8  Network and Internet Security Policies
 
 

This site constitutes a dynamically changing security protocol. This is only the beginning of its possibilities. It is designed to assist Indiana School Boards, Administrators, and Teachers to implement safe data and information systems. As schools develop policies and encounter changing technological systems, there will be a need for amendments to this document. If school districts would like to share documents that could be used on this site as examples, we would welcome that. Suggestions, additions, comments, or questions about this protocol should be directed to the webmaster at <securityinfo@purdue.edu>. Thank you.



8.1 Authentication -- Authentication refers to the many processes of making sure that the persons who log on to a computer system or network are who they say they are. Authentication actually makes decisions based on 'who' was at the source. Authentication can be as simple as a computer ID and password or as complex as one-time passwords, challenge-response passwords, or physical identification (retinal, voice, image, etc.). [NIST Policy, p. 33]


8.1.1 Risk Assessment is a needed first step. An organization's initial Risk Assessment will provide information on how extensive the authentication process should be. The Risk Assessment step should never be eliminated, since this process is what provides guidance for decision making on authentication systems. 


8.1.2 Authentication Resources -- There are many resources available that discuss authentication resources in more depth. The following list may be of use:

  • Organization for Economic Co-operation and Development. Information, Computer and Communications Policy Committee Working Party on Information Security and Privacy Joint OECD-Private Sector Workshop on Electronic Authentication, Background Paper on Electronic Authentication Technologies and Issues (June 1999) http://www.nzcs.org.nz/nzpkaf/jointoecd.htm

  • Center for Information Technology, National Institutes of Health, Authentication and Encryption Software (May 2000) at http://www.alw.nih.gov/Security/prog-auth.html

8.2 Firewall Administration


8.2.1 Internet Firewall Policy -- A firewall refers to a special kind of software used to control access into and out of a designated computer network. The purpose of a firewall is to protect a computer system from intrusion from outside the system. It will also control the access of users to sources outside the system. Firewalls are an important and essential component of any computer network.

8.2.2  Firewall-related issues

8.2.2.1 Dial-in numbers -- Do not publicly list dial-in numbers, since all remote access users should have those numbers. 

8.2.2.2 Automatic answer mode -- Do not leave a modem on automatic answer mode. This could subject the system to unauthorized and unsupervised system access. 

8.2.2.3 Modem use only from secure locations -- Modems connected to system machines should always be protected by a firewall or gateway. 

8.2.2.4 Security of external networks -- External networks to which the school network connects must be secure. If they cannot be verified as secure, precautions such as gateways and firewalls will need to be installed. Install automatic terminal identification, dial-back, and encryption mechanisms to protect transmissions to and from off-site users. [Safeguarding, p. 69] 

8.2.2.5 Internet connections -- The Internet and other networks provide two ways of communication and access. The internal school system or network must be secured to protect against access from these networks. 

8.2.3  Firewall Resources -- there are many resources available related to firewalls, including some of the following:

8.3 System Integrity, security, documentation & incident handling -- These are all the responsibility of systems administrators. There need to be policies in place to ensure that all these areas are dealt with appropriately.



8.4 Logs and Audit Trails (Audit/Event Reporting and Summaries) -- Logs and audit trails must be maintained at all times and stored in a secure place.

8.4.1  System logs.  Logs should keep track of who is granted access to specific student information, who actually accesses the records, and when access occurs. Other access logs should also be established according to the results of the risk assessment. 
 

8.4.2  Event Reporting.  A system of performing and reporting event audit results should be implemented to ensure appropriate administrative evaluation and handling of access events. Policies for when and how those audits will be done, and who is responsible for them, should be established initially when a computer network or system is placed in service.  
 

8.4.3 Network Monitoring Resources -- Monitoring of a computer system or network should be implemented and used regularly. Regular reports should be reviewed by system and school administrators.

8.5  Internet and World Wide Web (WWW) -- The Internet, and specifically the Web, have provided great opportunities for students and faculty for educational purposes. However, they have also created numerous security and privacy issues. For that reason, it is essential to have policies that address the use of the Internet, the Web, and e-mail systems.

