Hi, the teaching staff involve in a moodle site are keen to see their online discussions on sensitive content (e.g. developing questions for the forthcoming exams, students marks and grades, etc.) are safe and their IT colleagues have moved their moodle to a location to be accessed via https instead of http. Would the teachers be able to have peaceful sleeps now? What should (or shouldn't) the teachers ( or their IT counterparts) do to avoid wakening in midnight again? Looking forward to hear your advice, cheers.
Hi James, you're talking about a potentially very big area, but off the top of my mind, take a look at: https://docs.moodle.org/33/en/Security
and:
1) Make sure the web and database servers are configured securely. This will depend on what operating system and database is used so can't make any specific recommendations, but general web hardening practices apply to Moodle servers.
2) Make sure someone is periodically auditing access rights, ie: who has access to what and should they still have access (ie: have they left? Did they move to another group within the school that shouldn't have access anymore?)
3) Make sure everyone is aware of secure processes.. ie: that they are not sending excel files around to public email provider accounts, accidentally uploading files to places where they shouldn't be, etc. A good chunk of security is training and awareness. You can have all the technical security in place, but that won't stop someone from posting/sending the information in the wrong place by accident or giving access to the wrong person.