CHAPTER 1
Why Information Security in Education?
A Brief History of Security in Education
Robbery is illegal, but people still find it prudent to lock doors and close windows in their homes; so too must we lock up our information systems. Like people who lock their doors, schools have always been concerned about protecting their valued resources, including confidential information contained in student and staff records.
There are numerous legitimate reasons for collecting, using, and sharing education information appropriately.
Before the widespread use of computers, educational administrators
were responsible for safeguarding paper records that were often kept in
filing cabinets. The cabinets were probably locked in the administrator's
office, and were perhaps themselves locked. Maybe the administrator
held the only key; at most, a secretary was given a copy in case of unforeseen
problems. In recent years, however, most education organizations
have joined other public and private sector entities in adopting technology
as the primary means by which they organize and access information.
Sharing information via computers and networks has proven time and
time again to be a cost-effective way of getting things done. In
fact, today's society relies upon computers now more than ever and will
more than likely continue to increase its use of technology. As the
saying goes, information is power. In schools, it is the power
to make the entire educational process more efficient. Information
about students, staff, courses, programs, facilities, and fiscal activities
is collected and maintained so that schools can effectively coordinate
services offered to students, measure learning progress, assign and monitor
staff responsibilities and resource use, and provide other valued services
to their communities.
Technology is simply a tool for accomplishing necessary tasks more efficiently.
But as new as technology is to the workplace, its application is an
extension of the way schools have always conducted their business.
While computers and networks contribute to the efficiency of educational
record-keeping, data access, and use, they have not changed the
reasons schools need to maintain, share, and use student and staff information.
The education community has always required these types of information
to carry out its mission to instruct students.
Although it may be fitting to discuss analogies between paper files
in wooden cabinets and electronic files on hard drives or 3½-inch diskettes,
there are significant differences in the specific processes required to
maintain appropriate security in the age of computer networking.
With the flip of a switch, information can be damaged irreparably.
With the careless turn of your head, a pocket-sized disk containing
thousands of records can disappear. And with the connection of a
single wire, sensitive material can be shared with millions of users.
While these scenarios may seem foreboding and even scary, they are only
part of the story--and, in fact, a small part--because by flipping a different
switch, properly storing disks, and connecting the right wires, information
stored on school computers and networks can be secured more safely than
any paper file in any administrator's office filing cabinet, whether locked
by deadbolt or protected by an armed guard.
The same technology that can be the source of so much concern when in the hands
of untrained users can actually be used to protect information more securely
than ever before imaginable if it is used wisely.
It Really Happens!
Hillary Johnson saw the headline in the Sunday paper. It just
couldn't be true, could it? She read further and realized how bad
the situation really was:
Hillary was beside herself with worry. She had very definitely
been told in her first interview that she needed to bring proof of high
school graduation when she went to meet with the supervisor. What
would they do when she told them that she couldn't get a copy of her school
records? She really needed that job. Would they understand her predicament,
or just hire the person who had all of the paperwork?
Unfortunately, Hillary wasn't the only one upset at the loss of academic
history. Amanda Chang was equally concerned when she saw the story.
Five years after finishing high school, she was finally ready to apply
to college, but knew that doing so required a high school transcript as
a part of the application process. Did this mean that maybe she really
wasn't meant to go to college after all?
But poor Chet Wilcox was perhaps most distraught of all. He had
been planning to use his school records to verify his age for retirement.
What would he do if he couldn't prove that he qualified for benefits?
As the Superintendent of Schools acknowledged in her statement after
the fire, for countless numbers of people, school records are not just
"memories of days gone by," but vitally important documentation of their
life experiences. They retain meaning and significance long after
high school graduation and really do affect people's lives.
While such an article may only be anecdotal in this instance, the point it illustrates is real: school records are not just important for administrative reasons--they affect people for the rest of their lives, as they are used to apply for employment, for admission to higher education, and, in some cases, even retirement benefits.
What's at Risk?
Most people see the necessity of securing computer equipment.
Machines cost money and therefore have value unto themselves. But
if you take a moment to consider why organizations are so willing to spend
large amounts of money on their computer systems--to store, access, and
transmit information--the value of that information becomes more apparent.
