Skip Navigation
Chapter 1 Chapter 2 Chapter 3 Chapter 4 Chapter 5 Chapter 6 Chapter 7 Chapter 8 Chapter 9 Chapter 10
Table of Contents Glossary of Terms
CHAPTER 6
Protecting Your System: Information Security
 
 
Illustration of the Cover of Safeguarding Your Technology
 
Chapter 6 in a Nutshell:
Introduction to Information Security
Commonly Asked Questions
Policy Issues
Information Security Countermeasures
Information Security Checklist
 

The terms data and information are often used synonymously, but information refers to data that have meaning. For example, "87 percent" is data. It has no meaning by itself until it is reported as a "graduation rate," and then it becomes information.

 
Introduction to Information Security

As stated throughout this document, one of an organization's most valuable assets is its information. Local, state, and federal laws require that certain types of information (e.g., individual student records) be protected from unauthorized release (see Appendix B for a FERPA Fact Sheet). This facet of information security is often referred to as protecting confidentiality. While confidentiality is sometimes mandated by law, common sense and good practice suggest that even non-confidential information in a system should be protected as well-not necessarily from unauthorized release as much as from unauthorized modification and unacceptable influences on its accessibility.

Components of Information Security20
Confidentiality: Preventing unauthorized disclosure and use of information
Integrity: Preventing unauthorized creation, modification, or deletion of information
Availability: Preventing unauthorized delay or denial of information

back to topback to home page

 
Commonly Asked Questions   Commonly Asked Questions

Q. If an organization maintains physical, software, and user access security, isn't information security addressed by default?
A. Yes and no. Information backups and their storage are surely safer when the building is secure, software is used properly, and unauthorized users are effectively restricted. However, these security features are meaningless if the information that is being backed up and stored wasn't maintained in a sound way in the first place. While there is no doubt that physical, software, and user access security strategies all contribute to protecting information, ignoring those initiatives that are aimed directly at securing information is not a wise plan.

 
 

While encryption prevents others from reading your information, encrypted files can still be damaged or destroyed so that they are no longer of any use to you.

 

Q. Isn't there software that can protect my information?
A. Yes, a variety of software products can help your organization in its effort to secure its information and system, but only a thorough, well-conceived, and committed effort to develop and implement an overarching security plan will prove effective in the long run.

Q. Doesn't it make sense to just go ahead and encrypt all information?
A. Not necessarily. Encryption and decryption are time consuming. If information is confidential, then additional time for encrypting and decrypting makes sense. But if the files aren't confidential, why would you slow down processing speed for an unnecessary step? And while encryption is a good practice for sensitive information or information that is being transmitted over unsecured lines, it should be noted that it is not a complete security strategy in itself. Encrypting information protects files from breaches in confidentiality, but the risks of unauthorized or accidental modification (including destruction) and/or denial of use are still real.

back to topback to home page

 

Guidelines for security policy development can be found in Chapter 3.
  Policy Issues

Perhaps more than any other aspect of system security, protecting information requires specific procedural and behavioral activities. Information security requires that data files be properly created, labeled, stored, and backed up. If you consider the number of files that each employee uses, these tasks clearly constitute a significant undertaking. Policy-makers can positively affect this effort by conducting an accurate risk assessment (including properly identifying sensitive information maintained in the system). They should also provide organizational support to the security manager as he or she implements and monitors security regulations. The security manager must be given the authority and budget necessary for training staff appropriately and subsequently enforcing information security procedures at all levels of the organizational hierarchy.

A final consideration for policy-makers is information retention and disposal. All information has a finite life cycle, and policy-makers should make sure that mechanisms are in place to ensure that information that is no longer of use is disposed of properly.

 

As discussed more completely in Chapter 2, a threat is any action, actor, or event that contributes to risk.

 
Information Threats (Examples)

As discussed more completely in Chapter 2, a threat is any action, actor, or event that contributes to risk. Examples of information threats include:

  • Natural events (e.g., lightning strikes, and aging and dirty media)
  • Intentional acts of destruction (e.g., hacking and viruses)
  • Unintentionally destructive acts (e.g., accidental downloading of computer viruses, programming errors, and unwise use of magnetic materials in the office)

back to topback to home page

 
 


A countermeasure is a step planned and taken in opposition to another act or potential act.

   

Information Security Countermeasures

The following countermeasures address information security concerns that could affect your site(s). These strategies are recommended when risk assessment identifies or confirms the need to counter potential breaches in your system's information security.

