Skip Navigation
small NCES header image
Chapter 1 Chapter 2 Chapter 3 Chapter 4 Chapter 5 Chapter 6 Chapter 7 Chapter 8 Chapter 9 Chapter 10
Table of Contents Glossary of Terms
         Executive Summary

Accessing, manipulating, and sharing information electronically has proven time and time again to be a cost- effective way of getting things done.  Thus, it isn't surprising that many schools, school districts, state education agencies, and colleges and universities now use technology to manage student, staff, and administrative records.  Unfortunately, safeguarding electronic information is not as straightforward as simply assigning a technical staff person to verify that the "system" is protected.  It requires that top-level administrators invest time and expertise into the development of a well-conceived, comprehensive, and customized security policy.  This policy must then be applied appropriately throughout the entire organization, which again requires the commitment and authority of top-level administrators.  After all, while technical staffers might be responsible to top-level educational administrators for information technology security, the top-level administrators are in turn responsible to the greater public.
 

What's at Stake?
  1. Computer and networking equipment (including both hardware and software) used for both instructional and administrative purposes
  2. Vital administrative information education organizations must use to operate efficiently and fulfill their mission effectively (e.g., class management information, password archives, and financial records)
  3. Confidential student and staff information education organizations maintain and are responsible for

Most people see the necessity of securing computer and networking equipment.  Machines cost money, and therefore have value unto themselves.  But if you take a moment to consider why organizations are so willing to spend large amounts of money on technology--to store, access, and transmit information--the value of the information becomes more apparent.  After all, it makes no sense to spend vast amounts of limited resources on a system for processing information unless the information itself is of value.  And because information has become so useful, it's not only the hardware and software that demand protection, but also the data.  When information is lost, damaged, or otherwise unavailable when needed, it can have a serious effect on the day-to-day operations of an education organization.  And when the information at risk is an individual student record, the consequences can be even more serious.  What would be the damage, for example, if student report card files were modified inappropriately or confidential student aptitude scores were revealed improperly?

Would the cost of such a security breach be $2,000 to rekey information? Or $20,000 to readminister tests?  Perhaps $200,000 in settling legal suits?; How about $2,000,000 in lost technology funding when lawmakers become fearful of entrusting private information about their constituents' children to record systems that are perceived to be unsafe?

You should not, however, conclude that the repercussions of mishandling information are limited to simple dollars and cents.  Failing to secure confidential information can carry other consequences as well.  Educational staff have not only an ethical responsibility to protect confidential information about students and their parents, but also a legal obligation to do so.  Many states and localities have enacted laws and regulations to protect a student's right to privacy.  So, too, has the federal government--the Family Educational Rights and Privacy Act of 1974 (FERPA) is a federal guarantee of the privacy of educational records for students and their parents.

Educational administrators are well trained and knowledgeable about the protection of education records in a paper world.  But as information management becomes more and more technologically advanced, they must also be able to protect electronic information and the software and hardware used to manage it.  What makes the issue of information security more difficult is that many, if not most, educational administrators do not have the technical expertise or, given their other vitally important duties, the time to devote to single-handedly developing, implementing, and monitoring information security policies and procedures for their organizations.  Nonetheless, the responsibility for both meeting the public's demands for accountability and adequately securing information, software, and equipment is inescapable for top administrators.  Like it or not, it comes with the job.  And that is why this document has been developed.

Unlike other resources on electronic information security, this guide has been developed specifically for educational administrators at the building, campus, district, system, and state levels (e.g., school principals, district superintendents, state chiefs, college deans, and their assistants).  It is meant to serve as a framework to help them better understand why, and how, to effectively secure their organization's information, software, and computer and networking equipment.  Because this intended audience has in most cases been trained to manage education organizations and not computer systems, the document is written in non-technical language and emphasizes a step-by-step approach to protecting education information in a technology-based system, regardless of computer or network type and technical savvy.  Since only the reader understands his or her organization, its needs, capabilities, limitations, and unique circumstances, the guidelines are presented as well-researched recommendations (not canned solutions) for developing security policies that are customized to meet each organization's specific needs.

The document is organized into ten content areas (chapters):

  1. Why Information Security in Education? (An Introduction) ,
  2. Assessing Your Needs (Risk Assessment) ,
  3. Security Policy (Development and Implementation)
  4. Security Management
  5. Physical Security
  6. Information Security
  7. Software Security
  8. User Access Security
  9. Network (Internet) Security
  10. Training (A Necessary Investment in Staff)

Each chapter includes:

  • An overview
  • Commonly asked questions
  • Anecdotes illustrating real-world relevance
  • Security guidelines (actual recommendations)
  • A summary checklist of "things to do" (based on the guidelines)

Key points about the development and implementation of effective information security policies that are conveyed throughout the document include:

  • Successful information security policy requires the leadership, commitment, and active participation of top-level educational administrators.

  • Information security initiatives must be customized to meet the unique needs of the organization.

  • Effective information security is the result of a process of identifying an organization's valued information, software, and computer and networking equipment; considering the range of potential risks to those resources;  tailoring security policy to those specific conditions; and ensuring that policy is not only developed properly but also implemented reliably.

  • Critical information security strategies rely primarily upon appropriate conduct on the part of personnel, and secondarily on the use of technological solutions.

Above all, this document hopes to convey that increasing information security is both a necessary and achievable task.  It is the prudent thing to do for organizations and the right thing to do for students, parents, staff, and communities.  These practical guidelines provide direction for those top-level educational administrators who must lead the effort.

back to topback to home page

Would you like to help us improve our products and website by taking a short survey?

YES, I would like to take the survey

or

No Thanks

The survey consists of a few short questions and takes less than one minute to complete.
National Center for Education Statistics - http://nces.ed.gov
U.S. Department of Education