



2  General Protocol & Policy Statements

This site constitutes a dynamically changing security protocol. This is only the beginning of its possibilities. It is designed to assist Indiana School Boards, Administrators, and Teachers to implement safe data and information systems. As schools develop policies and encounter changing technological systems, there will be a need for amendments to this document. If school districts would like to share documents that could be used on this site as examples, we would welcome that. Suggestions, additions, comments, or questions about this protocol should be directed to the webmaster at <securityinfo@purdue.edu>. Thank you.



2.1 Policy Underpinnings / Beliefs

 

  • Effective policies must be consistent with other directives, law, organizational culture, guidelines, procedures, and the organization's overall mission. They should also be integrated into and consistent with other organizational policies.
     

  • Good policies are developed for a specifically defined or finite group with similar goals. Consequently, a large organization may need to be divided into components or units in order to clearly articulate policy that will meet the needs of the organization.

  • Once the policies are identified they need to be visible in order to be effective. That means that policies will need to be fully communicated throughout the organization. Computer security training and awareness programs can effectively notify system users of security policies.  

  • Policies need to be introduced in a manner that indicates management's unqualified support and commitment to their implementation. 

    - Data security policies are the vehicle for emphasizing management's commitment to these policies and clarifying its expectations for employee performance, behavior, and accountability. [NIST at 13]

    - Data security policies are a way for management to demonstrate its belief that information security is important and that employees should pay close attention to securing information. [Wood at 9]

  • Data security policies must include provisions to protect the integrity of data in all phases of collection, use, storage, and transmission. 

  • Data security policies should include all activities to preserve the authenticity and accuracy of information and data through the entire chain of custody. 

  • Data security policies should also include efforts to ensure validity, integrity and appropriateness for the particular viewer in specified situations.  

  • Security policies set the stage for privacy. Privacy takes into account who has access to what information and data on school computer systems and the vulnerabilities in the systems throughout the entire process of information collection, use, storage, and transmission. 

  • The need to protect information and data must be balanced against the need to make the information and data easily accessible to those who are authorized and need to use it. 

  • Security policies facilitate consistent implementation of controls. They establish a standard and provide the basis to document compliance with system requirements. They also form the basis for disciplinary action if needed.

  • Security policies provide a systematic way for an organization to help avoid liability for negligence and breach of fiduciary duty.

  • The security system policies should be easy to understand and used to ensure that the system's safeguards are not circumvented.

  • A well-articulated data security policy should guide security product selection and implementation.  

  • Security system information should be disseminated to all persons in the organization, with enough orientation to ensure that everyone understands the purpose of the system, accepts its use by everyone, and then uses it appropriately.





Updated 7/25/00.

Copyright © 1999 - 2000 Purdue Research Foundation, Inc.  All Rights Reserved.