Countermeasures come in a variety of sizes, shapes, and levels of complexity. This document endeavors to describe a range of strategies that are potentially applicable to life in education organizations. In an effort to maintain this focus, those countermeasures that are unlikely to be applied in education organizations are not included here. If after your risk assessment, for example, your security team determines that your organization requires high-end countermeasures like retinal scanners or voice analyzers, you will need to refer to other security references and perhaps hire a reliable technical consultant.

 
   
Something you should do.  

Transmit Information Securely (including e-mail):

  • Use e-mail only for routine office communication: Never send sensitive information as e-mail. If e-mail absolutely must be used, encrypt the file and send it as an attachment rather than in the text of the e-mail message.

  • Encrypt everything before it leaves your workstation: Even your password needs to be encrypted before leaving the workstation on its way to the network server-otherwise it could be intercepted as it travels network connections.

  • Physically protect your data encryption devices and keys: Store them away from the computer but remember where you put them. Use the same common-sense principles of protection you should be giving your bank card's personal identification number (PIN).

  • Inform staff that all messages sent with or over the organization's computers belong to the organization: This is a nice way of saying that everything in the office is subject to monitoring.

  • Use dial-up communication only when necessary: Do so only after the line has been satisfactorily evaluated for security. Do not publicly list dial-up communication telephone numbers.

  • Confirm that outside networks from which there are dial-ins satisfy your security requirements: Install automatic terminal identification, dial-back, and encryption features (technical schemes that protect transmissions to and from off-site users).

  • Verify the receiver's authenticity before sending information anywhere: Ensure that users on the receiving end are who they represent themselves to be by verifying:

    1. Something they should know-a password or encryption key; this is the least expensive measure but also the least secure.

    2. Something they should have-for example, an electronic keycard or smart card.

  • Something they are-biometrics like fingerprinting, voice recognition, and retinal scans; these strategies are more expensive but also more secure.

  • Consider setting up pre-arranged transmission times with regular information trading partners: If you know to expect transmissions from your trading partners at specific times and suddenly find yourself receiving a message at a different time, you'll know to scrutinize that message more closely. Is it really your trading partner sending the message? Why has the pre-arranged time been ignored? Has the message been intercepted and consequently knocked off schedule?

  • Maintain security when shipping and receiving materials: When sending sensitive information through the mail, or by messenger or courier, require that all outside service providers meet or exceed your security requirements.
  •  

    Select only those countermeasures that meet perceived needs as identified during risk assessment and support security policy.
       

    Countermeasures like biometrics are probably beyond the realm of possibility (and necessity) in most, if not all, education organizations.
       
      Pre-arranged transmission times set for the middle of the night (e.g., 1:37 a.m.) may seem odd, but they can increase security because there is less traffic on telephone lines and fewer hackers snooping around at such odd hours.
       

    Something you should do.
     
    Present Information for Use in a Secure and Protected Way:

    • Practice "views" and "table-design" applications: A "view" selects only certain fields within a table of information for display, based on the user's access rights. Other table fields are excluded from the user's view and are thus protected from use. For example, although a school record system may contain a range of information about each student, Food Services staff can view only information related to their work and Special Education staff can view only information related to their work. This type of system maintains information much more securely than traditional paper systems, while at the same time increasing statistical utility and accountability options.

    • Use "key identifiers" to link segregated information: If record information is maintained in a segregated manner (e.g., testing files are kept in a different database than special education files) for security purposes, a common file identifier (e.g., a Social Security Number) can be used to match records without unnecessarily divulging the identity of individuals and compromising confidentiality.
     

    Something you should do.
     
    Back up Information Appropriately (see Chapter 4):

    • Back up not only information, but also the programs you use to access information: Back up operating system utilities so that you retain access to them even if your hard drive goes down. Also maintain current copies of critical application software and documentation as securely as if they were sensitive data. Caution: Some proprietary software providers may limit an organization's legal right to make copies of programs, but most allow for responsible backup procedures. Check with your software provider.

    • Consider using backup software that includes an encryption option when backing up sensitive information: Encryption provides additional security that is well worth the extra effort, since it ensures that even if unauthorized users access your backup files, they still can't break confidentiality without also having access to your encryption key. If you adopt this recommendation, be sure to change your encryption key regularly.

    • Verify that your backups are written to the disk or tape accurately: Choose a backup program that has a verification feature.

