Data Security in K-12 School Districts

• By Patricia Deubel
• 04/02/07

##AUTHORSPLIT##<--->

Key words in data security are confidentiality, integrity, and availability. While K-12 school districts can address data security by putting systems and policies into place, I suspect that one additional issue is often overlooked. That is, data security is a people issue. Network administrators can't do it all.  It takes knowledgeable and vigilant staff and students to support the process. One might categorize security at macro and micro levels.

Macro security: systems and policies
Data security threats can be intentional, unintentional, or environmental. When one thinks about threats to data security, hackers, remote access to the network by students and teachers, spam, and computer viruses quickly come to mind. Data can be lost or damaged in system crashes or when software programs in use freeze-up. Data might become corrupt due to faulty disks or disk drives. People might accidentally delete or overwrite data files. Data might be lost due to power failures, flooding, fires, bombs, tornadoes, or hurricanes. The list goes on. According to John Waters (2007), new security threats now include the use of Internet resources themselves, portable technologies (e.g., laptops, PDAs, USB devices, and memory sticks), phony e-mails, instant messaging, and peer to peer file sharing.  At a macro level are the hardware/software and policies that districts put in place to minimize and contain those threats.

There are many products and services from which to choose.

Disaster Recovery. Security threats make districts more aware of ensuring plans for disaster recovery of financial, instructional, and accountability data. Districts can store data offsite using companies that provide back-up services for schools (Mills, 2006), such as Rediker Software or LiveVault. For day to day onsite recovery, Fortres Grand states that its Clean Slate will protect computers from malicious or inexperienced users by returning drives back to their original state upon reboot or log off. Thus, it protects original files from being modified and clears unwanted changes such as erased files, installed unauthorized software, downloaded spyware, adware, viruses, and Trojan horses, and any changes to icons. It also blocks unfamiliar executable files from running. Note also that Apple is building data recovery into the upcoming release of Mac OS X "Leopard" through a feature called Time Machine, which recovers not only at the file level, but also at the document content level.

Malware protection. Firewall, anti-spyware, and virus protection software are needed, but such software tends to police access. Firewalls might actually inhibit what educators can do in the classroom by preventing access to appropriate internet resources and preventing them from downloading certain software they would like to try out (Waters, 2007). Anti-spyware like Lavasoft's Ad-Aware and Spybot Search & Destroy are popular with free versions available. David Nagel (2007) reported that Sendio launched an e-mail security product for education called I.C.E. Box (Intercept, Confirm, or Eliminate). Sendio indicates that this is the only anti-spam product on the market that relies on verifying a sender's address as a means to block unwanted emails. It also rejects viruses before they enter your network. Rather than worrying about compatibility among stand-alone products, districts might prefer all-in-one suites from McAfee or Semantic, which are listed among the top-10 in 2006 by PC Magazine.

Identity-driven infrastructures. Waters (2007) indicated that district solutions are moving toward identity-driven infrastructures to manage endpoints and control network access using products from Novell and Nevis Networks, for example.  Novell's Identity Manager helps to automatically assign system resources and access privileges to users and to manage passwords. The company's Storage Manager uses identities to help assign appropriate storage on the network. It also protects schools against liability by letting you control the type of content that can be stored by individuals or groups on the network, and where and when users can store it. Nevis Networks' LANenforcer controls access to the network based on user IDs. The LANenforcer Security Appliance also identifies and eliminates a range of threats such as worms, spyware, adware, bots, Trojans, and disk operating system attacks.

Physical-level protection. At the physical level, what happens to data when student and staff laptops and classroom and administrative computers are stolen from schools? There are product solutions for that, too. For example, Cyber Angel Security Solutions states that their software not only helps recover the stolen hardware, but also prevents access to data stored on those computers with its "on the fly encryption while in the hands of an unauthorized user" and remote access to data stored on the school's network because of its password entry system.

AUP policies. School districts also implement acceptable use policies. Those documents should contain enforceable consequences for infringements including disciplinary actions (e.g., detention, suspension, and expulsion), removing computer privileges, and possible legal actions that begin with notifying police when laws are broken (e.g., hacking into computers to delete or alter student records). The Houston Independent School District Appropriate Use Policy (AUP) might be a model, as well as the Kentucky Department of Education's AUP guidelines and state requirements for access to electronic information resources. I suspect that many school districts will need to update their AUPs for the use of portable technologies (e.g., iPods, USB drives, and digital cameras), particularly in regard to authorized connections to the school's network and consequences for unauthorized connections.

Micro security: the human side
Security systems and policies alone are not sufficient. When was the last time you left your laptop open for all to see and left your classroom? Or forgot to log out of the network? Or put your password on a post-it note taped to the bottom of your desk? Or opened an e-mail attachment from an unknown sender? When might you have attached a document to e-mail with confidential information about a student that you wanted to discuss with a colleague? Have you deleted e-mails you sent with school related business, thinking you would not need them anymore? Or left a window open in the computer lab overnight? If you did any of those, you put yourself, your school, and your data at risk.

Purdue University has a new initiative, Keeping Information Safe: Practices for K-12 Schools, which considers the micro level to securing data--namely, people. Purdue recognized, "K-12 educators and support staff are largely unaware of the threats and vulnerabilities associated with the information systems they use." They might not know how their actions can affect data security. Hence, the university developed a series of modules to help people understand why information security is important to them, and what they can do to contribute to the overall information security of their organization.

I found video clips, case studies, and interactive quizzes in those modules, and learned a few new things, too. They contain security concepts, how to keep your PC and the data on it safe from physical threats, common vulnerabilities and drawbacks to using e-mail and best practices to increase e-mail safety and security, including encryption; proven techniques for creating strong passwords; how to avoid getting duped by the social engineering methods that hackers use to get passwords or physical access to the network; and software/Internet applications and operating system issues, like proper configuration and updates. Plus, key vocabulary like spoofing, phishing, viruses, worms, and Trojan horses are discussed. The entire package is provided free for non-commercial use and can easily be downloaded and burned onto CDs for mass distribution.

I urge school districts to help staff and students become knowledgeable about data security from two perspectives: the systems and policies initiated and the human side of actions they take. For further assistance with this endeavor, consider using resources provided at The Cyber Security for the Digital District website, an initiative from the Consortium of School Networking. By the way, as you read this opinion piece on your computer, did you have a cup of coffee in your hand? Oops.

Product Resources:

• Cyber Angel Security Solutions
• Fortres Grand Clean Slate
• Lavasoft’s Ad-Aware
• LiveVault
• Nevis Networks LANenforcer
• Novell products
• McAfee
• Rediker Software
• Sendio I.C.E. Box
• Spybot Search & Destroy
• Symantec

Other Resources:

• Cyber Security for the Digital District
• Houston Independent School District AUP
• Kentucky Department of Education AUP guidelines
• Purdue University, Keeping Information Safe

References

• Mills, L. (2006). Flirting with disaster? School Administrator, 63(4), 8.
• Nagel, D. (2007, March 6). Sendio launches e-mail security program for education. T.H.E. Journal K-12 Tech Trends. Available: http://www.thejournal.com/articles/20343
• Waters, J. (2007). Locked down, not out. T.H.E. Journal, 34(2), 35-39. Available: http://thejournal.com/articles/20160

:: READ MORE COLUMNS ::

---

About the author: Patricia Deubel has a Ph.D. in computing technology in education and is currently an adjunct faculty member in the graduate School of Education at Capella University. She is also the developer of Computing Technology for Math Excellence at http://www.ct4me.net.

Have any additional questions? Want to share your story? Want to pass along a news tip? Contact Dave Nagel, executive editor, at [email protected].