Executive Summary
Accessing, manipulating, and sharing information electronically has
proven time and time again to be a cost-effective way of getting things
done. Thus, it isn't surprising that many schools, school districts,
state education agencies, and colleges and universities now use technology
to manage student, staff, and administrative records. Unfortunately,
safeguarding electronic information is not as straightforward as simply
assigning a technical staff person to verify that the "system" is protected.
It requires that top-level administrators invest time and expertise into
the development of a well-conceived, comprehensive, and customized security
policy. This policy must then be applied appropriately throughout
the entire organization, which again requires the commitment and authority
of top-level administrators. After all, while technical staffers
might be responsible to top-level educational administrators for information
technology security, the top-level administrators are in turn responsible
to the greater public.
What's at Stake?
- Computer and networking equipment (including both hardware and software)
  used for both instructional and administrative purposes
- Vital administrative information education organizations must use to operate
  efficiently and fulfill their mission effectively (e.g., class management
  information, password archives, and financial records)
- Confidential student and staff information education organizations maintain
  and are responsible for
Most people see the necessity of securing computer and networking equipment.
Machines cost money, and therefore have value unto themselves. But
if you take a moment to consider why organizations are so willing to spend
large amounts of money on technology--to store, access, and transmit information--the
value of the information becomes more apparent. After all, it makes
no sense to spend vast amounts of limited resources on a system for processing
information unless the information itself is of value. And because
information has become so useful, it's not only the hardware and software
that demand protection, but also the data. When information is lost,
damaged, or otherwise unavailable when needed, it can have a serious effect
on the day-to-day operations of an education organization. And when
the information at risk is an individual student record, the consequences
can be even more serious. What would be the damage, for example,
if student report card files were modified inappropriately or confidential
student aptitude scores were revealed improperly?
Would the cost of such a security breach be $2,000 to rekey information?
Or $20,000 to readminister tests? Perhaps $200,000 in settling legal
suits? How about $2,000,000 in lost technology funding when lawmakers
become fearful of entrusting private information about their constituents'
children to record systems that are perceived to be unsafe?
You should not, however, conclude that the repercussions of mishandling
information are limited to simple dollars and cents. Failing to secure
confidential information can carry other consequences as well. Educational
staff have not only an ethical responsibility to protect confidential information
about students and their parents, but also a legal obligation to do so.
Many states and localities have enacted laws and regulations to protect
a student's right to privacy. So, too, has the federal government--the
Family Educational Rights and Privacy Act of 1974 (FERPA) is a federal
guarantee of the privacy of educational records for students and their
parents.
Educational administrators are well trained and knowledgeable about
the protection of education records in a paper world. But as information
management becomes more and more technologically advanced, they must also
be able to protect electronic information and the software and hardware
used to manage it. What makes the issue of information security more
difficult is that many, if not most, educational administrators do not
have the technical expertise or, given their other vitally important duties,
the time to devote to single-handedly developing, implementing, and monitoring
information security policies and procedures for their organizations.
Nonetheless, the responsibility for both meeting the public's demands for
accountability and adequately securing information, software, and equipment
is inescapable for top administrators. Like it or not, it comes with
the job. And that is why this document has been developed.
Unlike other resources on electronic information security, this guide
has been developed specifically for educational administrators at the building,
campus, district, system, and state levels (e.g., school principals, district
superintendents, state chiefs, college deans, and their assistants).
It is meant to serve as a framework to help them better understand why,
and how, to effectively secure their organization's information, software,
and computer and networking equipment. Because this intended audience
has in most cases been trained to manage education organizations and not
computer systems, the document is written in non-technical language and
emphasizes a step-by-step approach to protecting education information
in a technology-based system, regardless of computer or network type and
technical savvy. Since only the reader understands his or her organization,
its needs, capabilities, limitations, and unique circumstances, the guidelines
are presented as well-researched recommendations (not canned solutions)
for developing security policies that are customized to meet each organization's
specific needs.
The document is organized into ten content areas (chapters):
- Why Information Security in Education? (An Introduction)
- Assessing Your Needs (Risk Assessment)
- Security Policy (Development and Implementation)
- Security Management
- Physical Security
- Information Security
- Software Security
- User Access Security
- Network (Internet) Security
- Training (A Necessary Investment in Staff)
Each chapter includes:
- An overview
- Commonly asked questions
- Anecdotes illustrating real-world relevance
- Security guidelines (actual recommendations)
- A summary checklist of "things to do" (based on the guidelines)
Key points about the development and implementation of effective
information security policies that are conveyed throughout the document
include:
- Successful information security policy requires the leadership, commitment,
  and active participation of top-level educational administrators.
- Information security initiatives must be customized to meet the unique
  needs of the organization.
- Effective information security is the result of a process of identifying
  an organization's valued information, software, and computer and networking
  equipment; considering the range of potential risks to those resources;
  tailoring security policy to those specific conditions; and ensuring that
  policy is not only developed properly but also implemented reliably.
- Critical information security strategies rely primarily upon appropriate
  conduct on the part of personnel, and secondarily on the use of technological
  solutions.
Above all, this document hopes to convey that increasing information
security is both a necessary and achievable task. It is the prudent
thing to do for organizations and the right thing to do for students, parents,
staff, and communities. These practical guidelines provide direction
for those top-level educational administrators who must lead the effort.