Admin
  Name of Topic or Admin Panel Section: Admin Roles
  SubTab / Section: Super Admin
  Priority: high
  Rationale for this setting: You need to build for succession. The domain should not be tied to a specific person -- rather a set of role account credentials should be passed between people.
  Risk Categories: Ineffective use

Checkpoint: The school principal has a user account with "Super Admin" privileges on the domain and they are aware they have this access and how to access the control panel. There should be a generic "systems" account in addition to any real super admin roles.
  Status: not yet started
  Quick Link to cPanel Section: Admin Roles --> Super Admin
  Name of Topic or Admin Panel Section: Admin Roles
  SubTab / Section: Super Admin
  Priority: high
  Rationale for this setting: As the ultimate accountable person at the school, the school principal should have the full ability to review and change domain-level settings for any other employee in the organization.
  In-House Training Needs: Principal will need an introduction to the Apps control panel, and will need to see this checklist.
  Risk Categories: Legal

Checkpoint: Appropriate personnel have been assigned to the groups admin role. I.e. is there someone like an AP or school secretary who might be good at keeping your domain distribution groups up to date?
  Status: not yet started
  Quick Link to cPanel Section: Admin Roles --> Groups Admin
  Name of Topic or Admin Panel Section: Admin Roles
  SubTab / Section: Groups Admin
  Priority: high
  Rationale for this setting: It is important to delegate responsibility for maintaining up-to-date internal communications lists and sharing groups to employees who have direct access to an up-to-date table of organization and employee on-boarding (for accounts) or who handle student enrollment (for student accounts). You can also assign certain admin privileges based on role. For example, you may give your secretary the privilege of adding new users to the account.
  In-House Training Needs: Personnel designated as groups admins will need to be shown how to get to the Apps Control Panel from their Mail inbox and how to manage group membership, type, etc.
  Risk Categories: Ineffective use

Checkpoint: Create a special role called "Google Apps Vault Admin" and assign appropriate users in the organization to the role. Assume that only the tech liaison and the principal should have this level of access. Notify the principal that they have this level of access and provide them the link: https://ediscovery.google.com
  Status: not yet started
  Quick Link to cPanel Section: Admin Roles --> Create a New Role
  Name of Topic or Admin Panel Section: Admin Roles
  SubTab / Section: Create a New Role
  Priority: high
  Rationale for this setting: Vault allows compliance with public employee records retention laws and protects teachers from false accusations by students in schools with student accounts. In the event of NYCDOE investigations, Vault allows for full discovery of all email and chat transcripts on specified users. It is critical that only the principal and other trusted parties at the school have admin rights in Vault.
  In-House Training Needs: Principal (and APs?) will need an overview of how Google Vault works. Faculty will need an explanation of this that treats them like adults: 99% of the time, this will afford teachers far more protection than using a non-archived email account, in particular if they are communicating with students and parents regularly. The NYCDOE uses the same practices -- albeit poorly -- on Outlook. An audit trail exists in Vault for every accessed record. If someone were to use Vault for uncouth or harassing purposes, the audit history could be subpoenaed to illustrate this. It could also be stated that this inserts an additional layer between the school and the DOE re: investigations. All correspondence on professional accounts should be professional in nature.
  Helpful Links: https://support.google.com/vault/answer/2584132
  Risk Categories: Student safety, Faculty protection, Legal

Checkpoint: Add "Cloudlock for Google Drive" through Marketplace Apps
  Status: not yet started
  Quick Link to cPanel Section: see resources column
  Name of Topic or Admin Panel Section: Apps
  SubTab / Section: Marketplace Apps
  Priority: high
  Rationale for this setting: CloudLock is used to monitor FERPA compliance and, potentially, for offensive, hurtful, or embarrassing content that is public-facing. New Visions is covering the costs of CloudLock in year one.
  Helpful Links: https://docs.google.com/a/newvisions.org/document/d/1DFn8x19dh3CFCU_0jeRWm7PD-J_1tLssNn43m8Za_Z0/edit
  Risk Categories: Student privacy, Student safety, Legal

Checkpoint: Turn off Google Wallet, Google Reader, Google Desktop, Offers, Orkut, AdWords, Friend Connect, AdWordsXN, Advertising Professionals, AdSense for TV, Adsense, Ad Planner, DoubleClick, Partner Dash, Partner Program, Merchant Center, YouTube Partner Syndication, YouTube Promoted Videos for students (if applicable).
  Status: not yet started
  Quick Link to cPanel Section: Apps -> Additional Google Services -->
  Name of Topic or Admin Panel Section: Apps -> Additional Google Services
  Priority: low
  Rationale for this setting: These are tools that have no obvious use in an educational environment and could expose you to risks. Not all may be turned on in Additional Services.
  Risk Categories: Ineffective use

Checkpoint: Google Plus is enabled for faculty but NOT for students
  Status: not yet started
  Quick Link to cPanel Section: Apps -> Additional Google Services --> Google+
  Name of Topic or Admin Panel Section: Apps -> Additional Google Services
  SubTab / Section: Google+
  Priority: high
  Rationale for this setting: Google Plus is a phenomenal networked learning tool -- for staff. At this point the level of exposure it creates for students would require a school to have very strong culture and IT staffing to manage effectively. We remain open to the possibility of student G+ accounts in the future, but do not recommend at this time.
  Helpful Links: https://admin.google.com/AdminHome#AppDetails:service=gplus
  Risk Categories: Legal, Ineffective use

Checkpoint: Org settings: faculty -> make the default setting for new posts unrestricted. Students should be restricted if this service is turned on for them (not recommended at this time)
  Status: not yet started
  Quick Link to cPanel Section: Apps -> Additional Google Services --> Google+ -> Advanced settings
  Name of Topic or Admin Panel Section: Apps -> Additional Google Services
  SubTab / Section: Google+ -> Advanced settings
  Priority: high
  Rationale for this setting: Faculty need to be able to share on G+ outside the school.
  Risk Categories: Ineffective use

Checkpoint: Hangout options: For faculty: Allow Hangouts On Air.
  Status: not yet started
  Quick Link to cPanel Section: Apps -> Additional Google Services --> Google+ -> Advanced settings
  Name of Topic or Admin Panel Section: Apps -> Additional Google Services
  SubTab / Section: Google+ -> Advanced settings
  Priority: low
  Rationale for this setting: Faculty should be able to host live video broadcasts on YouTube -- a very exciting way to showcase student work, performances, etc.
  Risk Categories: Ineffective use

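Checkpoint: Only "performance suggestions and updates" and "feature announcements" should be checked.
  Status: not yet started
  Quick Link to cPanel Section: Company Profile --> Communication Preferences
  Name of Topic or Admin Panel Section: Company Profile
  SubTab / Section: Communication Preferences
  Priority: low
  Rationale for this setting: Targeted advertisements are inappropriate in the educational context.
  Risk Categories: Student privacy, Legal
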
Checkpoint:
    Change Sites to http://sites.mydomain.org (requires a CNAME record be added in the DNS provider control panel)
    Change Docs to http://drive.schooldomain.org (requires a CNAME record be added in the DNS provider control panel)
    Change Email to http://mail.schooldomain.org (requires a CNAME record be added in the DNS provider control panel)
    Change Calendar to http://calendar.schooldomain.org (requires a CNAME record be added in the DNS provider control panel)
  Status: not yet started
  Quick Link to cPanel Section: Company Profile --> Custom URLS
  Name of Topic or Admin Panel Section: Company Profile
  SubTab / Section: Custom URLS
  Priority: low
  Rationale for this setting: Removes one source of friction for users accessing these services. Much simpler URLs than the default URLs that Google provides.
  Helpful Links: Instructions for adding CNAME records based on provider.
  Risk Categories: Ineffective use

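Checkpoint: Time Zone -> Default set to GMT-05:00
  Status: not yet started
  Quick Link to cPanel Section: Company Profile --> Profile
  Name of Topic or Admin Panel Section: Company Profile
  SubTab / Section: Profile
  Priority: med
  Rationale for this setting: n/a
  Risk Categories: Ineffective use
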
Checkpoint: New User Features -> Rapid release
  Status: not yet started
  Quick Link to cPanel Section: Company Profile --> Profile
  Name of Topic or Admin Panel Section: Company Profile
  SubTab / Section: Profile
  Priority: low
  Rationale for this setting: New Visions will be developing and disseminating tools with the assumption that schools are using all of Google's latest releases. This feature release track is identical to that used for Gmail users, so new features have been very thoroughly tested prior to release.
  In-House Training Needs: Occasionally, the interface will change suddenly for users and may require a friendly announcement or mention.
  Risk Categories: Ineffective use

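Checkpoint: New Products -> Manual
  Status: not yet started
  Quick Link to cPanel Section: Company Profile --> Profile
  Name of Topic or Admin Panel Section: Company Profile
  SubTab / Section: Profile
  Priority: low
  Rationale for this setting: This is more of an issue if student accounts are on your domain. A new service may or may not comply with FERPA or your school's readiness to facilitate the service with students.
  Risk Categories: Legal
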
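Checkpoint: Upload custom school logo (up to 320 x 132 pixels)
  Status: not yet started
  Quick Link to cPanel Section: Company Profile --> Personalization
  Name of Topic or Admin Panel Section: Company Profile
  SubTab / Section: Personalization
  Priority: low
  Rationale for this setting: Allows your email inbox to be branded. Helps users distinguish between their school accounts and their personal Gmail account -- a very important legal and professional distinction.
  Risk Categories: Ineffective use
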
Checkpoint: Primary and secondary admin accounts are trusted entities who are employed at the school.
  Status: not yet started
  Quick Link to cPanel Section: Company Profile --> Profile
  Name of Topic or Admin Panel Section: Company Profile
  SubTab / Section: Profile
  Priority: high
  Rationale for this setting: The level of access to internal school business granted to a super-admin requires the principal to trust the discretion and judgment of the person(s) involved.
  Risk Categories: Legal

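Checkpoint: The newvisions.org domain is whitelisted on the school's domain.
  Status: not yet started
  Quick Link to cPanel Section: Domains --> Whitelisted External Domains
  Name of Topic or Admin Panel Section: Domains
  SubTab / Section: Whitelisted external domains
  Priority: high
  Rationale for this setting: Schools will be able to set up Google Classroom once this is in place.
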
Checkpoint: Domain admin knows how to get to Google Apps Admin Panel from inbox or from admin.google.com
  Status: not yet started
  Quick Link to cPanel Section: http://admin.google.com
  Name of Topic or Admin Panel Section: General
  Priority: high
  Rationale for this setting: Domain admin knows how to get to Google Apps Admin Panel from Google Apps universal navigation links or from admin.google.com
  Helpful Links: http://support.google.com/a/bin/answer.py?hl=en&answer=182076
  Risk Categories: Ineffective use

Checkpoint: Google Vault has been turned on for the domain
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Additional Google Services -> Apps Vault
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Additional Google Services -> Apps Vault
  Priority: high
  Rationale for this setting: Vault allows compliance with public employee records retention laws and protects teachers from false accusations by students in schools with student accounts. In the event of NYCDOE investigations, Vault allows for full discovery of all email and chat transcripts on specified users. It is critical that only the principal and other trusted parties at the school have admin rights in Vault.
  In-House Training Needs: Principal (and APs?) will need an overview of how Google Vault works. Faculty will need an explanation of this that treats them like adults: 99% of the time, this will afford teachers far more protection than using a non-archived email account, in particular if they are communicating with students and parents regularly. The NYCDOE uses the same practices -- albeit poorly -- on Outlook. An audit trail exists in Vault for every accessed record. If someone were to use Vault for uncouth or harassing purposes, the audit history could be subpoenaed to illustrate this. It could also be stated that this inserts an additional layer between the school and the DOE re: investigations. All correspondence on professional accounts should be professional in nature.
  Helpful Links: https://support.google.com/vault/answer/2584132
  Risk Categories: Student safety, Faculty protection, Legal

Checkpoint: Set the Google Vault email retention policy to "Retain data indefinitely"
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Additional Google Services -> Apps Vault
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Additional Google Services -> Apps Vault
  Priority: high
  Rationale for this setting: Retention period for email is unclear in NY State law and nowhere specified in the Chancellor's regs. Student records have a 10-year retention requirement, thus email should never be used to permanently house student records.
  In-House Training Needs: Principal (and APs?) will need an overview of how Google Vault works. Faculty will need an explanation of this that treats them like adults: 99% of the time, this will afford teachers far more protection than using a non-archived email account, in particular if they are communicating with students and parents regularly. The NYCDOE uses the same practices -- albeit poorly -- on Outlook. An audit trail exists in Vault for every accessed record. If someone were to use Vault for uncouth or harassing purposes, the audit history could be subpoenaed to illustrate this. It could also be stated that this inserts an additional layer between the school and the DOE re: investigations. All correspondence on professional accounts should be professional in nature.
  Risk Categories: Student safety, Faculty protection, Legal

Checkpoint: Outside school domain: for the students org unit only, set the highest level allowed to "Only free/busy information". For faculty, allow sharing to outsiders and allow outsiders to change calendars (permits development of shared space / resource calendars on multi-school campuses, public-facing school web calendar)
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Calendar -> Sharing settings
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Calendar -> Sharing settings
  Priority: med
  Rationale for this setting: Student calendars shouldn't be shared outside the domain -- or should they? Up to you ultimately. One could imagine students wanting to share their school calendars with their own Gmail selves or their parents.
  Helpful Links: http://support.google.com/a/bin/answer.py?hl=en&answer=60765
  Risk Categories: Ineffective use

Checkpoint: Internal Sharing Options: set internal Sharing options to "Share all information" for all organizations (students and staff)
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Calendar -> Sharing settings
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Calendar -> Sharing settings
  Priority: med
  Rationale for this setting: This makes it possible for all students and teachers to see one another's calendars, including details. This may seem too open, but is critical if there's a need for folks to see what classes someone is teaching, where someone is at a given time, what homework assignments a student is tracking, etc.
  Helpful Links: http://support.google.com/a/bin/answer.py?hl=en&answer=60765
  Risk Categories: Ineffective use

Checkpoint: Enable Calendar Labs for my users
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Calendar -> Sharing settings
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Calendar -> Sharing settings
  Priority: low
  Rationale for this setting: Labs is where Google Engineers showcase the coolest internal experiments at Google. These are features your users will have fun testing, and that may prove extremely useful.
  Helpful Links: http://support.google.com/a/bin/answer.py?hl=en&answer=1187241
  Risk Categories: Ineffective use

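Checkpoint: Google Classroom is on for everyone.
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Classroom
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Classroom
  Priority: med
  Rationale for this setting: Teachers can enable Classroom if necessary.
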
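Checkpoint: Classroom API is turned on.
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Classroom -> Data Access
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Classroom -> Data Access
  Priority: high
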
Checkpoint: All pending and verified teachers can create classrooms.
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Classroom -> General Settings
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Classroom -> General Settings
  Priority: med
  Rationale for this setting: Allows flexibility so that Classrooms Group does not need to be maintained to enable Classroom access. ** Go to Classrooms and add "staff@school.org" group **

Checkpoint: Your organization's users can join classes in whitelisted domains AND whitelisted domain users can join classes in your organization.
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Classroom -> Whitelisted Domains
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Classroom -> Whitelisted Domains
  Priority: high

Checkpoint: Enable contact sharing and "Show all email addresses" and "Show both domain profiles and domain shared contacts"
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Contacts -> Sharing settings
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Contacts -> Sharing settings
  Priority: med
  Rationale for this setting: Contact sharing means that ALL users on the domain are part of the autocomplete feature (i.e. you go to send an email and start typing a name and the email pops up) -- this radically improves the ease with which folks can communicate internally. For schools with student accounts, this means students can very easily contact their teachers.
  Risk Categories: Ineffective use

Checkpoint: Allow users to enable offline docs -> disable (can be configured at an OU level)
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Drive -> Data Access
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Drive -> Data Access
  Priority: med
  Rationale for this setting: Offline docs are a bad idea for schools, where most users are living on multiple machines or laptop carts, and where files may contain student data that you don't want living as a local copy on the device.
  Helpful Links: http://support.google.com/a/bin/answer.py?hl=en&answer=1642623&topic=2490099&ctx=topic
  Risk Categories: Ineffective use

Checkpoint: Do not allow Google Drive for Mac/PC in your organization. (This is because most machines in schools are shared machines. It can be configured at an OU level.)
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Drive -> Data Access
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Drive -> Data Access
  Priority: med
  Rationale for this setting: This is a desktop app that creates much confusion when used in schools, where users exist on many machines and locally-stored files and internet connections are not consistent.
  Helpful Links: http://support.google.com/a/bin/answer.py?hl=en&answer=2490101
  Risk Categories: Ineffective use

Checkpoint: Allow users to install Google Drive add-ons - YES
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Drive -> Data Access
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Drive -> Data Access
  Priority: med
  Rationale for this setting: There are many very useful Drive Apps for education, and teachers (and students) should be free to use them. Downside risk is that some apps may be games, etc. You can manage these Apps in the domain control panel if you want to.
  Helpful Links: https://chrome.google.com/webstore/category/collection/drive_apps
  Risk Categories: Ineffective use

Checkpoint: Outside this organization:
    Users can share documents outside the organization
    - Warn users when sharing outside the organization
    - Allow users to publish documents on the web or make them visible to the world as public or unlisted documents
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Drive -> Sharing settings
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Drive -> Sharing settings
  Priority: high
  Rationale for this setting: Unfortunately, this setting is all or nothing -- i.e. for schools with student accounts, this means students will have the ability to make documents public to the world. Leaving this enabled is key if the school wants to make documents available to parents and the community, or if you want student work to be published to external audiences. Fortunately CloudLock and Teacher Dashboard allow schools to effectively manage the associated risks by providing visibility to the teacher.
  Helpful Links: http://support.google.com/a/bin/answer.py?hl=en&answer=60781
  Risk Categories: Legal, Ineffective use

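Checkpoint: Sharing options --> turn OFF "allow users in youpd.org to publish files" for ALL OUs. Then go into the staff OU and turn this feature on.
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Drive -> Sharing settings
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Drive -> Sharing settings
  Priority: high
  Rationale for this setting: Prevents anyone but staff at the school from publishing Drive items.
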
Checkpoint: Link Sharing --> Off (Only the owner has access until he or she shares the file.)
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Drive -> Sharing settings
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Drive -> Sharing settings
  Priority: high
  Rationale for this setting: This just sets the default visibility of Docs. Important because you definitely don't want to default to visible when you are sharing a domain with students or when HR data lives alongside instructional data.
  Helpful Links: http://support.google.com/a/bin/answer.py?hl=en&answer=60781
  Risk Categories: Legal, Ineffective use

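Checkpoint: Templates -> Enable Templates for Drive
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Drive -> Templates
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Drive -> Templates
  Priority: low
  Rationale for this setting: Docs templates are useful.
  Helpful Links: https://drive.google.com/a/youpd.org/templates?pli=1#
  Risk Categories: Ineffective use
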
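Checkpoint: Enable Android, Google, and iOS sync for all OUs
  Status: not yet started
  Quick Link to cPanel Section: Device Management --> Setup
  Name of Topic or Admin Panel Section: Device Management
  SubTab / Section: Setup
  Priority: high
  Rationale for this setting: This ensures that a stolen mobile phone doesn't result in a breach of student privacy.
  Risk Categories: Security, Student privacy, Legal
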
Checkpoint: All core Google services (Mail, Calendar, Classroom, Drive, Contacts, Sites, Talk and Vault) are enabled for faculty/staff. We recommend the same settings for students provided the school has a student accounts rollout plan in place.
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Services
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Services
  Priority: high
  Rationale for this setting: For staff, all of these tools can be deeply useful in effective teaching and collaboration with colleagues. Even if you only use Mail at first, it's helpful to leave the other services turned on so early adopters on the staff can help lead the way toward fuller adoption.
    Whether to enable all of these same services for students is up to the judgment of the school. We recommend full enablement because these are incredible learning tools where the downside risks can be effectively managed by tools like CloudLock and Teacher Dashboard.
  Risk Categories: Ineffective use

Checkpoint: Domain MX Records should be
    Priority  Points to
    1         ASPMX.L.GOOGLE.COM.
    5         ALT1.ASPMX.L.GOOGLE.COM.
    5         ALT2.ASPMX.L.GOOGLE.COM.
    10        ASPMX2.GOOGLEMAIL.COM.
    10        ASPMX3.GOOGLEMAIL.COM.
    If not, these need to be set in the domain (DNS provider) control panel
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Settings for Gmail -> Advanced settings
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Settings for Gmail -> Advanced settings
  Priority: high
  Rationale for this setting: Incorrect MX record settings will result in the failure of the Email service in Google Apps.
  Helpful Links: http://support.google.com/a/bin/answer.py?hl=en&answer=174125
  Risk Categories: Ineffective use

Checkpoint: Leave POP and IMAP enabled
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Settings for Gmail -> Advanced settings
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Settings for Gmail -> Advanced settings
  Priority: low
  Rationale for this setting: This allows folks with Mac Mail, Outlook Client, Thunderbird, and Blackberry mobile devices to set up full sync with Google Apps Mail and Calendar.
  Helpful Links: http://support.google.com/a/bin/answer.py?hl=en&answer=105694
  Risk Categories: Ineffective use

Checkpoint: Automatic forwarding -> Disable
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Settings for Gmail -> Advanced settings
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Settings for Gmail -> Advanced settings
  Priority: high
  Rationale for this setting: Allowing faculty / students to forward to a secondary email account is counterproductive to the goal of creating user behavior centered on a legally-compliant cloud-based collaboration platform -- i.e. the one provided and administered by the school. Personal, commercial email providers have terms of service and data-mining practices that are not FERPA-compliant. Auto-forwarded documents that contain student records present an unacceptable risk. Faculty need to have this reality explained to them. Teachers whose primary work account has been a Gmail account will need to mothball those accounts and share their work accounts on all legacy documents.
  Helpful Links: http://support.google.com/a/bin/answer.py?hl=en&answer=2707558
  Risk Categories: Legal

Checkpoint: Email retention -> Do not delete email messages automatically.
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Settings for Gmail -> Advanced settings
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Settings for Gmail -> Advanced settings
  Priority: high
  Rationale for this setting: Emails are retained in Vault anyway. Retaining emails in people's inboxes / archives is extremely useful -- it means you can instantly search all your email going back to the dawn of Gmail adoption.
  Helpful Links: http://support.google.com/a/bin/answer.py?hl=en&answer=151128
  Risk Categories: Legal

Checkpoint: Objectionable Content: Filter for objectionable content on "student" organizational unit. Add custom objectionable words. Suggested list: shit,fuck,ass,bitch,nigga,nigger,cunt,slut,faggot. Set to reject message.
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Settings for Gmail -> Advanced settings -> Content compliance
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Settings for Gmail -> Advanced settings -> Content compliance
  Priority: med
  Rationale for this setting: This is not necessarily a CIPA compliance requirement, but not a bad idea. The policy described does not notify anyone -- but rather just prevents the email from going through -- hence it protects students without creating an additional burden on the dean's office. Only apply to students. Staff -- if they choose to use profanity in professional email -- should suffer the full consequences of having the recipient read it ;)
  In-House Training Needs: Students (if they have accounts) should be informed that email is filtered for profanity and blocked.
  Helpful Links: http://support.google.com/a/bin/answer.py?hl=en&answer=1346936&topic=2683824&ctx=topic
  Risk Categories: Student safety, Legal

Checkpoint: "staff" Organizational Units need FERPA boilerplate compliance footer (not needed on student org unit):
    "NOTICE: This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Permanent student records data is protected by federal law (FERPA), and shall not be disclosed except to the student, those with a defined educational responsibility for the student, and the parent(s) and legal guardians of the individual student. Please use due care when working with and sharing electronic records."
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Settings for Gmail -> Advanced settings -> General Settings -> Compliance
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Settings for Gmail -> Advanced settings -> General Settings -> Compliance
  Priority: high
  Rationale for this setting: Outbound emails may inadvertently contain student records as a result of user error. This helps to inform the recipient that they are legally responsible to notify the sender in the case of error, and that further disclosure is illegal. Important. Do not apply this to student accounts. Only staff.
  Helpful Links: http://support.google.com/a/bin/answer.py?hl=en&answer=2364576
  Risk Categories: Legal

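Checkpoint: Enable Labs
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Settings for Gmail -> Labs
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Settings for Gmail -> Labs
  Priority: low
  Rationale for this setting: Labs is where Google Engineers showcase the coolest internal experiments at Google. These are features your users will have fun testing, and that may prove extremely useful.
  Helpful Links: https://support.google.com/mail/answer/29418?hl=en
  Risk Categories: Ineffective use
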
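Checkpoint: Enable custom templates.
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Sites -> Templates
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Sites -> Templates
  Priority: low
  Rationale for this setting: Templates are useful.
  Risk Categories: Ineffective use
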
Checkpoint: Sharing options -> Users can share outside domain but will receive a warning each time. Users can make sites public.
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Sites -> Access Settings
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Sites -> Access Settings
  Priority: med
  Rationale for this setting: Public sites are important to most schools. Sites can be used to build the school's primary website, for club sites, etc.
  Helpful Links: http://support.google.com/a/bin/answer.py?hl=en&answer=90919&topic=25685&ctx=topic
  Risk Categories: Legal, Ineffective use

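Checkpoint: Site Creation -> Allow faculty and students to create sites
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Sites -> Sharing Settings
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Sites -> Sharing Settings
  Priority: med
  Rationale for this setting: Sites are great. Cloudlock can be set to monitor their content for inappropriate language, etc. if that's a worry.
  Risk Categories: Ineffective use
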
Checkpoint: Default Site Visibility -> Users at school.org can find and edit sites
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Sites -> Sharing Settings
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Sites -> Sharing Settings
  Priority: med
  Rationale for this setting: You want your sites visible to others in the org, generally. Be VERY CAREFUL when creating a private site for faculty only that you change the setting to private and share only with faculty.
  Helpful Links: http://support.google.com/a/bin/answer.py?hl=en&answer=1751957
  Risk Categories: Ineffective use

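Checkpoint: Set option for online chat to "Google Talk only" (the new Hangouts product IS NOT COMPATIBLE WITH GOOGLE VAULT).
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Talk/Hangouts -> Advanced settings
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Talk/Hangouts -> Advanced settings
  Priority: high
  Rationale for this setting: The new Hangouts product, however awesome, is incompatible with Google Vault -- a key part of your public employee records retention strategy.
  Risk Categories: Legal
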
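Checkpoint: DO NOT disable chat history, which would make chats "off the record"
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Talk/Hangouts -> Advanced settings
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Talk/Hangouts -> Advanced settings
  Priority: high
  Rationale for this setting: Chats can be taken off the record.
  Risk Categories: Student safety, Legal
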
Checkpoint: For students ONLY: disable "Display users' chat status outside domain"; disable "Users can chat with other users outside domain". These can be left as enabled for faculty.
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Talk/Hangouts -> Advanced settings
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Talk/Hangouts -> Advanced settings
  Priority: high
  Rationale for this setting: You want students to chat internally with other personally identifiable school users whose chats will be archived -- not with anonymous outsiders. The latter option is very disruptive.
  Risk Categories: Student safety, Legal

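Checkpoint: Chat invitations -> enable "Automatically accept chat invitations between users within domain"
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Talk/Hangouts -> Advanced settings
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Talk/Hangouts -> Advanced settings
  Priority: med
  Rationale for this setting: Makes chatting between members of the school community much more seamless.
  Risk Categories: Ineffective use
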
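Checkpoint: Enable all additional services
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Talk/Hangouts -> Advanced settings
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Talk/Hangouts -> Advanced settings
  Priority: low
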
Checkpoint: Resources -> Create resources for rooms, technology items, and anything else the school would want to make available on the school calendar
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Calendar -> Resources
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Calendar -> Resources
  Priority: med
  Rationale for this setting: Allows for folks to schedule resources (laptop carts, etc.) along with calendar events. This is one way (though not the only way) to handle technology reservations.
  In-House Training Needs: Folks would need to be trained on how to reserve resources when using Google Calendar.
  Helpful Links: http://support.google.com/a/bin/answer.py?hl=en&answer=1686462&topic=1034362&ctx=topic
  Risk Categories: Ineffective use

Checkpoint: Make note: this is where you will transfer document ownership to a role account (archives@myschool.org) when staff leave the organization
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Drive -> Transfer Ownership
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Drive -> Transfer Ownership
  Priority: high
  Rationale for this setting: Critical for preserving the Docs and other assets of a departing employee. Deleting a user account without transferring ownership to a role account is a really bad idea. This is one of the best (hidden) reasons to be using Apps for EDU instead of Gmail accounts. You get to preserve what gets made at the school. (Obviously -- circumstances allowing -- the departing employee should also have the opportunity to share / download / copy their stuff prior to losing access to their account.)
  In-House Training Needs: Flashpanel for Google Apps may prove to be a worthwhile add-on (free) to opt for in managing user accounts.
  Helpful Links: http://www.flashpanel.com/feature/deprovisioning-a-user/
  Risk Categories: Ineffective use

Checkpoint: Add new web address. Set up PRIVATE staff.myschool.org Site and set up web address mapping.
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Sites -> Web Address Mapping
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Sites -> Web Address Mapping
  Priority: high
  Rationale for this setting: Allows you to create a curated space for staff resources -- principal's memo, forms, curriculum docs, meeting agendas, school calendar, data dashboard, etc. -- that grows over time.
  Helpful Links: https://support.google.com/sites/answer/99448?hl=en
  Risk Categories: Ineffective use

Checkpoint: For faculty: Password Settings --> Require users to set passwords on their devices.
  Status: not yet started
  Quick Link to cPanel Section: Google Apps --> Mobile Management -> Device management settings
  Name of Topic or Admin Panel Section: Google Apps
  SubTab / Section: Mobile Management -> Device management settings
  Priority: high
  Rationale for this setting: This ensures that a stolen mobile phone doesn't result in a breach of student privacy.
  Risk Categories: Security, Student privacy, Legal

Checkpoint: Restricted groups are created for staff, grade level teams, department teams, school leadership team, admin team.
  Status: not yet started
  Quick Link to cPanel Section: Groups -->
  Name of Topic or Admin Panel Section: Groups
  Priority: high
  Rationale for this setting: Groups are a critical part of using Gmail and Drive effectively in a school -- a single email address e.g. "staff@myschool.org" allows for a memo to be sent, a Doc to be shared, etc. Setting these teams as "restricted" helps keep out spammers or flamers from outside the group.
  In-House Training Needs: Staff need to be made aware of the existence and power of groups. Create a list of groups for distribution to staff.
  Risk Categories: Ineffective use

Checkpoint: Announcement-only groups are created for students by grade level (i.e. grade9students, grade10students, etc.) One "allstudents" group exists (composed of all grade level groups - nested groups are possible)
  Status: not yet started
  Quick Link to cPanel Section: Groups -->
  Name of Topic or Admin Panel Section: Groups
  Priority: high
  Rationale for this setting: Groups are incredibly useful for communicating important news / opportunities with the student body. Making them announcement only is important to avoid abuse. Faculty should be set as "owner" on these announcement groups so that they can send to them.
  In-House Training Needs: Staff need to be made aware of the existence and power of groups. Create a list of groups for distribution to staff.
  Risk Categories: Ineffective use

Checkpoint: School has a plan to distribute and collect teacher signatures on FERPA affidavit at the beginning of each school year.
  Status: not yet started
  Findings: https://docs.google.com/a/newvisions.org/forms/d/1FdDUpaF70Bgc8AJqUp_AMobvftsA2mciPNetJAFTgeQ/copy
  Quick Link to cPanel Section: see resources column
  Name of Topic or Admin Panel Section: Legal Compliance Docs
  SubTab / Section: Faculty user accounts
  Priority: high
  Rationale for this setting: FERPA affidavit contains specific guidance around the secure / private use of Google Drive when handling student records. Part of an overall strategy for FERPA compliance in the cloud.
  In-House Training Needs: Someone will need to distribute and collect these affidavits from staff, answer questions, etc. -- ideally this is part of faculty training on the tool. All new staff will need to sign this as part of onboarding. All new accounts will need to have this signed. These signatures need to be tracked. Perhaps this could be done via Google Form!
  Helpful Links: https://docs.google.com/a/newvisions.org/document/d/1-wNfCKK_UtCOKWfrAnyC22Y9XWQHzcVAyOyQAndcUgQ/edit
  Risk Categories: Student privacy, Legal

Checkpoint: If the school plans to furnish accounts to users under the age of 13, the school has a plan to get a COPPA-compliant parental consent form on file. Not a bad idea to do for all students, as it clarifies acceptable use, photo/work sharing expectations, and FERPA for parents.
  Status: not yet started
  Quick Link to cPanel Section: see resources column
  Name of Topic or Admin Panel Section: Legal Compliance Docs
  SubTab / Section: Student user accounts
  Priority: high
  Rationale for this setting: This is a federal law that you should probably comply with. Technically, Google Apps for EDU does no data mining, nor do they use student info for commercial purposes, so this is just an extra layer of protection and a good idea for all students.
  Helpful Links: https://docs.google.com/document/d/1bApAajasXbA7kKFx1Lluh_eJHt8epy6hTEp_z2vIoJQ/edit
  Risk Categories: Legal

Turn ON API access (this will be used by scripts and 3rd party products at a later date to help ease the burdens of account management) | not yet started | Security-->API reference | Security | API reference | high | The user provisioning API will allow you to use New Visions scripts like the ATS-Google Account Sync Tool and the chromebookInventory tool to help you manage student user accounts, groups, and devices. | Ineffective use
Adjust password setting -> minimum length of 8. Ensure that your super admin accounts have PW complexity of at least 14 characters | not yet started | Security-->Basic Settings | Security | Basic Settings | high | Passwords can be easily hacked these days. Complexity is important. If someone hacks your super admin account, you've got big problems. | http://support.google.com/a/bin/answer.py?hl=en&answer=139399 | Student privacy, Security
Allow users to turn on 2-step verification. Strongly encourage all staff, in particular domain admins and folks with lots of data access, to do this to protect the security of their accounts. | not yet started | Security-->Basic Settings | Security | Basic Settings | high | 2-step verification is the gold standard in password protection of data -- it requires the user to enter a secure, 6-digit code each time they log into a new machine. It's what Google requires of its own employees. If you plan on using Google Drive to host a lot of student data, you should strongly encourage all of your staff to enroll in 2-step. | http://support.google.com/a/bin/answer.py?hl=en&answer=175197 | Student privacy, Security
Note location for Google Apps customer support PIN and phone numbers. | not yet started | Support-->Google Apps | Support | Google Apps | low | You can't get Google Support without a PIN
Staff and students are segmented into different Organizational Units (OUs). We recommend having the following OU structure:

- staff
- former staff
- active students
- student alumni
- transferred students

| not yet started | Users-->Users | high | Critical for differentiating which services are turned on and which are not for specific subsets of users. Also used by Cloudlock policy. | http://support.google.com/a/bin/answer.py?hl=en&answer=182433 | Ineffective use, Student privacy, Student safety, Legal
A different username convention is used for teachers and students. We recommend staff use first letter, followed by last name (e.g. jsmith) or same username as NYCDOE. We recommend students use first name followed by first letter of last name, followed by last 4 of OSIS number (e.g. johns3678) | not yet started | Users-->Users | high | Critical for ensuring that doc sharing and emails are sent to the correct recipients -- inadvertent sharing with students is much less likely if their usernames follow a different pattern. | Ineffective use, Student privacy, Legal
Student usernames are identifiable from within the community, but are anonymous for the purposes of external audiences. (e.g. tiffanys4356@myschool.org) | not yet started | Users-->Users | med | Lets students publish content under their username without exposing their full identity. | Ineffective use, Student privacy, Student safety, Legal
Teacher usernames are identifiable both inside and outside the organization (e.g. jsmith@myschool.org) for the sake of parent communication. | not yet started | Users-->Users | high | Makes it easy for students to reach teachers via email. Distinguishes teachers from students. | Ineffective use, Legal
I know how to bulk upload NEW users from a CSV file, and how to use the control panel to put users into the correct organizational units. For student account creation and management in the NYCDOE, we recommend employing the ATS-Google Account Sync tool. See http://cloudlab.newvisions.org/add-ons/ats-google-account-sync | not yet started | Users-->Users | high | Adding users one at a time is for suckers! | http://support.google.com/a/bin/answer.py?hl=en&answer=40057 | Ineffective use
I know the difference between a GROUP and an ORGANIZATIONAL UNIT | not yet started | Users-->Users | high | These are VERY different entities. Groups are sharing and communication entities for users, OUs are service access and configuration control entities for administrators. | https://support.google.com/a/answer/33329?hl=en https://support.google.com/a/answer/2655363?hl=en | Ineffective use, Student privacy, Student safety, Legal
I know how to deactivate (suspend) a user account (different from DELETE). In general, to avoid the loss of shared docs, calendars, and other resources we recommend against account deletion. | not yet started | Users-->Users | med | Deleting a user account willy-nilly (e.g. without transferring ownership) is BAD. On occasion, you will probably have to deactivate accounts for disciplinary purposes. | http://www.flashpanel.com/feature/deprovisioning-a-user/ | Ineffective use
GAFE Usage Analytics | not yet started | high | tinyurl.com/nvgafeaudit
Configure CloudLock settings for your school | not yet started | see resources column | high | https://docs.google.com/a/newvisions.org/file/d/0B7nwP6La7RszbjlFYkF3WDNsODA/edit | Student privacy, Student safety, Legal