After all, it makes no sense to spend vast amounts of limited resources
on equipment for processing information unless the information itself is
of value. And because information has become so useful, it's not
only the equipment that demands protection, but also the data. In
the education community, information about students, staff, and other resources
is far more valuable to the operation of school buildings, campuses, and
district and state education agencies than even the most costly equipment.
How could it be so?
For starters, education data can represent years' worth of investment
in collection and maintenance activities, and may be irreplaceable as an
asset.
What would happen, for example, if a school "lost" grade information and
was unable to calculate cumulative grade point averages for its graduating
class?
"Need-to-know" refers to a legitimate educational reason for accessing confidential student records.
In the larger scheme, education information is often considered to be
confidential by its very nature--that is, certain types of sensitive
information (in particular individually identifiable student and staff
records) must, by law, be protected from all parties who do not have a
verifiable need-to-know. In addition to numerous state and
local laws designed to preserve the confidentiality of education records,
the Family Educational Rights and Privacy Act of 1974 (FERPA) (see Appendix B)
is a federal law designed specifically to protect the privacy of a student's
education record. It applies to all schools that receive funding
under an applicable program of the U.S. Department of Education, and is
but one example of legislation enacted specifically to protect confidential
student information maintained in education record systems.
Another document published by the National Forum on Education Statistics, Protecting
the Privacy of Student Records: Guidelines for Education Agencies, describes
what and why specific types of information about students and their families
are considered to be confidential and clarifies relevant laws governing
proper and improper release of such records. This document, in turn, explains
how to satisfy these requirements.
Since the institution is ultimately responsible for the integrity and
security of its data, the organization and its management need to take
active steps to ensure that valuable equipment and, more importantly,
information (such as private student and staff records) are being adequately
protected. If an education organization fails to protect its confidential
information in a manner that satisfies "standards of due care" and "reasonable
safeguards," it opens itself to a host of potential problems from allegations
of negligence and incompetence, to lawsuits charging "computer malpractice,"
and forfeiture of insurance claims due to "preventable losses."1
In addition to the legal ramifications of privacy violations, the potentially
priceless asset of public confidence is also at risk. School
boards, legislatures, and other governing bodies often look quite unfavorably
upon institutions and staff responsible for upsetting public confidence
in the government's need to collect, maintain, and use information about
its constituency. And the public might justifiably lose confidence
if a list of student aptitude scores was accessed improperly or a mischievous
student managed to modify report cards or attendance data.
Why Administrators Should Read These Guidelines
What makes the issue of information security more difficult, however,
is that many, if not most, education administrators do not have the technical
expertise nor, given their other vitally important duties, sufficient time
to devote to single-handedly developing, implementing, and monitoring information
security policies and procedures within their organizations. Nonetheless,
to paraphrase President Harry Truman, it is upon the heads of those very
education administrators that "the buck stops." Responsibility for
both meeting the public's demands for accountability and securing sensitive
information is inescapable for an education institution's chief administrative
officer. Like it or not, it comes with the job. And that is
why this document has been written.
Document Purpose and Audience
The guidelines are written to help educational administrators and staff at the building, campus, district, and state levels better understand why and how to effectively secure their organization's sensitive information, critical systems, and computer and networking equipment.
Because top educational administrators are ultimately responsible for information security, they must develop a sufficient understanding of sound security strategies and how they can be realized through organizational policy.
The intent of this document is to provide basic and timeless guidance
to decision-makers by identifying factors that should be taken into consideration
when (not if) they develop security strategies and policies to meet their
organization's particular conditions and local circumstances. It
is designed specifically to help educational staff as they endeavor to
walk the fine line between keeping education data secure and yet at the
same time available to authorized persons with legitimate purposes.
Because the technical methods for securing digital data lie outside the
training and expertise of most educational administrators, these guidelines
(which are exactly that--well-researched recommendations rather than canned
solutions) are written in non-technical language that is specifically tailored
to educators.
Although a key recommendation of this document is that each education
organization designate a technically competent staff person (or hire a
consultant) to manage data security operations, administrators cannot be
content to otherwise disregard security issues entirely. While operational authority
can and should be delegated to staff or contractors, the actual burden
of responsibility cannot be lifted from the shoulders of chief administrators.
