LESSON 16: SECURITY AND SENSITIVE INFORMATION CONCERNS
COMM 5350
KARIN PORTER
KARON TARVER
JAMYE SWINFORM
KATHERINE SQUIRES
Introduction[1]
According to the Federal Information Technology Security Assessment
Framework, “Information and the
systems that process it are among the most valuable assets of any organization.
Adequate security of these assets is a fundamental management responsibility.”
It is therefore critical to implement and maintain a program to adequately
secure information and system assets. “Programs must: 1) assure that systems
and applications operate effectively and provide appropriate confidentiality,
integrity, and availability; and 2) protect information commensurate with
the level of risk and magnitude of harm resulting from loss, misuse, unauthorized
access, or modification.”
“School Districts must plan for security, and ensure
that the appropriate officials are assigned security responsibility and authorize
system processing prior to operations.”
In addition to the three primary elements mentioned above, it is also critical to consider these additional elements when securing computer networks that manage school records and financial data and allow Internet access to and from the classroom. First, there needs to be security to prevent unauthorized access to the systems on the network. This can be accomplished through user education and the effective use of passwords. Second, it is important to take measures to protect the information on the system and as it passes through the network. This can be accomplished through system and network configuration methods and encryption products. Finally, authentication schemes are a critical element to the ongoing protection of applications and data.
Purpose and Scope of a Security Policy
Every school district and individual
school needs a security policy that covers all major facilities and operations.
The security policy should cover security planning, risk management, review
of security controls, rules of behavior, life-cycle management, processing
authorization, personnel, physical and environmental aspects, computer support
and operations, contingency planning, documentation, training, incident response,
access controls, and audit trails. The security policy should clearly identify
the purpose of the security program and its scope within the district and
the school.
Security Policy Primary Objectives:
Security Policy Standards:
Responsibilities
The security program needs to have
a security management structure with adequate authority including the expertise
of IT security manager(s). Security responsibilities and expected behaviors
should be clearly identified and defined for all stakeholders, including owners
and users, information resources management and data processing personnel,
senior management, and security administrators. One way to ensure compliance
with security responsibilities is through user education.
“Network
security education should begin with a general discussion regarding the interdependence
of all users on the system and the ethical/moral obligation each user has
to protect the system. Second, clear definitions should be provided to users
explaining the differences between those resources which are publicly available
and those that are proprietary. Third, user education should strongly emphasize
the legal aspects of security. Another important aspect of security education
is an explanation to users of the role played by passwords (both to their
accounts and to other restricted resources on the network).”[2] In order to measure the effects of user education, there
needs to be general compliance; specified penalties
and disciplinary actions should also be identified in the security policy.
The primary issue when protecting networked information is preventing unauthorized access to data and user accounts. Several ways to eliminate or minimize a security threat include:
Establishing User Access Privileges. One step toward protecting systems is to compartmentalize user access to applications and data stored on networked computer systems (e.g., protect the users from one another so that one user cannot damage the applications or data of another);
Creating a Firewall. Physically configuring the network in a manner which restricts access will allow the protection of sensitive data on a network. This can be accomplished by using a dedicated router which functions as what is referred to as a packet filtering firewall; and
Utilizing Encryption Software. The solution most often offered to ensure privacy of information is encryption. Encryption involves the scrambling of data through a hardware or software embedded algorithm. The information passes through the network in this encrypted form and is decrypted via a similar mechanism once it arrives at its designated destination.
A secondary issue, which is unique to education, is protecting
data from within. Unlike industry,
education must recognize that students have a built-in curiosity to “crack
the system.” This curiosity or maliciousness
is coupled with opportunity unless the district is vigilant in monitoring
and enforcing acceptable use policies. One solution for Crane ISD has been to implement Service Management
Server (SMS). This program electronically
monitors for illegal software, both harmful and innocuous. SMS regularly searches the network and inventories
selected programs, such as software designed for privacy invasion like Orifice
or bandwidth-demanding software like Napster, and allows the technology staff
to remove them and protect the network more effectively.
Secondly, all users have a unique user account and must change their passwords
every 60 days. This is especially
important for staff and administrator accounts. The unique account number allows tracking of
Internet usage through tools such as Proxy logs. Finally, the Acceptable Use
Agreement that each network user must sign allows for revoking all electronic
usage should a network user abuse the use of the Crane ISD educational network.
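The 60-day password rule and per-account tracking through proxy logs can be checked with a short audit script. The following is an added example, not part of the original lesson or of Crane ISD's tooling; the account export, the proxy log format, and all names and values in it are constructed assumptions.

```python
from collections import Counter
from datetime import date

MAX_PASSWORD_AGE_DAYS = 60  # rotation interval stated in the lesson

# Constructed account export: (account, role, date of last password change).
ACCOUNTS = [
    ("s1001", "student", date(2001, 3, 1)),
    ("t2001", "staff", date(2001, 1, 5)),
    ("a3001", "administrator", date(2001, 2, 20)),
]

# Constructed proxy log lines in an assumed format: "<date> <account> <bytes> <url>".
PROXY_LOG = """\
2001-03-12 s1001 5120 http://example.org/homework
2001-03-12 t2001 880431 http://example.net/media
2001-03-12 lab-shared 2048 http://example.org/index
2001-03-13 s1001 10240 http://example.org/library
malformed line
"""

def overdue_passwords(accounts, today, max_age=MAX_PASSWORD_AGE_DAYS):
    """Return [(account, role, age_days)] for passwords older than max_age, oldest first."""
    overdue = [(name, role, (today - changed).days)
               for name, role, changed in accounts
               if (today - changed).days > max_age]
    return sorted(overdue, key=lambda row: row[2], reverse=True)

def usage_by_account(log_text, known_accounts):
    """Sum bytes per known account; collect identifiers that match no account."""
    usage, unknown = Counter(), set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # skip lines that do not match the assumed format
        _, account, size, _ = fields
        if account in known_accounts:
            usage[account] += int(size)
        else:
            unknown.add(account)  # traffic that cannot be tied to one person
    return dict(usage), sorted(unknown)

if __name__ == "__main__":
    today = date(2001, 3, 15)  # constructed audit date
    print("Overdue passwords:", overdue_passwords(ACCOUNTS, today))
    print("Usage / unknown IDs:", usage_by_account(PROXY_LOG, {a[0] for a in ACCOUNTS}))
```

An identifier such as the constructed `lab-shared` entry shows why unique accounts matter: its traffic appears in the log but cannot be attributed to an individual user.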
Disaster Recovery and Emergency Procedures
Crane ISD must be responsible for preparing, periodically updating, and regularly
testing a campus plan for recovering from a disaster that renders certain
Electronic Information Resources unavailable for an unacceptable period of
time. Such a Disaster Recovery Plan should establish the frequency of testing
campus disaster recovery procedures. The campus should ensure that any local
operations procedures are coordinated with the campus Disaster Recovery Plan.
The Disaster Recovery Plan should specify emergency response procedures, including
specifying teams of personnel assigned responsibility for responding in emergency
situations, and specifying procedures to enable team members to communicate
with each other and with management during an emergency. Backup copies of
data and software that are sufficient for recovery from an emergency situation
pertaining to Essential Electronic Information Resources must be stored at
a secure, commercial site providing standard protection or at a non-commercial
off-campus site providing equivalent protection against fire, flood, earthquake,
theft, decay, and other hazards.
Conclusions
Security is a major concern to anyone installing, managing, and using networks. A security plan is an important part of a technology plan. A discussion of the potential risks in the Crane ISD, an exploration of the products and strategies available to eliminate or minimize risks, and informed decisions and responsible parties to implement the security plan are essential for success.
[1] The information in this document has been taken from four primary sources: (1) Business & Finance Bulletin IS-3, Electronic Information Security, November 12, 1998, University of California BFB IS-3 Information Security; (2) Federal Information Technology Security Assessment Framework, November 28, 2000, prepared for the Security, Privacy, and Critical Infrastructure Committee by the National Institute of Standards and Technology (NIST) Computer Security Division, Systems and Network Security Group; (3) Safeguarding Your Technology: Practical Guidelines for Electronic Education Information Security, U.S. Department of Education, September 1998; and (4) The California Network Planning Guide, http://ousd.k12.ca.us/netday/links/refs.html