8.5.1 Internet Use Policies -- Internet use policies should be developed to guide teachers, students, staff, and school administrators in their use of the Internet. 
 

STATE OF INDIANA REQUIREMENTS FOR PUBLIC SCHOOL INTERNET ACCEPTABLE USE POLICIES AND GUIDELINES

Source: http://www.siec.k12.in.us/aup/require.html



A.   Each public school corporation in Indiana must adopt an Internet Acceptable Use Policy which:

    1.  Describes general instructional philosophies and strategies to be supported by Internet access in the schools. 

    
    2.  Describes the process for governing local internet system security, user accounts and user privileges.

    
    3.  Describes sanctions to be taken when violations of the policy occur.

    
    4.  Makes specific reference to prohibiting the use of school corporation Internet resources/accounts:

         
         A.  To access, upload, download or distribute pornographic, obscene or sexually explicit material. 

         
         B.   To transmit  obscene, abusive or sexually explicit language.

         
         C.   To violate any local, state or federal statute.

         
         D.   To vandalize, damage or disable the  property of another person or organization. 

         
         E.   To access another person's materials, information or files without the implied or direct permission of that person.

         
         F.   To violate copyright, or otherwise use another person's intellectual property without their prior approval or proper citation.

    

    5.   Requires that parents be notified that their students will be using school corporation resources/accounts to access the Internet, and provides parents the option to request alternative activities not requiring Internet access. 

   
    6.   Requires the permission of and supervision by the school's professional staff for a student to use a school account or resource to access the Internet.

    
    7.   Indicates that the educational value of student Internet access is the joint responsibility of students, parents and employees of the school corporation.

   
    8.   Makes the school corporation's Internet policies and procedures available for review by all parents, guardians, staff and members of the community.


B.  Each public school corporation in Indiana must provide staff and student Internet users guidelines for: 

   
    1.   Responding to unsolicited online contact. 

   
    2.   Safeguarding personal information, such as name, address, telephone number, etc.
 

Indiana Department of Education -- Revised November 1995
 






STATE OF INDIANA RECOMMENDATIONS FOR PUBLIC SCHOOL INTERNET ACCEPTABLE USE POLICIES AND GUIDELINES

Source:   http://www.siec.k12.in.us/aup/recomm.html


A.  It is strongly recommended that each public school corporation in Indiana establish an Internet Acceptable Use Policy that is consistent with existing policies for print media, and that the local Internet Acceptable Use Policy include: 

    1.  A brief explanation of the Internet, content that is available via the Internet, and the potential educational value of student access to the Internet. 

    2.  Disclaimer limiting the school corporation's liability relative to: 

      A.  Information stored on school corporation diskettes, hard drives or servers. 

      B.  Information retrieved through school corporation computers, networks or online resources.
 

      C.  Personal property used to access school corporation computers, networks or online resources. 

      D.  Unauthorized financial obligations resulting from use of school corporation resources/accounts to access the Internet. 

   3.  Parent/Guardian responsibilities.

   4.  A description of the privacy rights and limitations of school sponsored/managed Internet accounts.
 

   5.  Notification that, even though the school corporation may use technical means to limit student Internet access, these limits do not provide a foolproof means for enforcing the provisions of local Acceptable Use Policies.

   6.  Notification that all provisions of the policy are subordinate to local, state and federal statute. 

   7.  Notification to parents/guardians that it is possible for students to purchase goods and services via the Internet and that these purchases could potentially result in unwanted financial obligations. 

B.  It is strongly recommended that each public school corporation in Indiana develop guidelines that: 

   1.  Include suggestions to help parents and students to take full advantage of Internet access from home or public access terminals. 

   2.  Require students of an appropriate age to read and sign (indicating their acceptance of the provisions and agreement to comply) the school corporation's Acceptable Use Policy. 

   3.  Describe appropriate staff use of school corporation Internet resources/accounts. 

   4.  For internal use, assign specific staff with specific security, management and account responsibilities associated with the school corporation's Internet resources and accounts. 