That is why top educational administrators need to develop a sufficient
understanding of information security and its related issues: so that they
can judge whether their subordinates are acting competently and thoroughly
and can subsequently ascertain whether proposed policies and procedures
will be adequate and effective. After all, each policy will still
be implemented over the administrator's signature.
This document presents recommendations for securing information and equipment, but does not presume to dictate local policy.
In a nutshell, this document is:
- An outgrowth of another National Forum on Education Statistics' document, Protecting the Privacy of Student Records: Guidelines for Education Agencies
- Concerned primarily with information technology security as it relates to the privacy and confidentiality of education information
- Designed specifically for use by education administrators and staff at the building, campus, district, and state levels
- Organized so as to walk policy-makers through the steps of developing and implementing sound security policy that is tailored to meet the needs of their individual organizations
- Focused on both technical and procedural requirements (i.e., both computer-related and staff-related issues)
- Presented as a set of recommended guidelines
- Also available electronically at the Web site for the National Center for Education Statistics (NCES) at http://nces.ed.gov
This document is not:
- An attempt to dictate policy (although it can and should serve as a guide to policy-makers as they consider their policy options and needs)
- Focused on a high-end discussion of security issues that requires readers to have advanced knowledge of technology issues
- Presented as a manual of technical solutions for securing systems
- A source for specific software product recommendations
This document does not presume to dictate local policy because, among
other reasons, the parties responsible for developing these guidelines
have no authority to issue or enforce security policies to autonomous education
institutions. Nor does the document endorse specific products or
vendors of security devices. Given the rapid pace of change in this
field, such endorsements might be rendered obsolete by emerging technologies
even before they could be printed and distributed.
Document Framework
The document includes the following chapters:
Chapter 1 - Why Information Security in Education? Chapter 1
describes the document's purpose, scope, intended audience, and organization.
Chapter 2 - Assessing Your Needs. Chapter 2 discusses the necessity
of assessing an organization's unique needs as the first step to developing
a security plan. It includes a description of the various components of
risk and an outline of steps necessary for effectively conducting a risk
assessment.
Chapter 3 - Security Policy: Development and Implementation.
Chapter 3 recommends procedures and practices that contribute to the development
of effective security policy. It also presents a range of issues
that demand consideration before policy is created.
Chapter 4 - Security Management. Chapter 4 discusses a security
manager's role and numerous responsibilities, including generating organizational
support from top to bottom, directing contingency planning, overseeing
system testing and reviewing, and performing day-to-day administrative
activities.
Chapter 5 - Protecting Your System: Physical Security. Chapter
5 examines potential threats and vulnerabilities to a system that are of
a physical nature. Practices by which equipment and other assets
can be secured from such risks, referred to as countermeasures, are recommended.
Chapter 6 - Protecting Your System: Information Security. Chapter
6 considers potential threats and vulnerabilities that are directly related
to a system's information (the data). It focuses on maintaining information
confidentiality, integrity, and availability, and recommends strategies
for protecting information while in transmission, in use, and in storage.
Chapter 7 - Protecting Your System: Software Security. Chapter
7 focuses on potential threats to computer software and specific countermeasures
to those threats and software-related vulnerabilities.
Chapter 8 - Protecting Your System: User Access Security. Chapter
8 details threats and vulnerabilities that are related to those people
who actually use a system. It describes security strategies that
can be used to allow, prevent, and monitor access to system information.
Chapter 9 - Protecting Your System: Network (Internet) Security.
Chapter 9 recommends strategies for protecting your network when connecting
to other networks, and for transmitting information over the Internet in
a secure manner.
Chapter 10 - Training: A Necessary Investment in Staff. Chapter
10 emphasizes the necessity of appropriate staff training when trying to
implement security policy in any organization. It describes normal
and predictable staff training needs and includes a sample outline of a
training program.
It also includes the following Appendices:
Appendix A. Additional Resources about Computing
Appendix B. FERPA Fact Sheet
Appendix C. Related NCES Publications
Appendix D. Sample Acceptable Use Agreements
Appendix E. Bibliography and Selected Reference Materials
Appendix F. Citations
Glossary
Each chapter is organized in the same general way. Expect to find:
- An Introduction - An overview of the topic
- Commonly Asked Questions - Issues people often wonder about
- It Really Happens - Anecdotal accounts of real-world relevance
- Content Body - General information, guidelines, and rationale
- Checklists - A summary of security guidelines
A Final Word on Considering Security Issues
Security involves more than keeping intruders out of confidential files.
