Home Page

Table of ContentsChapter 1: IntroductionChapter 2: General Protocol and Policy StatementsChapter 3: Risk AssessmentChapter 4: Physical Security PoliciesChapter 5: Information Security Policies

Chapter 6: Software Security PoliciesChapter 7: User Access Security PoliciesChapter 8: Network and Internet Security PoliciesChapter 9: Administrative Policies and ProceduresChapter 10: Training ProtocolAppendices Index

 

10  Training Protocol


This site constitutes a dynamically changing security protocol. This is only the beginning of its possibilities. It is designed to assist Indiana School Boards, Administrators, and Teachers to implement safe data and information systems. As schools develop policies and encounter changing technological systems, there will be a need for amendments to this document. If school districts would like to share documents that could be used on this site as examples, we would welcome that. Suggestions, additions, comments, or questions about this protocol should be directed to the webmaster at <securityinfo@purdue.edu>. Thank you.



Educational Administrators and School Board Member Responsibilities

Procedures on how to develop protocol / policy

1. Policies generally cannot be adopted from another source and issued. Policies must be tailored for each specific organization. Factors that need to be addressed vary from organization to organization. These factors include, but are not limited to, the following:

  • objectives

  • legal requirements

  • organizational design

  • organizational culture

  • prevailing ethics and morals

  • extent of worker education

  • the information system technology used by the organization  [Wood, pp 2-3]


2. Concepts behind information security policies are similar from organization to organization or school district to school district. Consequently, there are essential ideas that should go into all information security policy statements. See examples in Appendices D, E, and H for examples.

3. One of the best ways to become familiar with the policy factors from #1 above is to do a risk assessment or analysis to determine the organization's unique information security needs. Each of these needs will then be addressed in a policy.  [Wood, p 798]  An example of network vulnerabilities and defenses charts is displayed in Chapter 3 .

4. Clarify roles and responsibilities related to information security and policy generation. This includes responsibility for issuing and maintaining policies. Identify management staff who will approve the final information security document.

5. Collect and read all existing internal information security awareness materials. List the underlying messages that they contain. Do a brief internal survey to gather ideas that the staff believe should be included in the policy document  [Wood, p 798].

6. Identify the persons to receive the policies, their computer knowledge and receptivity to security messages. Decide what orientation or training efforts should be conducted before security policies are issued.  Id.

 

Training Goals  [Source: Safeguarding, p. 109]

1.  Raise levels of awareness of user groups of all information security issues.


2. Make sure that users are aware of local, state, and federal laws and regulations related to confidentiality and security.


3.  Explain overall organizational security policies and procedures.


4.  Stress that security is a team effort and that each person has an important role in helping to meet security goals and objectives.


5. Train staff to perform the specific security responsibilities of their positions.


6. Alert staff that security all activities will be monitored.


7. Review consequences that accompany breaches in security policies and procedures.


8. Assure staff that reporting potential and actual security breaches and vulnerabilities is their responsibility and is necessary to remedy situations.


9. Convey to users that creating a secure trustworthy system is achievable, and every user plays a part to ensure the realization of this goal.


Training Resources



Indiana Assessment System of Educational Proficiencies, Training Manual (June 1999)
 

I.A.S.E.P. Training Information page http://iasep.education.purdue.edu/Training_info/welcome.htm 



National Cooperative Education Statistics System & National Center for Education Statistics, Safeguarding Your Technology: Practical Guidelines for Electronic Education Information Security, Chapter 10         
http://nces.ed.gov/pubs98/safetech/ 



Charles Cresson Wood, Information Security Policies Made Easy, Version 7 (Sausalito, Ca. October, 1999).


 

green horizontal line
 
 

Go to the Top of the Page To the Purdue University Home Page Go to the I.A.S.E.P. Project Home Page


Draft 7/16/00  v2
 
 

Updated 10/23/00.

Copyright 1999 - 2000 (c)  Purdue Research Foundation, Inc.  All Rights Reserved.
Questions? Comments? Suggestions? Additions?  Send them to the webmaster at securityinfo@purdue.edu.