    • Rotate backup tapes: Although backup tapes are usually quite reliable, they tend to lose data over time when under constant use. Retire tapes after two to three months of regular use (i.e., about 60 uses) to a backup activity that requires less regular use (e.g., program backups). Also note that routine tape drive cleaning can result in longer tape life.

    • Maintain a log of all backup dates, locations, and responsible personnel: Accountability is an excellent motivator for getting things done properly. Remember to store the logs securely.

    • Avoid over-backing up: Too many backup files can confuse users and thereby increase the possibility of exposing sensitive information. Clear hard drives, servers, and other storage media that contain old backup files to save space once you have properly secured (and verified) the last complete and partial backup.

    • Test your backup system: This point has been made numerous times throughout the document, but it truly cannot be overemphasized!

    I'm trying to back up the system, but I can't find the reverse gear on this thing.

     

    Many organizations prefer that users back up only their own data files-leaving software and operating system backups in the responsible hands of the security manager or system administrator.
       
    Something you should do.   Store Information Properly (see Chapter 5):
    • Apply recommended storage principles as found in this document to both original and backup files alike: Backup files require the same levels of security as do the master files (e.g., if the original file is confidential, so is its backup).

    • Clearly label disks, tapes, containers, cabinets, and other storage devices: Contents and sensitivity should be prominently marked so that there is less chance of mistaken identity.

    • Segregate sensitive information: Never store sensitive information in such a way that it commingles with other data on floppy disks or other removable data storage media.

    • Restrict handling of sensitive information to authorized personnel: Information, programs, and other data should be entered into, or exported from, the system only through acceptable channels and by staff with appropriate clearance.

    • Write-protect important files: Write-protection limits accidental or malicious modification of files. Note that while write-protection is effective against some viruses, it is by no means adequate virus protection in itself.

    • Communicate clearly and immediately about security concerns: Train staff to promptly notify the system administrator/security manager when data are, or are suspected of being, lost or damaged.

    • Create a media library if possible: Storing backups and sensitive material in a single location allows for security to be concentrated (and perhaps even intensified). Note, however, that an on-site media library is not a substitute for off-site backup protection.
     
       

    It Really Happens!

    As Principal Brown's secretary, Marsha didn't have time for all the difficulties she was having with her computer--well, it wasn't really her computer that was having problems, but her most important files (and that was worse). Fed up with having to retype so many lost files, she finally called in the vendor who had sold the school all of its equipment. The vendor appeared at her office promptly and asked her to describe the problem.

    "Well," Marsha explained, "I keep a copy of all of my important files on a 3 1/2 inch disk, but when I go to use them, the files seem to have disappeared. I know that I'm copying them correctly, so I just can't understand it. I don't know if it's the word processing software or what, but I'm tired of losing all of my important files."

    The vendor asked whether it was possible that Marsha was using a bad disk. "I thought about that," she replied as if prepared for the question, "but it has happened with three different disks. It just has to be something else." Marsha reached for a disk that was held to the metal filing cabinet next to her desk by a colorful magnet. "You try it."

    "That's a very attractive magnet," the vendor said as Marsha handed over the disk. "Do you always use it to hold up your disks?"

    "Yes, it was a souvenir from Dr. Brown's last conference. I just think it's beautiful. Thanks for noticing."

    "It is beautiful," the vendor replied, "but you know that it's also the root of all your problems. Every time you expose a disk to that magnet, it erases the files. That's just the way magnets and computer disks get along-like oil and water. Try storing the disk away from the magnet and your troubles, not your files, will soon disappear."

     
    Something you should do.  

    Dispose of Information in a Timely and Thorough Manner:

    • Institute a specific information retention and disposal policy as determined by the organization's needs and legal requirements: All data have a finite life cycle. Consult local, federal, and state regulations for guidance before implementing the following:

    • Establish a realistic retention policy.

    • Mark files to indicate the contents, their expected life cycle, and appropriate destruction dates.

    • Do not simply erase or reformat media, but overwrite it with random binary code. Sophisticated users can still access information even after it has been erased or reformatted, whereas overwriting actually replaces the discarded information.

    • Consider degaussing (a technique to erase information on a magnetic media by introducing it to a stronger magnetic field) as an erasure option.

    • Burn, shred, or otherwise physically destroy storage media (e.g., paper) that cannot be effectively overwritten or degaussed.

    • Clean tapes, disks, and hard drives that have stored sensitive data before reassigning them: Never share disks that have held sensitive data unless they have been properly cleaned. Also remember to clean magnetic storage media before returning it to a vendor for trade-ins or disposal.

