


1 Introduction

 
 

This site constitutes a dynamically changing security protocol. This is only the beginning of its possibilities. It is designed to assist Indiana School Boards, Administrators, and Teachers to implement safe data and information systems. As schools develop policies and encounter changing technological systems, there will be a need for amendments to this document. If school districts would like to share documents that could be used on this site as examples, we would welcome that. Suggestions, additions, comments, or questions about this protocol should be directed to the webmaster at securityinfo@purdue.edu. Thank you.

 


1.1  Purpose 

      The Indiana Assessment System of Education Proficiencies [IASEP] team is currently working with the Center for Education Research in Information Assurance and Security (CERIAS) at Purdue University to develop a prototype for security for electronically transmitted student assessment data. As the IASEP system is distributed across the State, the difficulties with potential PC platform incompatibilities must be addressed.
 

        One solution is to translate the IASEP software to an HTML format for access through the Internet. As we move toward the HTML format for data transmission, it will be critical to create safeguards to ensure the confidentiality and safety of the information that is submitted.
 

        While use of the Internet offers tremendous benefits for the IASEP system, Internet connectivity is dangerous for sites with low security levels.

The Internet suffers from glaring security problems that, if ignored, could have disastrous results for unprepared sites. [The fundamental problem is that the Internet was not designed to be very secure.] Inherent problems with TCP/IP services, the complexity of host configuration, vulnerabilities introduced in the software development process, and a variety of other factors have all contributed to making unprepared sites open to intruder activity and related problems. [NIST at pp. 7-8] 

      

  Organizations are rightly concerned about the security implications of using the Internet: 

 

Will hackers disturb internal systems?

Will valuable organizational data be compromised (changed or read) in transit?

Will the organization be embarrassed? [NIST at p.7]

[And worse yet, will the organization be sued for its lack of security if its system is compromised and confidential data is accessed?] 

 

        The purpose of a protocol for security policy development is to assist the educational organizations that use the IASEP system to decide how they are going to protect themselves. This document provides information to help policy makers, administrators and school boards understand the importance of developing and implementing organization-specific original policies to protect and secure their organization's data access, storage, and transmission.

         A committee consisting of representatives from the Indiana State Department of Education, the IASEP team, and CERIAS has analyzed the system needs and developed corresponding system architectural safeguards. In addition, the same group has been discussing the need for a protocol or policy facilitation document to accompany the IASEP system. It is likely that the IASEP prototype and the protocol for policy development for this system will serve as models for future educational data transmission and storage for many of the evolving electronically-based educational data systems in the State.
 

        This document presents an organizational framework and recommendations for securing information and equipment. It does not presume to dictate local policy, except in the areas where the State of Indiana has already required certain specific policies.


1.2  General security goals:  The goal of security is to protect information and the system without unnecessarily limiting its utility. At the same time, unauthorized access to critical systems and sensitive information must be prevented. The purpose of maintaining information in our schools is to help better serve students. In order to do that, the system should not be so secure that authorized users cannot get to the data that they need to do their jobs.
 

1.3  Goal of this project:  The goal of this project is to develop a general protocol for the management of all electronic educational data that complies with our state and federal laws. This protocol will contain a variety of resources for educational administrators and teachers.
 

1.4  Protocol-specific Objectives:


1) Identify current education-related and general data security policies, procedures, guidelines, and standards for review and make these available to IASEP constituents through a protocol document. 

2) Identify current education-related and general data security state, federal and private laws and regulations for review, and make these available to IASEP constituents through a protocol document.
 

3) Using the laws, policy resources and other data security information collected, develop a protocol document that will assist IASEP constituents to develop data security policies that will affect how data is accessed, entered, stored, transmitted and reported in Indiana.
 

4) Work with CERIAS and state educational and legal consultants to coordinate with the architectural security work underway with the current IASEP system. Supplement the architectural activities with procedural or policy assistance through a protocol document.
 

5) Develop a set of schematics to display the information compiled and written so that readers and practitioners can readily visualize and understand how the protocol elements fit together and how they could be used to develop and implement individual school district data security policy plans.
 

6) Develop a training protocol to disseminate critical information.


1.5  Intended Audience -- This protocol is written for school board members, educational administrators, and teachers to assist them to write and implement data security policies for their respective organizations. Every organization is different, so we do not propose specific policies. However, there are enough similarities in organizations and areas of risk that this document will outline the areas that need to be addressed, suggest resources to assist policy-makers, and give examples for consideration.


1.6  Major types of policy documents  --  Working Definitions  
 

For purposes of this project, the following terms and their project-specific definitions are being used. Please see Appendix A for additional terms used throughout this document.
 

Data or Information -- In many parts of this document the words "data" and "information" are used interchangeably, although these terms have distinct meanings that will be discussed in later chapters. Data or information refers to records that are directly related to students and maintained by an educational agency or institution or by a party acting for the agency or institution.

 
Type of Document, with Responsible Person or Entity

Protocol -- a set of recommendations, rules, and laws governing the treatment and formatting of data in an electronic communications system. This includes policy samples and suggestions for overall treatment of data security in individual school districts.
Responsible person or entity: This type of document is prepared by persons with statewide perspective to provide overall guidance to policy makers.

Policy -- Those broad decision making statements made by administrators related to educational data security.
Responsible person or entity: School boards and school administrators are responsible for the evolution of policies, which provide direction for implementation of more specific measures.

