CHAPTER 6
Protecting Your System: Information Security

The terms data and information are often used synonymously, but information refers to data that have meaning. For example, "87 percent" is data. It has no meaning by itself until it is reported as a "graduation rate," and then it becomes information.

Introduction to Information Security
As stated throughout this document, one of an organization's most
valuable assets is its information. Local, state, and federal laws require
that certain types of information (e.g., individual student records) be
protected from unauthorized release (see Appendix B for a FERPA Fact
Sheet). This facet of information security is often referred to as protecting
confidentiality. While confidentiality is sometimes mandated by law,
common sense and good practice suggest that even non-confidential
information in a system should be protected as well, not necessarily
from unauthorized release as much as from unauthorized modification and
unacceptable influences on its accessibility.
Components of Information Security
- Confidentiality: Preventing unauthorized disclosure and use of information
- Integrity: Preventing unauthorized creation, modification, or deletion of information
- Availability: Preventing unauthorized delay or denial of information

Commonly Asked Questions
Q. If an organization maintains physical, software, and user access
security, isn't information security addressed by default?
A. Yes and no. Information backups and their storage are surely safer
when the building is secure, software is used properly, and
unauthorized users are effectively restricted. However, these security
features are meaningless if the information that is being backed up and
stored wasn't maintained in a sound way in the first place. While there is
no doubt that physical, software, and user access security strategies all contribute to protecting information, ignoring those initiatives that are
aimed directly at securing information is not a wise plan.

While encryption prevents others from reading your information, encrypted files can still be damaged or destroyed so that they are no longer of any use to you.

Q. Isn't there software that can protect my information?
A. Yes, a variety of software products can help your organization in its
effort to secure its information and system, but only a thorough, well-conceived,
and committed effort to develop and implement an overarching
security plan will prove effective in the long run.
Q. Doesn't it make sense to just go ahead and encrypt all information?
A. Not necessarily. Encryption and decryption are time consuming. If
information is confidential, then additional time for encrypting and
decrypting makes sense. But if the files aren't confidential, why would you
slow down processing speed for an unnecessary step? And while
encryption is a good practice for sensitive information or information
that is being transmitted over unsecured lines, it should be noted that it is
not a complete security strategy in itself. Encrypting information protects
files from breaches in confidentiality, but the risks of unauthorized or
accidental modification (including destruction) and/or denial of use are still
real.

Guidelines for security policy development can be found in Chapter 3.

Policy Issues
Perhaps more than any other aspect of system security, protecting
information requires specific procedural and behavioral activities.
Information security requires that data files be properly created, labeled,
stored, and backed up. If you consider the number of files that each
employee uses, these tasks clearly constitute a significant undertaking.
Policy-makers can positively affect this effort by conducting an accurate
risk assessment (including properly identifying sensitive information
maintained in the system). They should also provide organizational support
to the security manager as he or she implements and monitors security
regulations. The security manager must be given the authority and budget
necessary for training staff appropriately and subsequently enforcing
information security procedures at all levels of the organizational hierarchy.
A final consideration for policy-makers is information retention and
disposal. All information has a finite life cycle, and policy-makers should
make sure that mechanisms are in place to ensure that information that is
no longer of use is disposed of properly.
Information Threats (Examples)
As discussed more completely in Chapter 2, a threat is any action,
actor, or event that contributes to risk. Examples of information threats
include:
- Natural events (e.g., lightning strikes, and aging and dirty media)
- Intentional acts of destruction (e.g., hacking and viruses)
- Unintentionally destructive acts (e.g., accidental downloading of
computer viruses, programming errors, and unwise use of magnetic
materials in the office)

A countermeasure is a step planned and taken in opposition to another act or potential act.

Information Security Countermeasures
The following countermeasures address information security concerns
that could affect your site(s). These strategies are recommended when
risk assessment identifies or confirms the need to counter potential
breaches in your system's information security.
Countermeasures come in a variety of sizes, shapes, and levels
of complexity. This document endeavors to describe a range of
strategies that are potentially applicable to life in education
organizations. In an effort to maintain this focus, those
countermeasures that are unlikely to be applied in education
organizations are not included here. If after your risk assessment,
for example, your security team determines that your organization
requires high-end countermeasures like retinal scanners or voice
analyzers, you will need to refer to other security references and
perhaps hire a reliable technical consultant.
Transmit Information Securely (including e-mail):
- Use e-mail only for routine office communication: Never send
sensitive information as e-mail. If e-mail absolutely must be
used, encrypt the file and send it as an attachment rather than in
the text of the e-mail message.
- Encrypt everything before it leaves your workstation: Even your
password needs to be encrypted before leaving the workstation
on its way to the network server; otherwise it could be
intercepted as it travels network connections.
- Physically protect your data encryption devices and keys: Store
them away from the computer but remember where you put
them. Use the same common-sense principles of protection you
should be giving your bank card's personal identification number
(PIN).
- Inform staff that all messages sent with or over the organization's
computers belong to the organization: This is a nice way of saying
that everything in the office is subject to monitoring.
- Use dial-up communication only when necessary: Do so only after
the line has been satisfactorily evaluated for security. Do not
publicly list dial-up communication telephone numbers.
- Confirm that outside networks from which there are dial-ins satisfy
your security requirements: Install automatic terminal
identification, dial-back, and encryption features (technical
schemes that protect transmissions to and from off-site users).
- Verify the receiver's authenticity before sending information
anywhere: Ensure that users on the receiving end are who they
represent themselves to be by verifying:
  - Something they should know: a password or encryption key;
  this is the least expensive measure but also the least secure.
  - Something they should have: for example, an electronic keycard
  or smart card.
  - Something they are: biometrics like fingerprinting, voice
  recognition, and retinal scans; these strategies are more
  expensive but also more secure.
- Consider setting up pre-arranged transmission times with regular
information trading partners: If you know to expect transmissions
from your trading partners at specific times and suddenly find
yourself receiving a message at a different time, you'll know to
scrutinize that message more closely. Is it really your trading
partner sending the message? Why has the pre-arranged time
been ignored? Has the message been intercepted and
consequently knocked off schedule?
- Maintain security when shipping and receiving materials: When
sending sensitive information through the mail, or by messenger
or courier, require that all outside service providers meet or
exceed your security requirements.
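The pre-arranged transmission times recommended above can be turned into a simple check over the receiving log. The following is an added example, not part of the original document: the partner names, their windows (including one that wraps past midnight), and the log lines are all constructed for the demo.

```python
from datetime import datetime, time

# Added example, not from the NCES document: flag transmissions that arrive
# outside the window pre-arranged with a trading partner, or from a sender
# with no pre-arranged schedule at all. Partner names, windows and log
# lines are constructed for the demo.

# sender -> (window start, window end); a window may cross midnight
SCHEDULE = {
    "district-office": (time(1, 30), time(1, 45)),   # the 1:37 a.m. slot
    "state-reporting": (time(23, 30), time(0, 30)),  # wraps past midnight
}

# Constructed receive log: ISO timestamp, sender, file name
RECEIVE_LOG = """\
1998-03-02T01:37:10 district-office enrollment.dat
1998-03-02T14:05:41 district-office enrollment.dat
1998-03-02T23:58:02 state-reporting attendance.dat
1998-03-03T02:15:00 state-reporting attendance.dat
1998-03-03T01:40:00 unknown-sender grades.dat
"""


def in_window(t, start, end):
    """True if clock time t falls inside [start, end], wrap-around aware."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def scrutinize(log, schedule=SCHEDULE):
    """Return (timestamp, sender, reason) for each transmission that the
    receiving office should examine more closely before trusting it."""
    flagged = []
    for line in log.splitlines():
        stamp, sender, filename = line.split(" ", 2)
        when = datetime.fromisoformat(stamp)
        if sender not in schedule:
            flagged.append((stamp, sender, "no pre-arranged schedule"))
            continue
        start, end = schedule[sender]
        if not in_window(when.time(), start, end):
            flagged.append((stamp, sender, "outside pre-arranged window"))
    return flagged
```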

Select only those countermeasures that meet perceived needs as identified during risk assessment and support security policy.

Countermeasures like biometrics are probably beyond the realm of possibility (and necessity) in most, if not all, education organizations.

Pre-arranged transmission times set for the middle of the night (e.g., 1:37 a.m.) may seem odd, but they can increase security because there is less traffic on telephone lines and fewer hackers snooping around at such odd hours.

Present Information for Use in a Secure and Protected Way:
- Practice "views" and "table-design" applications: A "view" selects
only certain fields within a table of information for display, based
on the user's access rights. Other table fields are excluded from
the user's view and are thus protected from use. For example,
although a school record system may contain a range of
information about each student, Food Services staff can view
only information related to their work and Special Education
staff can view only information related to their work. This type
of system maintains information much more securely than
traditional paper systems, while at the same time increasing
statistical utility and accountability options.
- Use "key identifiers" to link segregated information: If record
information is maintained in a segregated manner (e.g., testing
files are kept in a different database than special education files)
for security purposes, a common file identifier (e.g., a Social
Security Number) can be used to match records without
unnecessarily divulging the identity of individuals and
compromising confidentiality.
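The two recommendations above, role-limited "views" and a common "key identifier" linking segregated records, can be seen together in a small database. The following is an added example, not code from the original document; the table layout, view names, and student records are constructed for the demo, and the key identifier is a plain student number rather than a Social Security Number.

```python
import sqlite3

# Added example, not from the NCES document: role-based "views" over a
# student record table, plus a "key identifier" join across segregated
# tables. Every student record below is constructed for the demo.
SCHEMA = """
CREATE TABLE student (
    student_id   INTEGER PRIMARY KEY,  -- the key identifier
    name         TEXT NOT NULL,
    grade_level  INTEGER NOT NULL,
    lunch_status TEXT NOT NULL,        -- needed only by Food Services
    iep_status   TEXT NOT NULL         -- needed only by Special Education
);
-- Testing files are kept segregated from the student file; the two share
-- nothing but the key identifier, never the student name.
CREATE TABLE test_score (
    student_id INTEGER NOT NULL REFERENCES student(student_id),
    subject    TEXT NOT NULL,
    score      INTEGER NOT NULL
);
-- Each view selects only the fields that role needs; a column left out
-- of the view cannot be queried through the view at all.
CREATE VIEW v_food_services AS
    SELECT student_id, name, grade_level, lunch_status FROM student;
CREATE VIEW v_special_education AS
    SELECT student_id, name, grade_level, iep_status FROM student;
-- Analysis view: scores matched to IEP status by key identifier alone, so
-- the link is made without divulging which student is which.
CREATE VIEW v_research AS
    SELECT t.student_id, t.subject, t.score, s.iep_status
    FROM test_score t JOIN student s ON s.student_id = t.student_id;
"""
VIEWS = ("v_food_services", "v_special_education", "v_research")
SAMPLE_STUDENTS = [(1, "Linda Foster", 10, "free", "none"),
                   (2, "Sam Ortiz", 10, "paid", "active")]
SAMPLE_SCORES = [(1, "English", 72), (2, "English", 88)]


def build_db():
    """In-memory database loaded with the constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO student VALUES (?,?,?,?,?)", SAMPLE_STUDENTS)
    conn.executemany("INSERT INTO test_score VALUES (?,?,?)", SAMPLE_SCORES)
    return conn


def columns_of(conn, view):
    """Column names a role can reach through its view."""
    if view not in VIEWS:  # view names come from code, never from users
        raise ValueError(view)
    cur = conn.execute(f"SELECT * FROM {view} LIMIT 0")
    return [d[0] for d in cur.description]


def read_column(conn, view, column):
    """Read one column through a view, or return the database's refusal as
    a string so a caller can confirm the field really is unreachable."""
    if view not in VIEWS or not column.isidentifier():
        raise ValueError(f"{view}.{column}")
    try:
        return conn.execute(f"SELECT {column} FROM {view} ORDER BY 1").fetchall()
    except sqlite3.OperationalError as err:
        return str(err)
```

Granting each role access only to its view, and none to the underlying tables, is what makes the field restriction enforceable rather than cosmetic.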
Back up Information Appropriately (see Chapter 4):
- Back up not only information, but also the programs you use to
access information: Back up operating system utilities so that
you retain access to them even if your hard drive goes down.
Also maintain current copies of critical application software
and documentation as securely as if they were sensitive data.
Caution: Some proprietary software providers may limit an
organization's legal right to make copies of programs, but most
allow for responsible backup procedures. Check with your
software provider.
- Consider using backup software that includes an encryption option
when backing up sensitive information: Encryption provides
additional security that is well worth the extra effort, since it
ensures that even if unauthorized users access your backup files,
they still can't break confidentiality without also having access to your encryption key. If you adopt this recommendation, be sure to change your encryption key regularly.
- Verify that your backups are written to the disk or tape accurately:
Choose a backup program that has a verification feature.
- Rotate backup tapes: Although backup tapes are usually quite
reliable, they tend to lose data over time when under constant
use. Retire tapes after two to three months of regular use (i.e.,
about 60 uses) to a backup activity that requires less regular use
(e.g., program backups). Also note that routine tape drive
cleaning can result in longer tape life.
- Maintain a log of all backup dates, locations, and responsible
personnel: Accountability is an excellent motivator for getting
things done properly. Remember to store the logs securely.
- Avoid over-backing up: Too many backup files can confuse users
and thereby increase the possibility of exposing sensitive
information. Clear hard drives, servers, and other storage
media that contain old backup files to save space once you have
properly secured (and verified) the last complete and partial
backup.
- Test your backup system: This point has been made numerous
times throughout the document, but it truly cannot be
overemphasized!

Many organizations prefer that users back up only their own data files, leaving software and operating system backups in the responsible hands of the security manager or system administrator.

Store Information Properly (see Chapter 5):
- Apply recommended storage principles as found in this document to
both original and backup files alike: Backup files require the same
levels of security as do the master files (e.g., if the original file is
confidential, so is its backup).
- Clearly label disks, tapes, containers, cabinets, and other storage
devices: Contents and sensitivity should be prominently marked
so that there is less chance of mistaken identity.
- Segregate sensitive information: Never store sensitive information
in such a way that it commingles with other data on floppy
disks or other removable data storage media.
- Restrict handling of sensitive information to authorized personnel:
Information, programs, and other data should be entered into, or
exported from, the system only through acceptable channels and
by staff with appropriate clearance.
- Write-protect important files: Write-protection limits
accidental or malicious modification of files. Note that while
write-protection is effective against some viruses, it is by no
means adequate virus protection in itself.
- Communicate clearly and immediately about security concerns:
Train staff to promptly notify the system administrator/security
manager when data are, or are suspected of being, lost or
damaged.
- Create a media library if possible: Storing backups and
sensitive material in a single location allows for security to be
concentrated (and perhaps even intensified). Note, however,
that an on-site media library is not a substitute for off-site
backup protection.
It Really Happens!
As Principal Brown's secretary, Marsha didn't have time for all the difficulties she was having with her
computer; well, it wasn't really her computer that was having problems, but her most important files (and that
was worse). Fed up with having to retype so many lost files, she finally called in the vendor who had sold the
school all of its equipment. The vendor appeared at her office promptly and asked her to describe the problem.
"Well," Marsha explained, "I keep a copy of all of my important files on a 3 1/2 inch disk, but when I go to
use them, the files seem to have disappeared. I know that I'm copying them correctly, so I just can't understand
it. I don't know if it's the word processing software or what, but I'm tired of losing all of my important
files."
The vendor asked whether it was possible that Marsha was using a bad disk. "I thought about that," she
replied as if prepared for the question, "but it has happened with three different disks. It just has to be something
else." Marsha reached for a disk that was held to the metal filing cabinet next to her desk by a colorful
magnet. "You try it."
"That's a very attractive magnet," the vendor said as Marsha handed over the disk. "Do you always use
it to hold up your disks?"
"Yes, it was a souvenir from Dr. Brown's last conference. I just think it's beautiful. Thanks for noticing."
"It is beautiful," the vendor replied, "but you know that it's also the root of all your problems. Every time
you expose a disk to that magnet, it erases the files. That's just the way magnets and computer disks get
along, like oil and water. Try storing the disk away from the magnet and your troubles, not your files, will soon disappear."
Dispose of Information in a Timely and Thorough Manner:
- Institute a specific information retention and disposal policy as
determined by the organization's needs and legal requirements: All
data have a finite life cycle. Consult local, federal, and state
regulations for guidance before implementing the following:
- Establish a realistic retention policy.
- Mark files to indicate the contents, their expected life cycle,
and appropriate destruction dates.
- Do not simply erase or reformat media, but overwrite it with
random binary code. Sophisticated users can still access
information even after it has been erased or reformatted,
whereas overwriting actually replaces the discarded
information.
- Consider degaussing (a technique to erase information on a
magnetic media by introducing it to a stronger magnetic
field) as an erasure option.
- Burn, shred, or otherwise physically destroy storage media
(e.g., paper) that cannot be effectively overwritten or
degaussed.
- Clean tapes, disks, and hard drives that have stored sensitive data
before reassigning them: Never share disks that have held sensitive
data unless they have been properly cleaned. Also remember to
clean magnetic storage media before returning it to a vendor for
trade-ins or disposal.
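The "overwrite it with random binary code" step above, as an added example that is not part of the original document. It assumes a conventional filesystem that rewrites a file's blocks in place; on flash media and on copy-on-write or journaling filesystems the old blocks may survive an in-place overwrite, which is why the document also lists degaussing and physical destruction.

```python
import os
import tempfile

# Added example, not from the NCES document: overwrite a file's bytes with
# random data before deleting it, and read the file back to confirm the
# old contents are no longer stored there. Assumes blocks are rewritten
# in place (see the lead-in for where that assumption fails).
CHUNK = 64 * 1024


def overwrite_file(path, passes=3):
    """Overwrite every byte of path with random data `passes` times,
    forcing each pass to disk, and return the bytes now stored there."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                remaining -= f.write(os.urandom(min(CHUNK, remaining)))
            os.fsync(f.fileno())  # do not let the pass sit in the cache
        f.seek(0)
        return f.read()


def dispose(path, passes=3):
    """Overwrite, then truncate and unlink so no data blocks stay mapped to
    the file. Returns True only if the original bytes are verifiably gone."""
    with open(path, "rb") as f:
        before = f.read()
    after = overwrite_file(path, passes)
    with open(path, "r+b") as f:
        f.truncate(0)
        os.fsync(f.fileno())
    os.remove(path)
    return (len(after) == len(before) and after != before
            and before[:32] not in after and not os.path.exists(path))


def demo():
    """Constructed sensitive record, written to a temp file and disposed of."""
    record = b"Linda Foster: C-, C, C+, C; candidate for testing?\n" * 200
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(record)
    return dispose(path)
```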

It Really Happens!
Trent couldn't believe his eyes. Displayed before him on a monitor in the high school computer lab were
the grades of every student in Mr. Russo's sophomore English classes:

Student Name    Grades          Comments
Linda Foster    C-, C, C+, C    Improving slightly, but unable to make sufficient gains; a candidate for learning disability testing?

All Trent had done was hit the "undelete" function in the word processing software to correct a saving
mistake he had made, and suddenly a hard drive full of Mr. Russo's files was there for the taking. Luckily for Mr. Russo, his sophomores, and the school, Trent realized that something was very wrong. He asked the lab
supervisor, Ms. Jackson, where the computers had come from.
"Most of them have been recycled," she admitted. "Teachers and administrators were given upgrades this
year, so their old machines were put to good use in the labs. They should still be powerful enough to handle
your word processing. Why?"
Trent showed Ms. Jackson what he had uncovered about the sophomore English students. She gasped,
"Oh my goodness, they gave us all these computers without clearing the hard drives properly. I bet it's that
way across the district. Trent, you may have just saved us from a potentially disastrous situation. That information
is private and certainly shouldn't be sitting here for anyone in the computer lab to see. I've got some
phone calls to make!"

Retaining data beyond its useful life exposes the organization to unnecessary risk.

Even if a vendor replaces a hard drive, require that the old one be returned so that you can verify that it has been cleaned and disposed of properly.

Information Security Checklist
While it may be tempting to refer to the following checklist as your security
plan, to do so would limit the effectiveness of the recommendations.
They are most useful when initiated as part of a larger plan to develop and
implement security policy throughout an organization. Other chapters in
this document also address ways to customize policy to your organization's
specific needs, a concept that should not be ignored if you want to
maximize the effectiveness of any given guideline.

Security Checklist for Chapter 6
The brevity of a checklist can be helpful, but it in no way makes up for the detail of the text.

Check Points for Information Security

Transmit Information Securely (including e-mail)
- Is e-mail used for only the most routine of non-sensitive office communication?
- Is everything, including passwords, encrypted before leaving user workstations?
- Are encryption keys properly secured?
- Have policy goals and objectives been translated into organizational security regulations that are designed to modify staff behavior?
- Is dial-up communication avoided as much as is possible?
- Are outside networks required to meet your security expectations?
- Is the identity of information recipients verified before transmission?
- Have times for information transmission been pre-arranged with regular trading partners?
- Are security issues considered before shipping sensitive materials?

Present Information for Use in a Secure and Protected Way
- Are "views" and "table-design" applications being practiced?
- Are "key identifiers" used when linking segregated records?

Back up Information Appropriately
- Are programs that are used to access information backed up?
- Does backup software include an encryption option that is used?
- Does backup software include a verification feature that is used?
- Are backup tapes retired after a reasonable amount of use?
- Is a log of all backup dates, locations, and responsible personnel kept and maintained securely?
- Is an effort made to avoid "over-backing up" (i.e., are old backups removed to avoid "clutter")?
- Does the backup system pass regularly administered tests of its effectiveness?

Store Information Properly
- Are recommended storage principles applied to master files and their backups alike?
- Are disks, tapes, containers, cabinets, and other storage devices clearly labeled?
- Is sensitive information segregated (i.e., is it maintained separately from normal use information at all times)?
- Is the handling of sensitive information restricted to authorized personnel?
- Are important files write-protected?
- Does staff know to communicate security concerns immediately?
- Has a secure media library been created as is possible?

Dispose of Information in a Timely and Thorough Manner
- Has an information retention and disposal policy been implemented?
- Are magnetic media that contain sensitive information properly cleaned before reuse or disposal?