5.1 General Information & Data Protection Policies. After the school
does an assessment of its information security status and a plan is set in
motion for its security, policy statements about that information are needed.
Policies related to a school's handling of information, particularly related
to school children, are essential to ensure that the school is in compliance
with federal and state laws. A clear and consistent policy related to securing
that information at all phases of its collection, use and storage is imperative.
5.1.1 Confidentiality of information.
One of the most
valuable assets of a school is its information, and specifically information
related to individuals. This information must be safeguarded.
State and federal laws require that information related to individuals
be kept secure, confidential, and protected from unauthorized release.
The Family Educational Rights and Privacy Act of 1974 (FERPA) requires that
all individual student records be protected from unauthorized disclosure.
See Appendix B.
5.1.2 Integrity of information. All confidential and non-confidential
system information must be protected from unauthorized creation, modification
or deletion of that information. Consequently, policies about who may create,
modify and delete this information are critical to provide guidance to
all administrators and staff of the organization.
5.1.3 Availability of information. All confidential and non-confidential
information must be protected from unauthorized access, delay or denial
of information.
5.2 Data or Information Classification. Data
is raw information that lacks any context, and therefore is not meaningful
in and of itself. When data is placed in a context, it becomes information.
The number 76 lacks meaning standing alone, but when it is associated with
the words intelligence quotient, it takes on meaning. All data or information
must be classified into the security level necessary for its protection.
5.2.1 Sensitive information: Information
that requires special precautions to assure the integrity of the information,
by protecting it from unauthorized modification or deletion. It is
information that requires a higher than normal assurance of accuracy and
completeness. Examples of sensitive information include school financial
transactions and regulatory actions.
5.2.1.1 Collection of sensitive information:
Collection
of sensitive student information must be done by authorized persons in
a manner that will protect the confidentiality of that information.
5.2.1.2 Modification of sensitive information:
Only authorized persons may modify any sensitive student records.
5.2.1.3 Disclosure of sensitive information: Sensitive
information may be disclosed only to those persons with authorization.
5.2.2 Confidential information: This
is the most sensitive student information that is intended strictly for
use within the school. This information is exempt from disclosure
under the provisions of the Freedom of Information Act or other applicable
federal laws or regulations. Its unauthorized disclosure could seriously
and adversely impact the school, its students and their parents, its teachers
and administrators, and the school board.
5.2.2.1 Collection of confidential information:
Collection of
confidential student information must be done by authorized persons in
a manner that will protect the confidentiality of that information.
5.2.2.2 Modification of confidential information:
Only authorized persons may modify any confidential student records.
5.2.2.3 Disclosure of confidential information:
Confidential
information may be disclosed only by authorized persons to authorized persons.
5.2.3 Private information: The
term private data refers to data of a personal nature, which if disclosed
to individuals other than those with an authorized "need to know" would
be seriously detrimental to an individual or would be an invasion of a
person's right to privacy. This applies
to information covered by federal or State privacy laws and information
ordered private by a court. Its unauthorized disclosure could seriously
and adversely impact the student and the school.
5.2.3.1 Collection of private information:
Collection of private
student information must be done by authorized persons in a manner that
will protect the confidentiality of that information.
5.2.3.2 Modification of private information:
Only authorized persons may modify any private student records.
5.2.3.3 Disclosure of private information:
Private information
may be disclosed only to those persons with authorization.
5.2.4 Public information: Public information is
information that does not clearly fit into the sensitive, confidential
or private information classifications. Its unauthorized disclosure
may be against policy in some instances, but that disclosure does not seriously
or adversely affect the school, its employees, and/or its students.
5.2.4.1 Collection of public information:
Collection of public
information may be done by anyone employed for that purpose.
5.2.4.2 Modification of public information:
It's always important
that information of any kind be accurate and be kept up-to-date. There
are potential legal problems with the use of inaccurate information.
5.2.4.3 Disclosure of public information:
If information is public,
it may be generally released upon request without permission, but it must
also be released consistent with any applicable policies. It's important
to ensure that that information is accurate, up-to-date, or at least contains
a disclaimer stating the source of the information and when it was last
updated.
5.3 Transmission of information. Before any information is transmitted,
it is necessary to know its level of sensitivity and the extent to which
it can be transmitted according to other policies in place. Policies should
identify what persons may access, prepare, and transmit the information,
along with any disclaimers that go with the information.
5.3.1 Copying and printing.
As part of ensuring the privacy of
information, copying and printing additional copies of any confidential
information should be limited or restricted, except with appropriate permissions.
5.3.2 Shipping and manual handling of information.
Use caution in sending information in any format. If sending information
by U.S. mail or express carriers, be sure that recipient addresses are
correct, and include a notice, addressed to anyone who is not the recipient,
stating the confidential nature of the materials and that no one but the
named recipient should read the materials.
