
9   Administrative Policies & Procedures


This site constitutes a dynamically changing security protocol. This is only the beginning of its possibilities. It is designed to assist Indiana School Boards, Administrators, and Teachers to implement safe data and information systems. As schools develop policies and encounter changing technological systems, there will be a need for amendments to this document. If school districts would like to share documents that could be used on this site as examples, we would welcome that. Suggestions, additions, comments, or questions about this protocol should be directed to the webmaster at <securityinfo@purdue.edu>. Thank you.



9.1  Importance of Administrative Policies -- Policies related to the administration of computer systems and networks are also necessary to ensure that school boards, administrators, teachers, and staff are not found liable for breaches in any data security measures.


9.1.1  Legal Implications -- School systems are responsible for the security of all confidential, sensitive, and private information that is entrusted to them and which resides on their computer systems. If this information or data is compromised, school boards, administrators, and teachers could be found liable for the information being revealed in any way that is not authorized by statute or by the individuals whose information is compromised. This is one of the major reasons for the formulation of data security policies on all levels. See the FERPA Fact Sheet link in Appendix B.


9.1.2  Responsibility of all members of the education team --
Each member of the education team, from teachers to school board members, has a level of responsibility that they should be aware of, should be trained about, and should respect. Security breaches create not only legal vulnerabilities, but credibility and trust vulnerabilities.


9.2  Administrative security --
Top level administrators must have access to almost any information related to system users, use patterns, audit trails, confidential and other information, and whatever other level of information will allow them to do their jobs appropriately. Just because administrators are allowed top level access does not mean that they need top level access. Their requirements will also need to be assessed. If they do not need to access confidential and other levels of information on a regular basis, it is best not to allow access until, or unless, it is needed. A method for special access should be established for occasional access needs.


9.2.1  Training and increasing awareness


9.2.1.1
All persons involved with the computer system and its confidential, sensitive, or private information need training as to the security requirements involved in using the system, their responsibilities, and their level of security clearance. See Chapter 10 of this document for further training information.


9.2.1.2
Reasonable efforts are imperative to alert both authorized and unauthorized users that the school computer systems are monitored and that unauthorized access and use of the system will have legal sanctions. See Chapter 7.


9.2.2  Reporting of security problems
-- Anyone who encounters actual or potential security problems should report them to the appropriate systems administrators as soon as the problems are detected.


9.3   Compliance
-- The overall responsibility of administrators is to ensure that there is compliance with all data security policies and to investigate and sanction all breaches of policies. 


9.3.1  How to follow policy
-- All users of a school's computer system or network must be trained to help them understand how to best follow new and well-established data policies. Users are more likely to comply if they understand the reasons for the policies and the consequences of not following them. 


9.3.2  How policy exceptions are handled
-- There may be times when exceptions to established policies will need to be made. It's important to have a procedure in place to handle potential exceptions. For most data security policies, any exceptions must be addressed by top level systems and other administrators. If the exception approval process is outlined clearly, there will be no excuse for not following the procedure when it is needed.


9.3.3  Consequences of policy noncompliance
-- All users must understand the consequences of not following security policies. Because breaches of some policies can carry legal consequences, those policies need to be specifically addressed. Consequences may range from warnings to exclusion from use of the system to dismissal from the job. Clearly defined consequences underline the importance of the policies.


9.4   Periodic Reviews of the System and its use
-- The need for policies may change as laws, practice, and technology change. Consequently, there should be a pre-determined time each year to review the computer system or network and to further refine security policies. This will ensure that the most up-to-date procedures are in place.


9.5  Password Management Policies
-- Password management is one of the first lines of defense in protecting a school's data security system. The risk assessment that determines the level of security measures should be done yearly at a pre-determined time. If there is a higher risk in a particular area than previously, different measures may need to be put into place for greater protection of confidential, sensitive, or private information.


9.6  Granting access to confidential data
-- All users must be assessed as to their need for access to confidential, sensitive, and personal data and information. The job description and other assigned duties define which level of access they need and which parts of the information they need it for. No user should be granted any greater level of access than is necessary to do their job appropriately.


9.7   Data Security Contingency plans
-- Contingency plans for potential breaches are necessary to ensure that there is a reasonable, measured response to infractions or major breaches. Initial plans may fail, and backup plans will ensure appropriate responses.




Draft 7/16/00  v2
 

Updated 7/27/00.

Copyright © 1999 - 2000  Purdue Research Foundation, Inc.  All Rights Reserved.

Questions? Comments? Suggestions? Additions?  Send them to the webmaster at securityinfo@purdue.edu.