   5.  Include procedures for users to subscribe to Internet services, such as list servers and news groups. 

Indiana Department of Education -- Revised November 1995.

 



 8.5.2 Acceptable Use Policy Examples

Model Acceptable Use Policy 
Access to Electronic Information, Services, and Networks
published by the Indiana Department of Education

 

This model meets all the requirements for an AUP for Indiana public school corporations.

Source: http://www.siec.k12.in.us/aup/modelaup.html
 

 {SCHOOL DISTRICT} Policy on District-Provided

Access to Electronic Information, Services, and Networks


    Freedom of expression is an inalienable human right and the foundation for self-government.  Freedom of expression encompasses the right to freedom of speech and the corollary right to receive information. Such rights extend to minors as well as adults. Schools facilitate the exercise of these rights by providing access to information regardless of format or technology.  In a free and democratic society, access to information is a fundamental right of citizenship.
 

    In making decisions regarding student access to the Internet, the {SCHOOL DISTRICT} considers its own stated educational mission, goals, and objectives. Electronic information research skills are now fundamental to preparation of citizens and future employees. Access to the Internet enables students to explore thousands of libraries, databases, bulletin boards, and other resources while exchanging messages with people around the world.  The District expects that faculty will blend thoughtful use of the Internet throughout the curriculum and will provide guidance and instruction to students in its use. As much as possible, access from school to Internet resources should be structured in ways which point students to those which have been evaluated prior to use. While students will be able to move beyond those resources to others that have not been previewed by staff, they shall be provided with guidelines and lists of resources particularly suited to learning objectives.
 

    Outside of school, families bear responsibility for the same guidance of Internet use as they exercise with information sources such as television, telephones, radio, movies, and other possibly offensive media.

    Students utilizing District-provided Internet access must first have the permission of and must be supervised by the {SCHOOL DISTRICT's} professional staff. Students utilizing school-provided Internet access are responsible for good behavior online just as they are in a classroom or other area of the school. The same general rules for behavior and communications apply.
 
    The purpose of District-provided Internet access is to facilitate communications in support of research and education. To remain eligible as users, students' use must be in support of and consistent with the educational objectives of the {SCHOOL DISTRICT}. Access is a privilege, not a right. Access entails responsibility.  Users should not expect that files stored on school-based computers will always be private.  Electronic messages and files stored on school-based computers may be treated like school lockers. Administrators and faculty may review files and messages to maintain system integrity and insure that users are acting responsibly.

The following uses of school-provided Internet access are not permitted:
 

   1.) To access, upload, download, or distribute pornographic, obscene, or sexually
      explicit material;

   2.) To transmit obscene, abusive, or sexually explicit language;

   3.) To violate any local, state, or federal statute;

   4.) To vandalize, damage, or disable the property of another individual or organization;

   5.) To access another individual's materials, information, or files without permission; and,

   6.) To violate copyright or otherwise use the intellectual property of another individual or organization without permission.

Any violation of District Policy and rules may result in loss of District-provided access to the Internet. Additional disciplinary action may be determined at the building level in keeping with existing procedures and practices regarding inappropriate language or behavior. When and where applicable, law enforcement agencies may be involved.

The {SCHOOL DISTRICT} makes no warranties of any kind, neither expressed nor implied, for the Internet access it is providing. The District will not be responsible for any damages users suffer, including--but not limited to--loss of data resulting from delays or interruptions in service. The District will not be responsible for the accuracy, nature or quality of information stored on District diskettes, hard drives, or servers; nor for the accuracy, nature, or quality of information gathered through District-provided Internet access. The District will not be responsible for personal property used to access District computers or networks or for District-provided Internet access. The District will not be responsible for unauthorized financial obligations resulting from District-provided access to the Internet.


