Skip Navigation
Chapter 1 Chapter 2 Chapter 3 Chapter 4 Chapter 5 Chapter 6 Chapter 7 Chapter 8 Chapter 9 Chapter 10
Table of Contents Glossary of Terms
Why Information Security In Education?
Illustration of the Cover of Safeguarding Your Technology

A Brief History of Security in Education
What's at Risk?
Why Administrators Should Read These Guidelines?
Document Framework
A Final Word on Considering Security Issues
Introductory Security Checklist


A Brief History of Security in Education

Robbery is illegal, but people still find it prudent to lock doors and close windows in their homes; so too must we lock up our information systems. Like people who lock their doors, schools have always been concerned about protecting their valued resources, including confidential information contained in student and staff records.

There are numerous legitimate reasons for collecting, using, and sharing education information appropriately.

  Before the widespread use of computers, educational administrators were responsible for safeguarding paper records that were often kept in filing cabinets.  The cabinets were probably locked in the administrator's office, and were perhaps themselves locked.  Maybe the administrator held the only key; at most, a secretary was given a copy in case of unforeseen problems.  In recent years, however, most education organizations have joined other public and private sector entities in adopting technology as the primary means by which they organize and access information.  Sharing information via computers and networks has proven time and time again to be a cost-effective way of getting things done.  In fact, today's society relies upon computers now more than ever and will more than likely continue to increase its use of technology.  As the saying goes, information is power.  In schools, it is the power to make the entire educational process more efficient.  Information about students, staff, courses, programs, facilities, and fiscal activities is collected and maintained so that schools can effectively coordinate services offered to students, measure learning progress, assign and monitor staff responsibilities and resource use, and provide other valued services to their communities.

Technology is simply a tool for accomplishing necessary tasks more efficiently.

  But as new as technology is to the workplace, its application is an extension of the way schools have always conducted their business.  While computers and networks contribute to the efficiency of educational record-keeping, data access, and use, they have not changed the reasons schools need to maintain, share, and use student and staff information.   The education community has always required these types of information to carry out its mission to instruct students.

Although it may be fitting to discuss analogies between paper files in wooden cabinets and electronic files on hard drives or 3½-inch diskettes, there are significant differences in the specific processes required to maintain appropriate security in the age of computer networking.  With the flip of a switch, information can be damaged irreparably.  With the careless turn of your head, a pocket-sized disk containing thousands of records can disappear.  And with the connection of a single wire, sensitive material can be shared with millions of users.

While these scenarios may seem foreboding and even scary, they are only part of the story--and, in fact, a small part--because by flipping a different switch, properly storing disks, and connecting the right wires, information stored on school computers and networks can be secured more safely than any paper file in any administrator's office filing cabinet, whether locked by deadbolt or protected by an armed guard.

  The same technology that can be the source of so much concern when in the hands of untrained users can actually be used to protect information more securely than ever before imaginable if it is used wisely.

It Really Happens!

Hillary Johnson saw the headline in the Sunday paper.  It just couldn't be true, could it?  She read further and realized how bad the situation really was:

Ilustrative Story (graphic)- Fire Ravages School Warehouse Hillary was beside herself with worry.  She had very definitely been told in her first interview that she needed to bring proof of high school graduation when she went to meet with the supervisor.  What would they do when she told them that she couldn't get a copy of her school records?  She really needed that job. Would they understand her predicament, or just hire the person who had all of the paperwork?

Unfortunately, Hillary wasn't the only one upset at the loss of academic history.  Amanda Chang was equally concerned when she saw the story.  Five years after finishing high school, she was finally ready to apply to college, but knew that doing so required a high school transcript as a part of the application process.  Did this mean that maybe she really wasn't meant to go to college after all?

But poor Chet Wilcox was perhaps most distraught of all.  He had been planning to use his school records to verify his age for retirement.  What would he do if he couldn't prove that he qualified for benefits?

As the Superintendent of Schools acknowledged in her statement after the fire, for countless numbers of people, school records are not just "memories of days gone by," but vitally important documentation of their life experiences.  They retain meaning and significance long after high school graduation and really do affect people's lives.

While such an article may only be anecdotal in this instance, the point it illustrates is real: school records are not just important for administrative reasons--they affect people for the rest of their lives, as they are used to apply for employment, for admission to higher education, and, in some cases, even retirement benefits.

Back to Top Go to Home Page

  What's at Risk?