    It Really Happens!

    Trent couldn't believe his eyes. Displayed before him on a monitor in the high school computer lab were the grades of every student in Mr. Russo's sophomore English classes:

    Student Name Grades Comments
    Linda Foster: C-, C, C+, C Improving slightly, but unable to make sufficient gains; a candidate for learning disability testing?

    All Trent had done was hit the "undelete" function in the word processing software to correct a saving mistake he had made, and suddenly a hard drive full of Mr. Russo's files were there for the taking. Luckily for Mr. Russo, his sophomores, and the school, Trent realized that something was very wrong. He asked the lab supervisor, Ms. Jackson, where the computers had come from.

    "Most of them have been recycled," she admitted. "Teachers and administrators were given upgrades this year, so their old machines were put to good use in the labs. They should still be powerful enough to handle your word processing. Why?"

    Trent showed Ms. Jackson what he had uncovered about the sophomore English students. She gasped, "Oh my goodness, they gave us all these computers without clearing the hard drives properly. I bet it's that way across the district. Trent, you may have just saved us from a potentially disastrous situation. That information is private and certainly shouldn't be sitting here for anyone in the computer lab to see. I've got some phone calls to make!"

    back to topback to home page

     

    Retaining data beyond its useful life exposes the organization to unnecessary risk.21
       

    Even if a vendor replaces a hard drive, require that the old one be returned so that you can verify that it has been cleaned and disposed of properly.
       
     


    Information Security Checklist

    While it may be tempting to refer to the following checklist as your security plan, to do so would limit the effectiveness of the recommendations. They are most useful when initiated as part of a larger plan to develop and implement security policy throughout an organization. Other chapters in this document also address ways to customize policy to your organization's specific needs-a concept that should not be ignored if you want to maximize the effectiveness of any given guideline.

       
    Security Checklist for Chapter 6
    The brevity of a checklist can be helpful, but it in no way makes up for the detail of the text.
       
    Check Points
    for Information Security
    Transmit Information Securely (including e-mail)      Click here
    1. Is e-mail used for only the most routine of non-sensitive office communication?
         Click here
    1. Is everything, including passwords, encrypted before leaving user workstations?
         Click here
    1. Are encryption keys properly secured?
         Click here
    1. Have policy goals and objectives been translated into organizational security regulations that are designed to modify staff behavior?
         Click here
    1. Is dial-up communication avoided as much as is possible?
         Click here
    1. Are outside networks required to meet your security expectations?
         Click here
    1. Is the identity of information recipients verified before transmission?
         Click here
    1. Have times for information transmission been pre-arranged with regular trading partners?
         Click here
    1. Are security issues considered before shipping sensitive materials? Accomplished?
         Click here
    Present Information for Use in a Secure and Protected Way      Click here
    1. Are "views" and "table-design" applications being practiced?
         Click here
    1. Are "key identifiers" used when linking segregated records?
         Click here
    Backup Information Appropriately      Click here
    1. Are programs that are used to access information backed up?
         Click here
    1. Does backup software include an encryption option that is used?
         Click here
    1. Does backup software include a verification feature that is used?
         Click here
    1. Are backup tapes retired after a reasonable amount of use?
         Click here
    1. Is a log of all backup dates, locations, and responsible personnel kept and maintained securely?
         Click here
    1. Is an effort made to avoid "over-backing up" (i.e., are old backups removed to avoid "clutter")?
         Click here
    1. Does the backup system pass regularly administered tests of its effectiveness?
         Click here
    Store Information Properly      Click here
    1. Are recommended storage principles applied to master files and their backups alike?
         Click here
    1. Are disks, tapes, containers, cabinets, and other storage devices clearly labeled?
         Click here
    1. Is sensitive information segregated (i.e., is it maintained separately from normal use information at all times)?
         Click here
    1. Is the handling of sensitive information restricted to authorized personnel?
         Click here
    1. Are important files write-protected?
         Click here
    1. Does staff know to communicate security concerns immediately?
         Click here
    1. Has a secure media library been created as is possible?
         Click here
    Dispose of Information in a Timely and Thorough Manner      Click here
    1. Has an information retention and disposal policy been implemented ?
         Click here
    1. Are magnetic media that contain sensitive information properly cleaned before reuse or disposal?
         Click here
         

    back to topback to home page
    back to previous chapternext chapter