Parents of students in the {SCHOOL DISTRICT} shall be provided with the following information:
 
    The {SCHOOL DISTRICT} is pleased to offer its students access to the Internet. The Internet is an electronic highway connecting hundreds of thousands of computers and millions of individual users all over the world. This computer technology will help propel our schools through the communication age by allowing students and staff to access and use resources from distant computers, communicate and collaborate with other individuals and groups around the world, and significantly expand their available information base. The Internet is a tool for life-long learning.
 

    Families should be aware that some material accessible via the Internet may contain items that are illegal, defamatory, inaccurate, or potentially offensive to some people. In addition, it is possible to purchase certain goods and services via the Internet which could result in unwanted financial obligations for which a student's parent or guardian would be liable.

While the District's intent is to make Internet access available in order to further educational goals and objectives, students may find ways to access other materials as well.  Even should the District institute technical methods or systems to regulate students' Internet access, those methods could not guarantee compliance with the District's acceptable use policy.  That notwithstanding, the District believes that the benefits to students of access to the Internet exceed any disadvantages. Ultimately, however, parents and guardians of minors are responsible for setting and conveying the standards that their children should follow when using media and information sources. Toward that end, the {SCHOOL DISTRICT} makes the District's complete Internet policy and procedures available on request for review by all parents, guardians, and other members of the community; and provides parents and guardians the option of requesting for their minor children alternative activities not requiring Internet use.

NOTICE: This policy and all its provisions are subordinate to local, state, and federal statutes.






Sample Acceptable Use Policy 
and Application for Classroom use of the Internet

Adapted from Kevin Barry, Florida Institute of Technology, Academic & Research Computing Services and originally recommended by the Southern Indiana Education Center.
Source:  http://www.siec.k12.in.us/aup/Acceptable.Use.txt

 

TERMS AND CONDITIONS FOR USE OF INTERNET

Please read the following carefully before signing this document.  This is a legally binding document.  Internet access is now available to students and teachers in the ______ County School District.  The access is being offered as part of a collaborative project involving ______________ School, the Indiana Department of Education, and _________________.  We are very pleased to bring this access to ________ County and believe the Internet offers vast, diverse and unique resources to both students and teachers.  Our goal in providing this service to teachers and students is to promote educational excellence in the ________ County Schools by facilitating resource sharing, innovation and communication.
 

The Internet is an electronic highway connecting thousands of computers all over the world and millions of individual subscribers. Students and teachers have access to:

         1)      electronic mail communication with people all over the world.

         2)      information and news from NASA as well as the opportunity to correspond
                  with the scientists at NASA and other research institutions.

         3)      public domain and shareware of all types.

         4)      discussion groups on a plethora of topics ranging from Chinese culture to
                  the environment to music to politics.

         5)      access to many University Library Catalogs, the Library of Congress, CARL and ERIC.

With access to computers and people all over the world also comes the availability of material that may not be considered to be of educational value in the context of the school setting.  _________ and _______  have taken available precautions to restrict access to controversial materials. However, on a global network it is impossible to control all materials and an industrious user may discover controversial information.  We, at  ____________ School, and ___________ firmly believe that the valuable information and interaction available on this worldwide network far outweighs the possibility that users may procure material that is not consistent with the educational goals of this Project.

Internet access is coordinated through a complex association of government agencies, and regional and state networks.  In addition, the smooth operation of the network relies upon the proper conduct of the end users who must adhere to strict guidelines.  These guidelines are provided here so that you are aware of the responsibilities you are about to acquire.  In general this requires efficient, ethical and legal utilization of the network resources.  If a ________ school user violates any of these provisions, his or her account will be terminated and future access could possibly be denied.  The signature (s) at the end of this document is (are) legally binding and indicates the party (parties) who signed has (have) read the terms and conditions carefully and understand (s) their significance.

Internet - Terms and Conditions
 
1) Acceptable Use - The purpose of NSFNET, which is the backbone network to the Internet, is to support research and education in and among academic institutions in the U.S. by providing access to unique resources and the opportunity for collaborative work. The use of your account must be in support of education and research and consistent with the educational objectives of the ________ County School District.  Use of other organization's network or computing resources must comply with the rules appropriate for that network.  Transmission of any material in violation of any US or state regulation is prohibited.  This includes, but is not limited to: copyrighted material, threatening or obscene material, or material protected by trade secret.  Use for commercial activities __________ is generally not acceptable.  Use for product advertisement or political lobbying is also prohibited.