Security policy -- a collection of statements about the sensitivity of information on a system or LAN, the requirements for how that data must be protected, and the actions to be taken in the event the protection is violated.
Responsible person or entity: School boards and school administrators, in conjunction with computer system administrators

Standards and guidelines both generally refer to specific technologies and methodologies to be used to secure systems. More specifically, standards refer to the criterion against which the technologies and methodologies are measured. Guidelines are guiding principles or courses of action that should be followed when securing systems.
Responsible person or entity: School Administrators

Procedures normally assist in complying with applicable security policies, standards, and guidelines. They are detailed steps to be followed by users, system operations personnel, or others to accomplish particular security-related tasks (e.g., preparing new user accounts and assigning the appropriate privileges).
Responsible person or entity: System administrators and individual teachers
 

Some organizations issue overall computer security "manuals," "regulations," "handbooks," or similar documents. These may mix policy, guidelines, standards, and procedures, since they are closely linked. While manuals and regulations can serve as important tools, they are most useful when they clearly distinguish between policy and its implementation (sometimes a difficult process). This promotes flexibility and cost-effectiveness by offering alternative implementation approaches to achieving policy goals.



 1.7  Methodology, Initial Findings, and Presentation

 

        The purpose of this section of the data security project is to outline ways to secure IASEP data, hardware, software, network and e-mail components from destruction or corruption.  We began by researching federal, state, and private security policies for insight into how to best construct our own document. A web search of private, federal, and state data security laws, regulations, policies, guidelines, and procedures was done.  Jennifer Radecki, a part-time graduate research assistant, and Shelly Shinevar, a part-time paralegal student, did the state policy and statutory research, under the direction of Professor Deborah Bennett and the author of the protocol, Candace Elliott Person.
 

        The resources gathered were any policy, protocol, law, guide, document or plan that mentioned or focused on data security in its many forms.  As the research progressed, the resources were divided into four categories: data security, physical security, computer/software security, and other (which included network security and e-mail security).  The research per state is presented in Appendix C and Appendix E of this document.
 

        General documents, guides and Web sites not affiliated with any state were also collected. These resources can be found in Appendix F and Appendix H.  Books and written guides are included for reference.  Many of the applicable federal and state laws, regulations and legal procedures pertaining to data security are also summarized in Appendix B, Appendix D, and Appendix G.

       
 
       We found that most state information technology sites had security policies mentioned or slated for creation in the near future. However, the state Department of Education and Educational Technology sites contained very few security policies or plans. Most of the sites did contain links to technology plans, but very few articulated a cohesive system security plan. The focus of most of the technology plans was technology acquisition and set-up and creation of curriculums that would utilize and incorporate technology. Internet Acceptable Use policies and Network Acceptable Use policies, respectively, were the most prevalent documents found on both the state and education Web sites.

        Because we found so few comprehensive security documents on the web, we sent an e-mail letter to the authors of the Web sites researched to request further documentation. Some encouraging responses from the authors of some Web sites gave us additional security material with which to work.

        Overall, we found very few education-specific data security policies on the Web. That is not to say that these types of policies are not written. They were just not found on the Web. However, written documents were also not readily shared with us in response to our e-mail request to the Web sites.

        There may be several reasons for this finding. First, because of the large push in schools to make the technology available for teachers and students, there has been little time spent on articulating how the technology will be used safely. Secondly, those educational entities that have articulated their security policies internally may not want them to become public. The reason for this secrecy may be to prevent their systems from being compromised and to preserve the integrity of their systems. A third possible reason for finding few articulated data security policies is that educational institutions have not yet had time, or have chosen not, to articulate them. This could be because policy formulation can be very time-consuming, and there simply has not been time with the rapid influx of technology. Another reason may be that educational institutions are waiting for direction on their data security formulation.

         Whatever the reason for educational institutions not having data security policies in place, this document is designed to assist in that process. Because policy formulation can be very confusing and difficult to perform, it is our intent to make this document and our accompanying web site as user-friendly as possible.

 

1.8  Web Site Development 

 

         We have constructed a web site to disseminate the information gathered to all the constituents involved in the IASEP project. The web site is available to anyone, but especially to the teachers, parents, administrators and staff involved in the IASEP project. 

         The Web site's design uses a top horizontal table of contents to allow the reader to jump to different sections of the protocol. Links to the top of the page, to the Purdue home page and to the IASEP project home page are provided through buttons at the bottom of each main chapter page.  Each Appendix Index page (i.e. the Appendix C Index) utilizes the same top horizontal table of contents, but has no Purdue or IASEP links.  The "daughter" Appendix pages (i.e. the Alabama statutes page within Appendix C) have connections to their respective Index page and to other pages within that Appendix. 

         This document is a meld of information from all the documents and resources referred to in the Appendices. Since this document is intended as a resource manual, we did not want to include extensive amounts of references within the text itself. However, throughout the document we have referred to the major resources from which this document is formed. Those resources are identified either in introductory sentences to a chapter or in bracketed, numbered citations to specific resources.

         These citations are linked to Appendix H -- Bibliography & Resources for Internet Security Information.  




 Draft 5/27/00 v3

Updated 7/25/00.

Copyright © 1999 - 2000 Purdue Research Foundation, Inc.  All Rights Reserved.
Questions? Comments? Suggestions? Additions?  Send them to the webmaster at securityinfo@purdue.edu.