Why Do You Need a Security Policy?

Who is responsible for securing an organization's information?  Perhaps the Research and Evaluation department?  Not exactly.  The Management Information System (MIS) staff?  Wrong again.  Ultimately, it is not only individual employees or departments that are responsible for the security of confidential information, but also the institution itself. It is, therefore, incumbent upon top administrators, who are charged with protecting the institution's best interests, to ensure that an appropriate and effective security policy is developed and put into practice throughout the organization.

Q. What does this document have to offer that experienced education policy-makers don't already know?
A. Experienced policy-makers certainly bring a great deal of skill to security policy development.  But in many ways, security policy is different from other forms of more traditional policy--it requires policy-makers to think like data entry clerks, MIS staff, research and evaluation specialists, legal counsel, building administrators, teachers, and so on.  Many of the procedural guidelines included here will already be appreciated by seasoned policy-makers, but this document tailors the information so that it can be more readily applied to the specific concerns of information and system security--an area of expertise not always held by educational administrators and policy-makers.

Q. Isn't policy written at the district and state level?
A. Yes, but not exclusively.  Whoever is in charge of a site (be it a building, campus, district, or state education agency) must be concerned about protecting sensitive information and critical systems that can be accessed from within that site.  This concern is articulated through security policies that are designed to regulate access and protect information and systems as circumstances within the organization specifically warrant.

Q. Shouldn't expert technology consultants be hired to do the job?
A. There certainly are roles for expert consultants when instituting security policy: they could be hired as general technical support or they might be useful in offering advice about countermeasures (e.g., a password system).  But generally speaking, the chief educational administrator and his or her employees need to shoulder the responsibility of protecting their system because, after all, it is their system.  They are the people who know it best and they will be the ones who have to implement adopted security policy. Outside contractors, while certainly capable of lending expertise to the process, cannot take the place of committed and informed staff.

Tenable security policy must be based on the results of a risk assessment as described in Chapter 2.  Findings from a risk assessment provide policy-makers with an accurate picture of the security needs specific to their organization.  This information is imperative because proper policy development requires decision-makers to:

• Identify sensitive information and critical systems

• Incorporate local, state, and federal laws, as well as relevant ethical standards

• Define institutional security goals and objectives

• Set a course for accomplishing those goals and objectives

• Ensure that necessary mechanisms for accomplishing the goals and objectives are in place

Although finalizing organizational policy is usually a task reserved for top-level decision-makers, contributing to the development of policy should be an organization-wide activity.  While every employee doesn't necessarily need to attend each security policy planning session, top-level administra-tors should include representatives from all job levels and types in the information gathering phase (just as in the case of brainstorming during risk assessment).  Non-administrative staff have an especially unique perspective to share with policy-makers that simply cannot be acquired by any other means.  Meeting with staff on a frequent basis to learn about significant issues that affect their work is a big step toward ensuring that there is buy-in at all levels of the organization.

While it makes sense to get as much input from potential users as is possible, it is also essential that voices from outside the organization be heard during the information gathering stages of policy development.  Why?  Because decision-makers need to be informed of security arrangements that other organizations are making that potentially impact them and the policies they will be developing.  If, for example, every school but one in a district commits to encryption software to protect messages sent over the Internet, the lone school that does not have the encryption key is going to have a very difficult time communicating with its partners.  The point is that just as security planning demands coordination internally, it often requires it externally as well--a recommendation that should not be overlooked, especially by those organizations that practice site-based management.

An organization's risk assessment, and not this document or any other source, informs policy-makers of their system's specific security needs.  But regardless of those findings, the following general questions should be addressed clearly and concisely in any security policy:⁹

• What is the reason for the policy?

• Who developed the policy?

• Who approved the policy?

• Whose authority sustains the policy?

• Which laws or regulations, if any, are the policy based on?

• Who will enforce the policy?

• How will the policy be enforced?

• Whom does the policy affect?

• What information assets must be protected?

• What are users actually required to do?

• How should security breaches and violations be reported?

• What is the effective date and expiration date of the policy?

Policy should be written in a way that makes sense to its intended audience.  After all, guidelines that aren't implemented foreshadow objectives that won't be met.  Tips for reader-friendly policy include:¹⁰

• Be concise--focus on expectations and consequences, but explain the underlying rationale when appropriate

• Don't temper the message--truth is, you're not asking but telling, so don't propose, suggest, or insinuate unless that is specifically what you mean to do

• Use simple, straightforward language as is possible

• Define any term that could potentially confuse a reader--no need to make things more difficult than need be

• Be creative--presentation should never interfere with content, but checklists and reference cards increase utility

This document presents a great deal of information for policy-makers to consider.  The role of an effective administrator, however, is to absorb these recommendations as appropriate and distill the results into a meaningful and manageable set of employee regulations that fit his or her organization.  These rules then serve as the mechanisms for operationalizing policy goals and objectives throughout the workplace.  Although it might be tempting (and certainly possible) to create an exhaustive inventory of "do's and don'ts," formulating a short list of sensible rules that can realistically be implemented is undoubtedly a better strategy.

Personnel Issues

One aim of successful security policy is that it should limit the need for trust in the system.  While this may seem like a terribly cynical philosophy, it actually serves to protect both the organization's employees and the organization itself.  But before the benefits of security can be realized, staff must be properly informed of their roles, responsibilities, and organizational expectations.

• Employees must be told in writing: ¹¹
  • What is and is not acceptable use of equipment.
  • What the penalties for violating regulations will be.
  • That their activities may be monitored.
  • That security will be a part of performance reviews (users who do their share should be rewarded, whereas those who lag behind might be reprimanded or retrained).
  

Outsiders (e.g., repair technicians, consultants, and temporary help) and outside organizations (e.g., other departments, other educational institutions, and contractors) with access to your system should also sign agreements that require them to respect and maintain the confidentiality of your information.  But be careful not to share more about your security operation with outsiders than is necessary.  Even apparently harmless warnings about what to expect of your defenses can give a skilled intruder an edge in tampering with your system.  Instead, limit security briefings to those levels required to (1) keep them from breaching your defenses, (2) impress upon them that you are serious about protecting your system assets, and (3) ensure that they handle your assets in a secure manner.

Having said this, sharing general news with the public--parents, local organizations, business partners, and lawmakers to name few--about your organization's commitment to securing confidential information can instill a feeling of confidence throughout your organization and community.
 

Closing Thoughts on Policy

The incredible pace of technological innovations requires that all security policies be reviewed on a frequent basis.  How frequently?  That depends on your organization's needs and technological savvy.  Generally speaking, however, each new technological change has the potential to necessitate a corresponding policy change--so it is a good rule to review all organizational policies (security or otherwise) annually at a minimum.

Policy Development and Implementation Checklist

While it may be tempting to refer to the following checklist as your security plan, to do so would limit the effectiveness of the recommendations.  They are most useful when initiated as part of a larger plan to develop and implement security policy throughout an organization.  Other chapters in this document also address ways to customize policy to your organization's specific needs--a concept that should not be ignored if you want to maximize the effectiveness of any given guideline.