8. Treat data systems as valuable organizational assets
The network manager called the chief information officer at 11:00 p.m. "You're never going to believe this, but a
tech assistant fried our database." The CIO rolled her eyes. "How many times do we need to tell people they can't
touch that equipment?" "Well, to be fair, it was a new employee—but you're right, it is an ongoing problem." The CIO
then asked, "But why are you calling me? You know how to access the offsite backup files as well as I do." "That's
the second part of the problem," the network manager confessed. "I know there is no excuse for it, but I wanted to
leave a little early on Friday and figured I could have the backup tapes sent in on Monday. I meant to do it first thing
Monday morning, but a data request from the superintendent came in and I just lost track of time. I know I fouled
up, but we don't have an offsite backup for the last two weeks." The CIO was very angry, but knew that the network
manager appreciated the magnitude of the mistake and that a reprimand wouldn't help. "Well, we're going to need to
hire specialists and get the system fixed." "But that's going to cost several thousand dollars," the network manager
interjected. "I know," the CIO said. "But tell me our other options?"
Education organizations spend a great deal of money on systems for collecting,
storing, accessing, using, and sharing data. In addition to these infrastructure expenses,
there are significant human resource costs for collecting and managing data. Collection
instruments, including assessments and survey forms, for example, must be carefully
designed by highly skilled professionals. The administration of these assessments and
surveys—beginning with the delivery of the materials and ending with verification and
validation activities—requires many staff hours and represents a substantial investment.
Moreover, many education organizations build or rent climate-controlled
contract with offsite backup storage services, employ elaborate encryption algorithms,
mandate restrictive user authentication schemes, conduct criminal background checks
on staff, and engage in robust destruction techniques at the end of a piece of data's
useful life. Education data are clearly a valued asset or they would not warrant this
This canon is probably violated unintentionally as often as it is willfully broken.
Failure to follow procedures that protect data and data systems—or failure to anticipate
potential threats to these—can cause as much damage as any deliberate sabotage.
In addition to the loss of resources when a data system must be replaced
or repaired because of negligent behavior, there is the issue of data security. It is
practically impossible to retrieve data after they have been released electronically. Once
someone's private information has been shared over the Internet, it will never again be
private. Moreover, when information is lost, damaged, or otherwise unavailable when
needed, there can be serious effects on the operation of an education organization.
What happens when a teacher cannot download a lesson plan in time to inform
instructional choices for students sitting in his classroom? Or when a school nurse
cannot find a sick kindergartner's home telephone number quickly? What
would happen in the aftermath of a tornado or other catastrophe if a school principal
could not access the morning's attendance information to account for every student
after a building evacuation?
A wide range of people and events threaten data, including
- natural conditions such as fire, flood, lightning, or humidity;
- intentional acts, including malicious hackers and computer viruses;
- routine or unintentional actions, such as unwittingly placing a coffee cup
on a server or leaving a password taped to a computer monitor.
Data must be protected from these and other threats by means of a wide range of
physical, software, hardware, and access security measures. Countermeasures include
a host of processes and products intended to prevent, deter, contain, and detect
problems, as well as recover data when needed. However, while we rely on traditional
technical and data management solutions to security concerns, these security
procedures are implemented by individuals who must follow a professional ethic that
recognizes their responsibilities as stewards of the organization's information resources.
Recommended Practices and Training
- Document all security procedures including
  - system access procedures;
  - encryption procedures and algorithms;
  - data exchange protocols with partners (schools, districts, state education
    agencies, intermediate units, application service providers, etc.);
  - metadata (data about data) concerning technologies, methods, operations, and
    data elements; and
  - other security procedures you may have.
- Establish a thorough and robust security plan based on an extensive risk assessment,
threat analysis, and countermeasure strategy for the entire organization.
- Establish procedures that ensure adherence to security procedures for all forms of
data, including digital and print records.
- Employ physical security measures without exception. For example, never prop
open the door to the server room when it is supposed to stay locked, and install
locks and other surveillance tools to prevent unauthorized entry into secure
- Follow all security requirements related to the use of mobile data storage
devices, including laptop computers, handhelds, portable disk drives (e.g.,
jump drives), etc.
- Use required transmission protocols for all forms of data exchange, including
transfers of data tapes and email. This often includes the use of encryption and
- Back up data responsibly. Although the organization may engage in offsite
storage, individual users must be sure to store data in proper formats, in
designated locations, and with appropriate testing and verification.
- Never allow data handlers to access data that are not required for their work.
- Never allow data handlers to share their passwords or other authentication
information with other users who may not have the same access privileges.
- Never allow data handlers to use shortcuts or unauthorized channels for
accessing the organization's systems and networks, whether onsite or remotely.
- Destroy data that have reached the end of their useful life.
- Review and reauthorize user access privileges at least once a year.
- Train all data users about their data security responsibilities.
- Thoroughly orient new employees to security procedures, and make sure
they understand their responsibilities and repercussions for failing to observe
- Include security training for staff and volunteers who have access to the
organization's information system. This should include what to do to protect
hardware and software as well as protecting information.