5.3.3 Transmission by fax or phone.
Great caution should be used
in talking about information with anyone on the phone and with transmitting
any confidential information by fax. Be sure that the person talking about
or sending the information has permission to do so and is the appropriate
person to send it. In addition, ensure that the recipient of the information
has permission to receive it. All faxes should be accompanied with a cover
sheet that contains a warning similar to the following:
Warning: This material is intended only for the individual or entity
to which it is addressed. It may contain privileged, confidential
information which is exempt from disclosure under applicable laws.
If you are not the intended recipient, please note that you are strictly
prohibited from disseminating or distributing this material (other than
to the intended recipient) or copying this material. If you have
received this communication in error, please notify us immediately by telephone
and return this material (and all copies) to us by mail at the above address.
On request, we will reimburse you for any cost of return. Thank you.
5.3.4 Transmission via the Internet. Internet transmission of
confidential information is inherently dangerous. There are many ways for
this information to be intercepted. Any confidential information sent must
be encrypted, using the organization's standard encryption policy. Any
accompanying e-mail message should also contain a warning message similar
to the one displayed above.
5.4 Identification and Authentication. It is important to make sure that
all persons using a confidential information system are authorized for its
use at the specific level of access that they are allowed. Policies and
mechanisms must be implemented to ensure that this occurs at all times.
A system defining who may access which parts of an information system, and
at what level, will need to be in place before the system may be accessed
by those individuals.
5.4.1 General Identification Policy.
Mechanisms must be in place
to establish the identity of any individual attempting to access the information
system.
5.4.2 General Authentication Policy. Authentication
is the act of verifying a user's identity in order to prevent unauthorized
use. Authentication can be as simple as a computer ID and password or as
complex as one-time passwords, challenge-response passwords, or physical
identification (retinal, voice, image, etc.). Schools should establish a
consistent method of authentication that fits the facility's needs and
which generates a log of all system use.
5.5 Information Integrity. Information integrity refers to information
that is complete and uncompromised. Administrators should implement policies
to make sure that information remains in its original, uncompromised
condition. In addition, confidential information should be periodically
checked to make sure that it has not been compromised.
5.6 Digital Signatures and Certificates: Digital certificates are
electronic transmissions that allow the recipient to authenticate the
identity of the sender via third-party verification from an independent
certificate authority. A digital certificate is a code attached to an
electronic message that is used to verify that the individual sending the
message is really who he or she claims to be. Schools should consider using
these forms of verification on each computer when transporting information
via the Internet.
5.7 Intellectual Property rights: Intellectual
property is the tangible or intangible results
of research, development, teaching, or other intellectual activity. This
includes things such as original written materials, software, trademarks,
or product designs. The owner of the specific intellectual property has
certain rights to control the use of that property. All staff need to be
aware of what constitutes intellectual property and need to be respectful
of the owner's rights.
5.7.1 Assignment of IP rights:
The owner of intellectual property
may assign his or her rights to others. Staff who write original works
as part of their employment may be required to assign those rights to their
employer or may keep them, depending on the policy of the employer. If
school personnel wish to use copyrighted materials from another, they must
first obtain permission to use those materials or an assignment of their
rights. This should be in writing and a copy should be kept on file.
5.7.2 Respect of IP rights:
All software will be registered and
used according to the licensing agreements. No one will copy software.
All software documentation should accompany each computer. Documentation
for portable computers will be placed in a specified place.
5.8 Right to know about secured data: Parents have a right to know what
data is being collected on their children. A procedure for allowing parents
to see confidential records will be written and used. See Appendix G for
sample forms.
5.9 Encryption: Encryption is the
process of translating a file into an unintelligible format, or encoding
it, via the use of mathematical algorithms or other encoding mechanisms.
To open the document, the recipient must have a matching key to decrypt
and read the message. While encryption prevents others from reading encrypted
documents, encrypted files can be damaged, destroyed, or keys can be lost
so that the files are not accessible. This is a risk that policymakers
must consider.
5.9.1 Never send sensitive information in a regular e-mail. Encrypt
any messages or information that must be sent via e-mail. See Appendix F
for technical resources related to encryption.
5.9.2 Encrypt all sensitive information on laptops and desktops and
any information that is stored on a network server. This includes passwords.
5.9.3 Any encryption system used should be system-wide, consistent from
computer to computer, and keys should be made available to administration
or identified IT staff to ensure that information is not lost. All encryption
products used will support a method of making encryption keys available
to management or IT staff. See Internet Security Policy: A Technical Guide
for more information on encryption pointers. [13]
5.10 Password policies: Use consistent required passwords. See the
considerations that should be included when assembling a password system
in Chapter 7 of this document.