While an organization must certainly be aware of system hackers (unauthorized
users who attempt to access a system and its information), it must more
regularly deal with threats like failed hard drives, spilled coffee, and
refrigerator magnets.
Most security concerns an organization must face are of a fairly regular nature.
For example, the phrase "mean time between failures" is quite common in
the computer sales industry. For non-statisticians, it refers to
when (not if) every computer disk you own will fail. Planning to
deal with this eventuality is not an exercise in the theoretical!
Remember, however, that the goal of system security is not to
put all of your organization's confidential records into an entry-proof
vault that even authorized users have difficulty accessing. If that
were the case, locking your keys in the car would be an effective security
strategy for protecting the vehicle--you can be pretty certain that no one
else can get into your car if even you, the owner, are unable to do so.
Rather, the goal of security is to protect information and the system without
unnecessarily limiting its utility. The system shouldn't be so secure
that authorized users can't get to the data they need to do their jobs.
After all, the only reason you bother to maintain such information in the
first place is so that it can be used to help better serve your students.
At the same time, however, unauthorized access, especially to critical
systems and sensitive information, must be prevented. Because
of this contradiction, no system, be it electronic or paper, will ever
be entirely secure, but the ideal of developing and maintaining a "trusted
system" is realistic nonetheless, and should be the goal of every educational
administrator.
To approach this goal, top-level decision-makers must be involved in any organization's
attempt to establish sound information security policy and procedures.
Although at times the prospect of such an endeavor may seem somewhat daunting,
especially to a person who in all probability doesn't have technical training,
it must be undertaken all the same. Simply by reading this document,
educational administrators will be better prepared to grapple with both
the general principles of security and those that are perhaps more unique
to their own situations. But despite the specific guidelines that
follow throughout this document, policy-makers must understand that in
order to successfully institute security practices within an organization,
the following overarching prerequisites must first be met: 2
- Senior management must provide strong outward support.
- A single, empowered staff member must be made specifically responsible for security initiatives (and have the time needed for testing, monitoring, and other activities designed to provide feedback on the system).
- Employees must be educated through well-conceived training programs.
- All employees must participate at all times.
The bottom line is that if, as an educational administrator, you
are prepared to commit to these requirements and make the effort to educate
yourself on the issues affecting information security, protecting your
organization's resources more effectively becomes entirely possible.
By developing and implementing a well-conceived set of safeguards that
are customized to your organization's specific needs, you can increase
the security of your system significantly.
Introductory Security Checklist
While it may be tempting to simply refer to the following checklist
as your security plan, to do so would limit the effectiveness of the recommendations.
They are most useful when initiated as part of a larger plan to develop
and implement security policy throughout an organization. Other chapters
in this document also address ways to customize policy to meet an organization's
specific needs--a concept that should not be ignored if you want to ensure
the effectiveness of any given guideline.
Security Checklist for Chapter 1
The brevity of a checklist can be
helpful, but in no way makes up for the detail of the text.
Check Points
- Are top decision-makers aware that any and all information that is essential to the delivery of educational services should be maintained in a secure manner?
- Have staff considered the implications of local, state, and federal laws and regulations which require that certain types of education information (particularly individual-level records) be protected from improper release?
- Has security been made a priority in the organization, as evidenced by top-level staff commitment to read this document and refer to these guidelines while planning the security of the organization's information system?
- Has a single, empowered staff person (of significant rank) been appointed to manage the organization's security operation?
- Does the appointed security manager have the appropriate authority and requisite time to do the job properly?
- Are decision-makers prepared to invest necessary resources in staff security training?
- Are all employees expected to participate in security initiatives at all times as is applicable (and, secondarily, are they aware of this expectation)?
About The Cover Design...
A medieval castle is an integral part of our cover design. Whenever a neighboring Prince Charming turned ugly, these stone and brick edifices were expected to protect the borders, as well as the local populace and their possessions. In today's technological age, security is just as important as it was in the medieval age. Verily, we may no longer be seeking shelter for our pigs and casks of ale, but we are looking for castle-like protection for our sensitive information, files, and equipment.