Trott/Turpin

Lesson 16

This document details the methods that the Los Fresnos ISD will implement to ensure that FresNet is a safe environment for all users.   This is the third component of the Los Fresnos Technology Infrastructure Plan as developed by the District’s Technology Leadership Taskforce.   Earlier this year, this Taskforce was formed to implement the District’s mandate to update its technological infrastructure as part of Project WIRE (Working, Integrating, and Rewarding Excellence). 

 

Our security plan is segmented into several sections.  The first section explains the school district’s view of security and its importance to the Technology Infrastructure Plan.  The next section explains the risk assessment tasks that will be completed as part of the overall project.  Then, we describe the security policy and procedures that will be developed from the risk analysis findings.  Lastly, we provide sections that discuss physical, information, software, user access, and network security issues. 


The Need for Security

Like most school districts, Los Fresnos has adopted technology as the primary means by which it organizes and accesses information.  Sharing information via computers and networks has proven time and time again to be a cost-effective way of getting things done.  Clearly, information is power.  In schools, it is the power to make the entire educational process more efficient.  Information about students, staff, courses, programs, facilities, and fiscal activities is collected and maintained so that Los Fresnos can effectively coordinate services offered to students, measure learning progress, assign and monitor staff responsibilities and resource use, and provide other valued services to their communities.

 

Because information has become so critical in daily operations, it is equally critical that this data is protected.  To educators, information about students, staff, and other resources is a valuable asset.  This data can represent an enormous investment and may be irreplaceable. 

 

It is also important to understand that education information is often considered to be confidential by its very nature.  Certain types of sensitive information must, by law, be protected from all parties who do not have a verifiable need-to-know.  In addition to numerous state and local confidentiality laws, the Family Educational Rights and Privacy Act of 1974 is a federal law designed specifically to protect the privacy of a student's education record.  This is just one example of legislation enacted specifically to protect confidential student information maintained in education record systems.  The Los Fresnos ISD is ultimately responsible for the integrity and security of its data.

 

There is a balance to maintain, though.  The goal of security is to protect system assets and information without unnecessarily limiting its utility.  The system shouldn't be so secure that authorized users can't get to the data they need to do their jobs or complete coursework.  At the same time, however, unauthorized access, especially to critical systems and sensitive information, must be prevented.  Because of this challenge, Los Fresnos will never be able to support a system that is absolutely secure.  The ideal of developing and maintaining a "trusted system" is, however, achievable and our approach to implementing such a system is detailed in the sections that follow.

Risk Assessment

When implementing our security plan, the first step will involve conducting a comprehensive network/system risk assessment.  The risk analysis process will enable Los Fresnos to identify:

 

·         All computer and network assets,

·         Potential threats to the operation of those assets,

·         Points where Los Fresnos may have vulnerabilities to those threats,

·         Probabilities of threats being realized, and

·         The potential costs associated with threat realization.

 

While this process may seem time consuming, it is nevertheless important.  The risk assessment process is a straightforward and necessary step in decision-making.  By evaluating our risks, we will be able to prioritize needs so that valuable resources are not expended on unnecessary safeguards.

 

Our guide for risk assessment activities will be the Federal Information Processing Standards (FIPS).  FIPS Standards 31 and 65 provide organizations with best practice guidelines for performing risk analyses.   The following eight steps will be performed as part of this process:

 

1.      Identify Sensitive Information and Critical Systems

2.      Estimate the Value of System Components

3.      Identify Threats

4.      Identify Vulnerabilities

5.      Estimate the Likelihood of an Actual Incident

6.      Identify Countermeasures Against Perceived Threats and Vulnerabilities

7.      Estimate Costs of Implementing Countermeasures

8.      Select Suitable Countermeasures for Implementation

 

By performing this risk assessment activity, Los Fresnos will be forced to consider the full range of potential threats and vulnerabilities it faces.  The findings of this analysis can then be used as the foundation for the security policies that will follow.
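As an added worked example (not part of the District's plan or of the FIPS text), the eight steps above carried through numerically: each threat's annual loss expectancy is the asset's value, times the fraction of it exposed, times the threat's yearly likelihood, and a countermeasure is selected only when the loss it avoids each year exceeds its own annual cost. Every dollar figure and probability in it is a constructed sample.

```python
"""Constructed sample data for a FIPS-65-style risk analysis (steps 1-8 above).
Not the District's own figures: every value here is illustrative."""
from dataclasses import dataclass, field


@dataclass
class Asset:                      # steps 1-2: a system or data set and its replacement value
    name: str
    value: float                  # dollars to recreate or replace
    sensitive: bool = False       # step 1: confidential under FERPA or similar law


@dataclass
class Threat:                     # steps 3-5: threat, the asset it hits, likelihood, exposure
    name: str
    asset: str
    annual_probability: float     # expected occurrences per year (step 5)
    exposure: float = 1.0         # fraction of the asset's value lost per occurrence (step 4)


@dataclass
class Countermeasure:             # steps 6-7: a control, its yearly cost, and what it reduces
    name: str
    annual_cost: float
    mitigates: dict = field(default_factory=dict)   # threat name -> fraction of loss avoided


def annual_loss_expectancy(assets, threats):
    """ALE per threat = asset value * exposure * annual probability."""
    values = {a.name: a.value for a in assets}
    return {t.name: values[t.asset] * t.exposure * t.annual_probability
            for t in threats}


def select_countermeasures(assets, threats, countermeasures):
    """Step 8: keep a control only when the loss it avoids each year exceeds its cost.
    Returns (name, net yearly benefit) for each selected control, best first."""
    ale = annual_loss_expectancy(assets, threats)
    chosen = []
    for cm in countermeasures:
        avoided = sum(ale[t] * fraction for t, fraction in cm.mitigates.items())
        if avoided > cm.annual_cost:
            chosen.append((cm.name, round(avoided - cm.annual_cost, 2)))
    return sorted(chosen, key=lambda item: item[1], reverse=True)


# Constructed sample inventory (illustrative figures, not District data)
SAMPLE_ASSETS = [
    Asset("student records server", 120_000.0, sensitive=True),
    Asset("library catalog PC", 3_000.0),
]
SAMPLE_THREATS = [
    Threat("server disk failure", "student records server", 0.2, exposure=0.5),
    Threat("virus outbreak", "student records server", 0.5, exposure=0.1),
    Threat("catalog PC theft", "library catalog PC", 0.1),
]
SAMPLE_COUNTERMEASURES = [
    Countermeasure("nightly tape backup", 2_500.0, {"server disk failure": 0.9}),
    Countermeasure("virus-checking software", 1_800.0, {"virus outbreak": 0.8}),
    Countermeasure("library alarm system", 900.0, {"catalog PC theft": 0.9}),
]

if __name__ == "__main__":
    for threat, loss in annual_loss_expectancy(SAMPLE_ASSETS, SAMPLE_THREATS).items():
        print(f"{threat:25s} ALE ${loss:,.0f}")
    for name, net in select_countermeasures(SAMPLE_ASSETS, SAMPLE_THREATS,
                                            SAMPLE_COUNTERMEASURES):
        print(f"select {name:25s} net benefit ${net:,.0f}/yr")
```

With these sample figures the alarm system is rejected: the catalog PC's expected yearly loss is smaller than the alarm's cost, which is exactly the "unnecessary safeguard" the assessment is meant to avoid.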

Security Policy and Procedures

Once we have identified the threats to our networks and data, we will be able to formulate the security policies needed to maintain a trusted educational system environment.  While policies themselves don't solve problems, they can define the ideal toward which our efforts should point. 

 

By definition, security policy refers to clear, comprehensive, and well-defined plans, rules, and practices that regulate access to an organization's system and the information included in it.  Good policy protects not only information and systems, but also individual employees and the organization as a whole.  It also serves as a prominent statement to the outside world about the organization's commitment to security.

 

Los Fresnos’ new security policy statement will detail the methods to be used in the secure operation of computer networks.  This document will be updated annually and will, at a minimum, include the following types of information:

 

·         The reason for the policy,

·         The individuals responsible for authoring and maintaining the policy,

·         The process involved for approving policy,

·         The laws or regulations on which the policy is based,

·         How the policy will be enforced,

·         The individuals and organizations that the policy will affect,

·         The information assets that must be protected,

·         What users are actually required to do, and

·         How security breaches and violations are to be reported.

 

Before the benefits of security can be realized, Los Fresnos’ staff must be properly informed of their roles, responsibilities, and organizational expectations.  To ensure the optimal operation of FresNet’s systems, District staff must be told in writing:

 

  1. What is and is not acceptable use of equipment,
  2. What the penalties for violating regulations will be,
  3. That their activities may be monitored, and
  4. That security will be a part of performance reviews.

 

Staff should be reminded that District resources, including computers, belong to the organization.  There should be no expectation of privacy for information stored on or transmitted with the organization's equipment.  Employees should be required to sign a Security Agreement to acknowledge that they are aware of their responsibilities and verify that they will comply with security policy. 

 

All new employees should be expected to meet the organization's security requirements and procedures as a part of their job description.  Once hired, new employees should be informed of, and trained on, security policy as a part of their initial orientation in order to impress the importance of security upon them.

Security Management

Management of FresNet’s security involves nurturing a security-conscious organizational culture, developing tangible procedures to support security, and managing the myriad of pieces that make up FresNet’s systems.  The designated security manager ensures that administration and staff are aware of their security roles, support security efforts, and are willing to tolerate the minor inconveniences that are inevitably a part of system change and improvement.  After all, if personnel circumvent security procedures (e.g., write down passwords, share accounts, and disable virus-checking software), they put the entire system at risk.  

Effective system security depends on creating a workplace environment and organizational structure where administrators understand and fully support security efforts, and where users are encouraged to exercise caution.  The security manager leads this effort and performs the following activities:

 

·        Communicates to staff that protecting the system is not only in the organization’s interests, but also in the best interest of users,

·        Increases staff awareness of security issues,

·        Provides for appropriate staff security training, and

·        Monitors user activity to assess security implementation.

 

Maintaining a secure environment involves many activities that must be aggressively pursued.  Effective security management involves the following tasks:

 

·        Security Breach Response Planning—There are two common responses to an attack on an information system: "protect and proceed" or "pursue and prosecute."  If administrators fear that the site is particularly vulnerable to attack, they may choose a "protect and proceed" strategy.   Upon detection of an attack, attempts are made to actively interfere with the intruder's penetration, prevent further encroachment, and begin immediate damage assessment and recovery.  This process may involve shutting down facilities, closing off access to the network, or other drastic measures.  With “pursue and prosecute,” the primary goal is to allow intruders to continue to access the system until they can be identified and have evidence of their unauthorized activities gathered against them.  While this approach is endorsed by law enforcement agencies and prosecutors because of the evidence it can provide, the major drawback is that the system and its information remain open to potential damage while the organization is trying to identify the source and collect its evidence.

 

·        Contingency Planning—This prepares the organization for recovery from a breach in security as quickly and efficiently as possible.  In fact, another term for contingency-type planning is recovery planning.  Planning for recovery from loss or downtime is not pessimistic as much as it is realistic.  Contingency planning can be complex and detailed; after all, it amounts to a blueprint for recovering District operations immediately after an interruption event has occurred.

 

·        Protecting Data through System Backups—This process not only protects the District in the event of hardware failure or accidental deletions, but also protects staff against unauthorized or accidental changes made to file contents.  If an error is made, having the option of accessing an unaltered backup is important.  To make this possible, backup files need to be created at appropriate intervals and themselves must be well protected from damage and destruction.

 

·        Virus Protection—Any machine that is connected to a network or that interacts with others via diskettes or a modem is vulnerable to rogue programs: computer viruses, worms, Trojan horses, and the like.  It is the security manager's duty to develop and monitor procedures for preventing viruses and other rogue programs from infiltrating the system.

 

 

·        User Account Management—Users other than the system managers should be given access to the system based solely on their job needs.  Restricting user access minimizes the opportunities for accidents and other possibly inappropriate actions.  Through the use of user accounts, each authorized user is identified before accessing the system, and every action taken under an account is attributed to that user.  Users should be given access only to files and systems that they need to do their jobs, and nothing more.

Physical Security

Physical security refers to the protection of building sites and equipment (and all information and software contained therein) from theft, vandalism, natural disaster, manmade catastrophes, and accidental damage (e.g., from electrical surges, extreme temperatures, and spilled coffee). It requires solid building construction, suitable emergency preparedness, reliable power supplies, adequate climate control, and appropriate protection from intruders.

 

When developing FresNet’s physical security plan, many questions must be answered.  Depending on the answers discovered, specific changes or policies must be implemented in order to fully secure the District’s computer and network assets.  A partial list of these questions is included in the sub-sections below.

 

Data Center Construction

 

·         Does each secure room or facility have low visibility (e.g., no unnecessary signs)?

·         Has the room or facility been constructed with full-height walls?

·         Has the room or facility been constructed with a fireproof ceiling?

·         Are there two or fewer doorways?

·         Are doors solid and fireproof?

·         Are doors equipped with locks?

·         Are window openings to secure areas kept as small as possible?

·         Are windows equipped with locks?

·         Are keys and combinations to door and window locks secured responsibly?

·         Have alternatives to traditional lock and key security measures (e.g., bars, anti-theft cabling, magnetic key cards, and motion detectors) been considered?

·         Have both automatic and manual fire equipment been properly installed?

·         Are personnel properly trained for fire emergencies?

·         Are acceptable room temperatures always maintained?

·         Are acceptable humidity ranges always maintained?

·         Are eating, drinking, and smoking regulations in place and enforced?

·         Has all non-essential, potentially flammable, material (e.g., curtains and stacks of computer paper) been removed from secure areas?

 

Equipment Protection

 

·         Has equipment been identified as critical or general use, and segregated appropriately?

·         Is equipment housed out of sight and reach from doors and windows, and away from radiators, heating vents, air conditioners, and other ductwork?

·         Are plugs, cabling, and other wires protected from foot traffic?

·         Are up-to-date records of all equipment brand names, model names, and serial numbers kept in a secure location?

·         Have qualified technicians (staff or vendors) been identified to repair critical equipment if and when it fails?

·         Has contact information for repair technicians (e.g., telephone numbers, customer numbers, maintenance contract numbers) been stored in a secure but accessible place?

·         Are repair workers and outside technicians required to adhere to the organization's security policies concerning sensitive information?

 

Theft Deterrence

 

·         Has all equipment been labeled in an overt way that clearly and permanently identifies its owner (e.g., the school name)?

·         Has all equipment been labeled in a covert way that only authorized staff would know to look for (e.g., inside the cover)?

·         Have steps been taken to make it difficult for unauthorized people to tamper with equipment?

·         Has security staff been provided up-to-date lists of personnel and their respective access authority?

·         Is security staff required to verify identification of unknown people before permitting access to facilities?

·         Is security staff required to maintain a log of all equipment taken in and out of secure areas?

 

Attend to Portable Equipment and Computers

 

·         Do users know not to leave laptops and other portable equipment unattended outside of the office?

·         Do users know and follow proper transportation and storage procedures for laptops and other portable equipment?

 

Power Management

 

·         Are surge protectors used with all equipment?

·         Are Uninterruptible Power Supplies (UPSs) in place for critical systems?

·         Have power supplies been "insulated" from environmental threats by a professional electrician?

·         Has consideration been given to the use of electrical outlets so as to avoid overloading?

·         Are the negative effects of static electricity minimized through the use of anti-static carpeting, pads, and sprays as necessary?

Information Security

As stated earlier, one of Los Fresnos’ most valuable assets is its information. Local, state, and federal laws require that certain types of information be protected from unauthorized release.  This facet of information security is often referred to as protecting confidentiality. While confidentiality is sometimes mandated by law, common sense and good practice suggest that even non-confidential information in a system should be protected as well--not necessarily from unauthorized release as much as from unauthorized modification and unacceptable influences on its accessibility.

 

Perhaps more than any other aspect of system security, protecting information requires specific procedural and behavioral activities. Information security requires that data files be properly created, labeled, stored, and backed up. If you consider the number of files that each employee uses, these tasks clearly constitute a significant undertaking.

 

When developing security policies, the following questions must be answered and associated changes made. 

Information Transmission

·         Is e-mail used for only the most routine of non-sensitive office communication?

·         Is everything, including passwords, encrypted before leaving user workstations?

·         Are encryption keys properly secured?

·         Have policy goals and objectives been translated into organizational security regulations that are designed to modify staff behavior?

·         Is dial-up communication avoided as much as is possible?

·         Are outside networks required to meet your security expectations?

·         Is the identity of information recipients verified before transmission?

·         Have times for information transmission been pre-arranged with regular trading partners?

·         Are security issues considered before shipping sensitive materials?


Information Backup

·         Are programs that are used to access information backed up?

·         Does backup software include a verification feature that is used?

·         Are backup tapes retired after a reasonable amount of use?

·         Is a log of all backup dates, locations, and responsible personnel kept and maintained securely?

·         Is an effort made to avoid "over-backing up" (i.e., are old backups removed to avoid "clutter")?

·         Does the backup system pass regularly administered tests of its effectiveness?


Information Storage

·         Are recommended storage principles applied to master files and their backups alike?

·         Are disks, tapes, containers, cabinets, and other storage devices clearly labeled?

·         Is sensitive information segregated (i.e., is it maintained separately from normal use information at all times)?

·         Is the handling of sensitive information restricted to authorized personnel?

·         Are important files write-protected?

·         Does staff know to communicate security concerns immediately?

·         Has a secure media library been created as is possible?

Software Security

Application software affects all areas of computing. It defines the concepts of word processing and spreadsheets, and allows for e-mail and other forms of electronic communication that have recently become so prevalent. Its security, therefore, is essential to the overall security of your information and system.

 

When developing security policies, the following questions must be answered and associated changes made. 

Software Management

·         Is critical system software controlled by central administration?

·         Has a formal testing and certification procedure for new/modified software been developed and initiated?

·         Are backups of critical software and information maintained in secure facilities at an off-site location?

·         Have all master copies of software been properly secured?

·         Has all software documentation been secured appropriately?

·         Does the organization expressly forbid lending or giving proprietary software to unlicensed users?

·         Does workplace equipment store and use only licensed and organizationally approved software?

·         Are software use and hard drive inventories monitored for copyright violations?

·         Is installation of software limited to authorized personnel?

·         Is staff adequately trained in software use and security?

Software Acquisition and Development

·         Are risk assessment findings considered before purchasing and developing new software?

·         Is written authorization required before any software is modified?

·         Is software design reviewed throughout the development process?

·         Are active applications and files (i.e., those actively running on the system) properly shielded from experimental/developmental software?

·         Are all master copies of internally developed software maintained by the organization and not the programmer?

·         Is suitable documentation prepared for all newly developed software?

·         Has all public software accessed via the Internet been verified for authenticity?

Software Testing

·         Are common types of viruses searched for specifically during new software testing?

·         Have all user functions been verified before new software is put into operation?

·         Are all files backed up before installing and upgrading software?

·         Are "live" data protected from new application testing?

·         Is new application testing done on non-networked computers?

·         Has old and new software been run in parallel to compare results?

User Access Security

User access security refers to the collective procedures by which authorized users access a computer system and unauthorized users are kept from doing so. To make this distinction a little more realistic, however, understand that user access security limits even authorized users to those parts of the system that they are explicitly permitted to use (which, in turn, is based on their "need-to-know").

 

User access security demands that all persons who engage network resources be required to identify themselves and prove that they are, in fact, who they claim to be. Users are subsequently limited to access to those files that they absolutely need to meet their job requirements, and no more. To accomplish this, decision-makers must establish policies regulating user account systems, user authentication practices, login procedures, physical security requirements, and remote access mechanisms.

 

When developing user access policies, the following questions must be answered and necessary changes made. 

User Account Management

 

·         Is file access limited to that information users need to do their jobs?

·         Are shared accounts explicitly prohibited?

·         Is the list of user accounts and names maintained securely?

·         Is account activity properly monitored?

·         Are dormant accounts terminated after pre-set periods of inactivity?

Require Users to Authenticate Themselves

·         Has an appropriate authentication system been selected based on risk assessment findings?

·         Are passwords required to be at least six characters in length?

·         Are names, dates, and other commonly anticipated password formats disallowed?

·         Are passwords that reflect or identify the user forbidden (e.g., initials and pet names)?

·         Is a mix of letters and numbers, and upper and lower cases required?

·         Is the use of non-words and random characters encouraged?

·         Has the system administrator changed all pre-set and packaged passwords?

·         Are passwords required to be changed at regular intervals?

·         Is password sharing expressly forbidden?

·         Are password reminders stored securely by personnel?

·         Have users been warned to never send their password as a part of an e-mail message?

·         Have users been warned not to type in their passwords when someone may be watching?

·         Are password characters masked on display screens?

·         Have users been told that they can, and should, change their password if they think it might be compromised?

·         Is a history of user passwords maintained securely and reviewed routinely to ensure that users are not recycling passwords?

·         Is the workplace appropriately monitored for adherence to security regulations?
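An added example, not the District's own code, of how the password rules in the checklist above can be enforced at the point where a password is chosen: the six-character minimum, the mix of cases and digits, the ban on dates and on names, initials and pet names, and a password history kept as salted hashes so that old passwords are never stored in clear. The staff profile, the previous password and the candidate passwords are constructed samples.

```python
"""Password-rule checker with a salted-hash history (added example; constructed data)."""
import hashlib
import hmac
import os
import re
from datetime import datetime

MIN_LENGTH = 6              # the plan's stated minimum
PBKDF2_ROUNDS = 100_000

# Constructed sample profile for a hypothetical staff member
PROFILE = {"username": "jsmith", "full_name": "Jane Smith", "pets": ["Rex"]}


def identifying_tokens(profile):
    """Strings a password must not contain: user name, names, initials, pet names."""
    names = profile["full_name"].split()
    initials = "".join(n[0] for n in names)
    return {t.lower() for t in [profile["username"], initials, *names, *profile["pets"]]}


def looks_like_date(pw):
    """True for passwords that are just a date, e.g. 041598, 04/15/98 or 1998."""
    digits = re.sub(r"[-/.]", "", pw)
    if not digits.isdigit():
        return False
    for fmt in ("%m%d%y", "%m%d%Y", "%Y"):
        try:
            datetime.strptime(digits, fmt)
            return True
        except ValueError:
            continue
    return False


def hash_password(pw, salt=None):
    """Salted PBKDF2 digest; the (salt, digest) pair is what the history file stores."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(pw, history):
    """Compare against each stored (salt, digest) without keeping old passwords."""
    return any(hmac.compare_digest(
                   hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS), digest)
               for salt, digest in history)


def check_password(pw, profile, history):
    """Return the list of rules the candidate breaks; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[a-z]", pw) or not re.search(r"[A-Z]", pw):
        problems.append("needs both upper- and lower-case letters")
    if not re.search(r"[0-9]", pw):
        problems.append("needs at least one digit")
    if looks_like_date(pw):
        problems.append("is a date")
    lowered = pw.lower()
    for token in sorted(identifying_tokens(profile)):
        if token in lowered:
            problems.append(f"contains identifying text '{token}'")
    if in_history(pw, history):
        problems.append("matches a previous password")
    return problems


# Constructed history: one previous password, stored only as salt + digest
HISTORY = [hash_password("Fr3sNet!")]

if __name__ == "__main__":
    for candidate in ["rex2024", "04-15-98", "Fr3sNet!", "W1nter-Br3ak"]:
        print(candidate, "->", check_password(candidate, PROFILE, HISTORY) or "accepted")
```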

Establish Standard Log-in Procedures

·         Is each user limited to acceptable times for logging into the system?

·         Is each user limited to acceptable places for logging into the system?

·         Is there a limit to the number of times a user can attempt to log in incorrectly?

·         Does staff know to log off and turn off computers?
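The three technical controls in the list above, permitted hours, permitted places and a cap on failed attempts, as an added example that is not the District's own code. The lock-out threshold, the hours and the campus address range are assumptions; the plan itself sets no values.

```python
"""Log-in gate for hours, places and failed attempts (added example; assumed values)."""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress

MAX_FAILED_ATTEMPTS = 3        # assumed lock-out threshold


@dataclass
class LoginPolicy:
    earliest: time             # permitted log-in window, local time
    latest: time
    networks: list             # address ranges the user may log in from


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked: bool = False


def evaluate_login(policy, state, when, source_ip, password_ok):
    """Decide one log-in attempt.  Returns (decision, reason); the reason is written
    to the security manager's audit log, not shown to the person logging in."""
    if state.locked:
        return "deny", "account locked; administrator must unlock"
    if not policy.earliest <= when.time() <= policy.latest:
        return "deny", "outside permitted log-in hours"
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in policy.networks):
        return "deny", "log-in from a place not permitted for this user"
    if not password_ok:
        state.failed_attempts += 1
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            state.locked = True
            return "lock", "failed-attempt limit reached"
        return "deny", f"bad password ({state.failed_attempts} of {MAX_FAILED_ATTEMPTS})"
    state.failed_attempts = 0          # a successful log-in clears the counter
    return "allow", "credentials accepted"


# Constructed sample policy for office staff: school hours, campus network only
OFFICE_POLICY = LoginPolicy(time(7, 0), time(18, 0),
                            [ipaddress.ip_network("10.20.0.0/16")])

# Constructed sequence of attempts: (when, source address, password correct?)
SAMPLE_ATTEMPTS = [
    (datetime(2024, 3, 4, 2, 30), "10.20.3.7", True),     # right place, wrong hour
    (datetime(2024, 3, 4, 9, 0), "203.0.113.5", True),    # right hour, wrong place
    (datetime(2024, 3, 4, 9, 1), "10.20.3.7", False),     # three bad passwords ...
    (datetime(2024, 3, 4, 9, 2), "10.20.3.7", False),
    (datetime(2024, 3, 4, 9, 3), "10.20.3.7", False),     # ... lock the account
    (datetime(2024, 3, 4, 9, 4), "10.20.3.7", True),      # even the right password fails now
]


def run_sample(policy=OFFICE_POLICY, attempts=SAMPLE_ATTEMPTS):
    """Replay the constructed attempts against a fresh account; returns the decisions."""
    state = AccountState()
    return [evaluate_login(policy, state, when, ip, ok)[0] for when, ip, ok in attempts]


if __name__ == "__main__":
    print(run_sample())
```

Attempts refused for the wrong hour or place are not counted toward the lock-out, so an outsider probing from off campus cannot lock a legitimate user out of their own account.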

Recognize the Importance of Physical Security

·         Have all system access points (nodes) been secured?

·         Has all cabling and wiring been secured?

·         Have floppy drives been disconnected from servers?

·         Are lockable screen savers installed and in use?

Pay Attention to Remote Access (and Modem Use)

·         Is pre-approval required for remote access capabilities?

·         Is staff aware that remote access is monitored? Is it?

·         Are modems set to answer only after several rings?

·         Is a callback system in place?

·         Is message authentication required in addition to user authentication?

·         Is sensitive information prohibited from being transmitted over public lines unless the files are first encrypted?

·         Is the organization aware of security features used by outside networks to which it connects? Are they acceptable?

·         Are firewalls in use as needed?

·         Are dial-in communication numbers protected from outsiders?

·         Are modems disabled when not in use?

·         Are modems always kept off automatic answer modes?

·         Are modems only installed on computers in secure locations?

·         Is Internet access granted to only those users who need it?

·         Have all users been reminded that system use is only for approved activities?

·         Are users required to sign Appropriate Use Agreements (see Chapter 3) before receiving access to the system?

Network Security

Network security, especially as it relates to the biggest network of all, the Internet, has emerged as one of today's highest-profile information security issues. Many education organizations have already connected their computing resources into a single network; others are in the process of doing so. The next step for these organizations is to weigh the costs and benefits of opening a connection between their private networks (with their trusted users) and the unknown users and networks that compose the Internet.

When developing network protection policies, the following questions must be answered and changes implemented as needed. 

Protect Your Network from Outsiders

 

·         Have you fully implemented applicable security strategies as recommended in previous chapters?

·         Has your network been isolated from the outside (e.g., the Internet) through the use of a firewall?

·         Is equipment and information that is intended for "external" use logically located outside of your firewall?

 

Protect Transmissions Sent over the Internet

·         Is a Secure Sockets Layer (SSL) used to secure financial and information transactions made with a Web browser?

·         Are messages authenticated via digital signatures?

·         Are messages authenticated via time stamps or sequence numbers?

·         Are message recipients authenticated by digital certificates?

·         Are all messages sent over the Internet first encrypted?
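An added example, not from the plan, of the message authentication the last checklist asks about: a keyed hash (HMAC) over a shared key stands in here for the digital signature, and the time stamp and sequence number bound under it let the receiver reject stale and replayed messages. The shared key, the acceptance window and the messages are constructed.

```python
"""Message authentication with time stamp and sequence number (added example)."""
import hashlib
import hmac
import json

MAX_CLOCK_SKEW = 300          # seconds a time stamp may differ from the receiver's clock (assumed)
SHARED_KEY = b"constructed-shared-key-replace-in-practice"


def sign_message(key, seq, body, now):
    """Sender side: bind sequence number, time stamp and body under one MAC."""
    payload = json.dumps({"seq": seq, "ts": int(now), "body": body},
                         sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


class Receiver:
    """Receiver side: verifies the MAC before trusting any field, then checks freshness."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0      # highest sequence number accepted so far

    def verify(self, msg, now):
        expected = hmac.new(self.key, msg["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):      # constant-time comparison
            return False, "MAC mismatch: message altered or wrong key"
        data = json.loads(msg["payload"])
        if abs(int(now) - data["ts"]) > MAX_CLOCK_SKEW:
            return False, "time stamp outside acceptance window"
        if data["seq"] <= self.last_seq:
            return False, "sequence number already seen: replay"
        self.last_seq = data["seq"]
        return True, data["body"]


if __name__ == "__main__":
    receiver = Receiver(SHARED_KEY)
    first = sign_message(SHARED_KEY, 1, "grade export for period 3", 1_700_000_000)
    print(receiver.verify(first, 1_700_000_010))     # accepted
    print(receiver.verify(first, 1_700_000_020))     # same message again: replay
```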