2) Privileges - The use of Internet is a privilege, not a right, and inappropriate use will result in a cancellation of those privileges. (Each student who receives an account will be part of a discussion with a _________ teacher pertaining to the proper use of the network.) The system administrators will deem what is inappropriate use and their decision is final.  Also, the system administrators may close an account at any time as required.  The administration, faculty, and staff of ____________ may request the system administrator to deny, revoke, or suspend specific user accounts.

3) Netiquette - You are expected to abide by the generally accepted rules of network etiquette. These include (but are not limited to) the following:
 
        a)      Be polite. Do not get abusive in your messages to others.

        b)      Use appropriate language.  Do not swear, use vulgarities or any other inappropriate language. Illegal activities are strictly forbidden.

        c)      Do not reveal your personal address or phone numbers of students or colleagues.

        d)      Note that electronic mail (e-mail) is not guaranteed to be private. People who operate the system do have access to all mail.  Messages relating to or in support of illegal activities may be reported to the authorities.

        e)      Do not use the network in such a way that you would disrupt the use of the network by other users.

        f)       All communications and information accessible via the network should be assumed to be private property.
 

4) Warranties -  _______________ and ___________ make no warranties of any kind, whether expressed or implied, for the service it is providing.  __________ School and ________ will not be responsible for any damages you suffer.  This includes loss of data resulting from delays, nondeliveries, misdeliveries, or service interruptions caused by its own negligence or your errors or omissions.  Use of any information obtained via _________ or __________ is at your own risk. _________ and _________ specifically deny any responsibility for the accuracy or quality of information obtained through its services.
 

5) Security - Security on any computer system is a high priority, especially when the system involves many users.  If you feel you can identify a security problem on Internet, you must notify a system administrator or e-mail __________ .  Do not demonstrate the problem to other users.  Do not use another individual's account without written permission from that individual.  Attempts to login to Internet as a system administrator will result in cancellation of user privileges.  Any user identified as a security risk or having a history of problems with other computer systems may be denied access to Internet.
 

6) Vandalism - Vandalism will result in cancellation of privileges.  Vandalism is defined as any malicious attempt to harm or destroy data of another user, Internet, or any of the above listed agencies or other networks that are connected to the NSFNET Internet backbone.  This includes, but is not limited to, the uploading or creation of computer viruses.
 

7) Updating Your User Information - Internet may occasionally require new registration and account information from you to continue the service.  You must notify Internet of any changes in your account information (address, etc).  Currently, there are no user fees for this service.
 

8) Exception of Terms and Condition - All terms and conditions as stated in this document are applicable to the __________ County School District and the ___________.  These terms and conditions reflect the entire agreement of the parties and supersede all prior oral or written agreements and understandings of the parties.  These terms and conditions shall be governed and interpreted in accordance with the laws of the State of Indiana, and the United States of America.

I understand and will abide by the above Terms and Conditions for Internet.  I further understand that any violation of the regulations above is unethical and may constitute a criminal offense.  Should I commit any violation, my access privileges may be revoked, school disciplinary action may be taken and/or appropriate legal action.

User Signature:_____________________________   Date: ___/ ___/ ___

******************************************************************

PARENT OR GUARDIAN (If you are under the age of 18 a parent or guardian must also read and sign this agreement.)
 

As the parent or guardian of this student I have read the Terms and Conditions for Internet access. I understand that this access is designed for educational purposes and ________ has taken available precautions to eliminate controversial material.  However, I also recognize it is impossible for __________________ to restrict access to all controversial materials and I will not hold them responsible for materials acquired on the network.

Further, I accept full responsibility for supervision if and when my child's use is not in a school setting.  I hereby give permission to issue an account for my child and certify that the information contained on this form is correct.