Most people see the necessity of securing computer equipment.  Machines cost money and therefore have value unto themselves.  But if you take a moment to consider why organizations are so willing to spend large amounts of money on their computer systems--to store, access, and transmit information--the value of that information becomes more apparent.  After all, it makes no sense to spend vast amounts of limited resources on equipment for processing information unless the information itself is of value.  And because information has become so useful, it's not only the equipment that demands protection, but also the data.  In the education community, information about students, staff, and other resources is far more valuable to the operation of school buildings, campuses, and district and state education agencies than even the most costly equipment.  How could it be so?

For starters, education data can represent years' worth of investment in collection and maintenance activities, and may be irreplaceable as an asset.  What would happen, for example, if a school "lost" grade information and was unable to calculate cumulative grade point averages for its graduating class?

"Need-to-know" refers to a legitimate educational reason for accessing confidential student records.
In the larger scheme, education information is often considered to be confidential by its very nature-that is, certain types of sensitive information (in particular individually identifiable student and staff records) must, by law, be protected from all parties who do not have a verifiable need-to-know.  In addition to numerous state and local laws designed to preserve the confidentiality of education records, the Family Education Rights and Privacy Act of 1974 (FERPA) (see Appendix B ) is a federal law designed specifically to protect the privacy of a student's education record.  It applies to all schools that receive funding under an applicable program of the U.S. Department of Education, and is but one example of legislation enacted specifically to protect confidential student information maintained in education record systems.

Another document published by the National Forum on Education Statistics, Protecting the Privacy of Student Records: Guidelines for Education Agencies, describes what and why specific types of information about students and their families are considered to be confidential and clarifies relevant laws governing proper and improper release of such records. This document, in turn, explains how to satisfy these requirements.
Since the institution is ultimately responsible for the integrity and security of its data, the organization and its management need to take active steps to ensure that valuable equipment and, more importantly,  information (such as private student and staff records) are being adequately protected.  If an education organization fails to protect its confidential information in a manner that satisfies "standards of due care" and "reasonable safeguards," it opens itself to a host of potential problems from allegations of negligence and incompetence, to law suits charging "computer malpractice," and forfeiture of insurance claims due to "preventable losses."1  In addition to the legal ramifications of privacy violations, the potentially priceless asset of public confidence is also at risk.  School boards, legislatures, and other governing bodies often look quite unfavorably upon institutions and staff responsible for upsetting public confidence in the government's need to collect, maintain, and use information about its constituency.  And the public might justifiably lose confidence if a list of student aptitude scores was accessed improperly or a mischievous student managed to modify report cards or attendance data.

Back to Top Go to Home Page

Why Administrators Should Read These Guidelines

What makes the issue of information security more difficult, however, is that many, if not most, education administrators do not have the technical expertise nor, given their other vitally important duties, sufficient time to devote to single-handedly developing, implementing, and monitoring information security policies and procedures within their organizations.  Nonetheless, to paraphrase President Harry Truman, it is upon the heads of those very education administrators that "the buck stops."  Responsibility for both meeting the public's demands for accountability and securing sensitive information is inescapable for an education institution's chief administrative officer.  Like it or not, it comes with the job.  And that is why this document has been written.

Document Purpose and Audience
The guidelines are written to help educational administrators and staff at the building, campus, district, and state levels better understand why and how to effectively secure their organization's sensitive information, critical systems, and computer and networking equipment.

Because top educational administrators are ultimately responsible for information security; they must develop a sufficient understanding of sound security strategies and how they can be realized through organizational policy.
The intent of this document is to provide basic and timeless guidance to decision-makers by identifying factors that should be taken into consideration when (not if) they develop security strategies and policies to meet their organization's particular conditions and local circumstances.  It is designed specifically to help educational staff as they endeavor to walk the fine line between keeping education data secure and yet at the same time available to authorized persons with legitimate purposes.  Because the technical methods for securing digital data lie outside the training and expertise of most educational administrators, these guidelines (which are exactly that--well-researched recommendations rather than canned solutions) are written in non-technical language that is specifically tailored to educators.

Although a key recommendation of this document is that each education organization designate a technically competent staff person (or hire a consultant) to manage data security operations, administrators cannot be content to otherwise disregard security issues entirely.  While operational authority can and should be delegated to staff or contractors, the actual burden of responsibility cannot be lifted from the shoulders of chief administrators.  That is why top educational administrators need to develop a sufficient understanding of information security and its related issues: so that they can judge whether their subordinates are acting competently and thoroughly and can subsequently ascertain whether proposed policies and procedures will be adequate and effective.  After all, each policy will still be implemented over the administrator's signature.


something you should do (icon)
This document presents recommendations for security information and equipment, but does not presume to dictate local policy.

In a nutshell, this document is:

  • An outgrowth of another National Forum on Education Statistics' document, Protecting the Privacy of Student Records: Guidelines for Education Agencies

  • Concerned primarily with information technology security as it relates to the privacy and confidentiality of education information

  • Designed specifically for use by education administrators and staff at the building, campus, district, and state levels

  • Organized so as to walk policy-makers through the steps of developing and implementing sound security policy that is tailored to meet the needs of their individual organizations

  • Focused on both technical and procedural requirements (i.e., both computer-related and staff-related issues)

  • Presented as a set of recommended guidelines

  • Also available electronically at the Web site for the National Center for Education Statistics (NCES) at
something you should not do (icon)
This document is not:
  • An attempt to dictate policy (although it can and should serve as a guide to policy-makers as they consider their policy options and needs)

  • Focused on a high-end discussion of security issues that requires readers to have advanced knowledge of technology issues

  • Presented as a manual of technical solutions for securing systems

  • A source for specific software product recommendations
Quote- You can take better care of your secret than another can.  (Emerson) This document does not presume to dictate local policy because, among other reasons, the parties responsible for developing these guidelines have no authority to issue or enforce security policies to autonomous education institutions.  Nor does the document endorse specific products or vendors of security devices.  Given the rapid pace of change in this field, such endorsements might be rendered obsolete by emerging technologies even before they could be printed and distributed.

Back to Top Go to Home Page

Document Framework
The document includes the following chapters:

Chapter 1 - Why Information Security in Education? Chapter 1 describes the document's purpose, scope, intended audience, and organization.

Chapter 2 - Assessing Your Needs. Chapter 2 discusses the necessity of assessing an organization's unique needs as the first step to developing a security plan. It includes a description of the various components of risk and an outline of steps necessary for effectively conducting a risk assessment.

Chapter 3 - Security Policy: Development and Implementation. Chapter 3 recommends procedures and practices that contribute to the development of effective security policy.  It also presents a range of issues that demand consideration before policy is created.

Chapter 4 - Security Management. Chapter 4 discusses a security manager's role and numerous responsibilities, including generating organizational support from top to bottom, directing contingency planning, overseeing system testing and reviewing, and performing day-to-day administrative activities.

Chapter 5 - Protecting Your System: Physical Security. Chapter 5 examines potential threats and vulnerabilities to a system that are of a physical nature.  Practices by which equipment and other assets can be secured from such risks, referred to as countermeasures, are recommended.

Chapter 6 - Protecting Your System: Information Security. Chapter 6 considers potential threats and vulnerabilities that are directly related to a system's information (the data).  It focuses on maintaining information confidentiality, integrity, and availability, and recommends strategies for protecting information while in transmission, in use, and in storage.

Chapter 7 - Protecting Your System: Software Security. Chapter 7 focuses on potential threats to computer software and specific countermeasures to those threats and software-related vulnerabilities.

Chapter 8 - Protecting Your System: User Access Security. Chapter 8 details threats and vulnerabilities that are related to those people who actually use a system.  It describes security strategies that can be used to allow, prevent, and monitor access to system information.

Chapter 9 - Protecting Your System: Network (Internet) Security. Chapter 9 recommends strategies for protecting your network when connecting to other networks, and for transmitting information over the Internet in a secure manner.

Chapter 10 - Training: A Necessary Investment in Staff. Chapter 10 emphasizes the necessity of appropriate staff training when trying to implement security policy in any organization.  It describes normal and predictable staff training needs and includes a sample outline of a training program.

It also includes the following Appendices:

Appendix A. Additional Resources about Computing

Appendix B. FERPA Fact Sheet

Appendix C. Related NCES Publications

Appendix D. Sample Acceptable Use Agreements

Appendix E. Bibliography and Selected Reference Materials

Appendix F.  Citations


Each chapter is organized in the same general way. Expect to find:
something you should do (icon)
  • An Introduction - An overview of the topic

  • Commonly Asked Questions - Issues people often wonder about

  • It Really Happens - Anecdotal accounts of real-world relevance

  • Content Body - General information, guidelines, and rationale

  • Checklists - A summary of security guidelines

Back to Top Go to Home Page

A Final Word on Considering Security Issues

Security involves more than keeping intruders out of confidential files.  While an organization must certainly be aware of system hackers (unauthorized users who attempt to access a system and its information), it must more regularly deal with threats like failed hard drives, spilled coffee, and refrigerator magnets.

excerpt icon

Most security concerns an organization must face are of a fairly regular nature.  For example, the phrase "mean time between failures" is quite common in the computer sales industry.  For non-statisticians, it refers to when (not if) every computer disk you own will fail.  Planning to deal with this eventuality is not an exercise in the theoretical!