Parent or Guardian (please print): _______________________________
Signature: _____________________________  Date _______________
 




 

8.7  Electronic Mail -- e-mail is an effective, accepted, and popular means of  communication to and from computer users. It is not considered secure unless it is encrypted. Consequently, any authorized transmission of confidential, sensitive or private information should be encrypted and sent as an e-mail attachment. 

8.7.1 Acceptable E-mail Usage -- Acceptable use of e-mail policies should be implemented at the same time an e-mail system is made available to users of a computer system or network. School and system administrators should provide system users with a copy of the policies. Users should be required to sign a statement that they have read and agree to comply with the policies. 

8.7.2 Potential E-mail Problems -- The use of e-mail by school computer system users presents potential problems.

8.7.2.1 Accidents -- Since security of confidential information is a requirement, any accidental transmission of that information could cause personal and legal consequences. Consequently, it is important to make sure that security accidents do not occur. A procedure should be in place as to how any accidents will be addressed.

8.7.2.2  E-mail Threats -- Many kinds of threats, both external and internal, can impact an e-mail system. E-mail use policies need to be communicated to all e-mail system users. Users should be required to sign an acknowledgment that they have read and agree to comply with the policies before they are allowed to use the e-mail system.

8.7.2.3 Harassment -- E-mail systems can be used for harassment of other users. If any users are feeling harassed they need to know the policy for reporting any threats or harassment to school and system administrators. School administrators and school boards can be held liable for these kinds of incidents that are not addressed after they are reported. Consequently, a well-established policy and system of reporting and handling those reports must be in place.

8.7.2.4  Impersonation -- Any incidents of a different person  pretending to be a user must be reported immediately. 

 

8.7.2.5  Eavesdropping -- This occurs when an outside or inside entity gains unauthorized access to a computer system or network for the purpose of intercepting messages or other information or files.

 

8.7.2.6  Mail bombing -- This is a mechanism used to create  thousands of e-mail messages which potentially clog a system and cause it to crash.  

 

8.7.2.7  Junk mail -- Junk mail takes up space, wastes users' time and generally wastes system resources. The system e-mail policy should address the method that will be used to handle any junk mail. 

8.7.3   Use of the e-mail system for personal use

 

8.7.4  E-mail Safeguards -- All users must be aware of safeguards that are provided by the network for the e-mail system, as well as safety measures that are expected from users. 

Users need to understand that all messages sent with or over the school's e-mail system are property of the school and are subject to inspection or monitoring. This policy is for the protection of the users, the school administration, and the school computer network. In the school environment the security of confidential information and the appropriate use of the e-mail system prevails over the privacy interests of the users. 

8.7.4.1 Protection of E-mail Messages and Systems -- all e-mail systems should be protected with anti-virus software to ensure that the school computer network is not adversely affected by any viruses or other harmful programs that enter the system via e-mail messages or attachments. Users should also be aware of what is expected from them to  assure e-mail safety. 

 

8.7.4.2  Retention of E-mail Messages -- retention of e-mail messages is often one of the best methods to trace offending messages. This information is also used to provide evidence of harassment, theft, viruses, and other security breaches. Users should be instructed to keep any messages that evidence a potential for system security or personal threat. These messages should immediately be shared with systems administrators, according to the method designated in the e-mail security policy. 

  8.7.5  Example E-mail Policy -- see policies above. In addition, see Appendix E for various state e-mail use policies, including but not limited to the following:



Resources used to formulate this chapter were primarily the following: NIST's Internet Security Policy: A Technical Guide by Barbara Guttman and Robert Bagwill at http://csrc.ncsl.nist.gov/isptg/  [13] and Safeguarding Your Technology at http://nces.ed.gov/pubs98/safetech/  [30].



 


 



Draft 7/9/00  v3

 
 

Updated 7/27/00

Copyright©1999 - 2000 Purdue Research Foundation, Inc.  All Rights Reserved.

Questions? Comments? Suggestions? Additions?  Send them to the webmaster at securityinfo@purdue.edu.