Remember, however, that the goal of system security is not to put all of your organization's confidential records into an entry-proof vault that even authorized users have difficulty accessing.  If that was the case, locking your keys in the car would be an effective security strategy for protecting the vehicle--you can be pretty certain that no one else can get into your car if even you, the owner, are unable to do so.  Rather, the goal of security is to protect information and the system without unnecessarily limiting its utility.  The system shouldn't be so secure that authorized users can't get to the data they need to do their jobs.  After all, the only reason you bother to maintain such information in the first place is so that it can be used to help better serve your students.

At the same time, however, unauthorized access, especially to critical systems and sensitive information, must be prevented.  Because of this contradiction, no system, be it electronic or paper, will ever be entirely secure, but the ideal of developing and maintaining a "trusted system" is realistic nonetheless, and should be the goal of every educational administrator.

read closely! (icon)

To approach this goal, top-level decision-makers must be involved in any organization's attempt to establish sound information security policy and procedures.  Although at times the prospect of such an endeavor may seem somewhat daunting, especially to a person who in all probability doesn't have technical training, it must be undertaken all the same.  Simply by reading this document, educational administrators will be better prepared to grapple with both the general principles of security and those that are perhaps more unique to their own situations.  But despite the specific guidelines that follow throughout this document, policy-makers must understand that in order to successfully institute security practices within an organization, the following overarching prerequisites must first be met:2

something you should do (icon)

  • Senior management must provide strong outward support.

  • A single, empowered staff member must be made specifically responsible for security initiatives (and have the time needed for testing, monitoring, and other activities designed to provide feedback on the system).

  • Employees must be educated through well-conceived training programs.

  • All employees must participate at all times.

The bottom line is that if, as an educational administrator, you are prepared to commit to these requirements and make the effort to educate yourself on the issues affecting information security, protecting your organization's resources more effectively becomes entirely possible.  By developing and implementing a well-conceived set of safeguards that are customized to your organization's specific needs, you can increase the security of your system significantly.

Back to Top Go to Home Page


Security is Achievable! (graphic)
Introductory Security Checklist

While it may be tempting to simply refer to the following checklist as your security plan, to do so would limit the effectiveness of the recommendations.  They are most useful when initiated as part of a larger plan to develop and implement security policy throughout an organization.  Other chapters in this document also address ways to customize policy to meet an organization's specific needs--a concept that should not be ignored if you want to ensure the effectiveness of any given guideline.

Security Checklist for Chapter 1

The brevity of a checklist can be helpful, but in no way makes up for the detail of the text.
Check Points
  1. Are top decision-makers aware that any and all information that is essential to the delivery of educational services should be maintained in a secure manner?
      Click here
  1. Have staff considered the implications of local, state, and federal laws and regulations which require that certain types of education information (particularly individual-level records) be protected from improper release?
      Click here
  1. Has security been made a priority in the organization, as evidenced  by top-level staff commitment to read this document and refer to these guidelines while planning the security of the organization's information system?
      Click here
  1. Has a single, empowered staff person (of significant rank) been appointed to manage the organization's security operation?
      Click here
  1. Does the appointed security manager have the appropriate authority and requisite time to do the job properly?
      Click here
  1. Are decision-makers prepared to invest necessary resources in staff security training?
      Click here
  1. Are all employees expected to participate in security initiatives at all times as is applicable (and, secondarily, are they aware of this expectation)?
      Click here

Illustration of the Cover of Safeguarding Your Technology About The Cover Design...
A medieval castle is an integral part of our cover design. Whenever a neighboring Prince Charming turned ugly, these stone and brick edifices were expected to protect the borders, as well as the local populace and their possessions. In today's technological age, security is just as important as it was in the medieval age. Verily, we may no longer be seeking shelter for our pigs and casks of ale, but we are looking for castle-like protection for our sensitive information, files, and equipment.

back to topback to home page
back to previous chapternext chapter