I've had my office managers come back from their forum meeting and our new worry is Audit, Data Protection, Encryption & Fines.
I have a huge task ahead of implementing whole disk encryption on laptops, buying in more encrypted memory sticks and ensuring our AUPs reflect the new requirements.
OK, so it will take time and some money, but the biggest issue to come out of it is how we as individuals as well as the school can be fined for failing to encrypt our data (someone even said imprisonment, but how true that is I don't know).
I want to know how they are going to enforce these fines and even if I should personally accept my own AUP I'm writing that will allow them to fine us in the first place!
Bearing in mind the requirements are any data that has 2 items of personal identification on them, so that's a child's name and school or a child's name and parental contact details, school reports and everything like that.
I am all for taking responsibility for our data but this seems like a way over the top knee-jerk reaction that will be difficult to police and a nightmare to manage.
Does anyone have any further info they can relay back or have any guidance on best ways to implement and sustain staffwide encryption?
We have done a few laptops so far with TrueCrypt on full hard disk encryption, but it takes a lifetime on some laptops to do this before I can give 'em back to staff. The TrueCrypt bit took hours on one laptop that was a bit old. I would only put this on machines or laptops that would leave the school premises, obviously.
Most sensitive data is on the MIS and stays there. What does not is on the encrypted drive and is safe.
There are some threads you should be able to pluck out with the search words "truecrypt" or "encryption" which go through how others handle encryption on hard disks and how they managed the recovery disks and such. I found it useful when I read it before trying TrueCrypt myself.
Last edited by dalsoth; 3rd December 2009 at 05:36 PM.
Were these the half-day meetings held this week, Chris?
I actually went to one with the secretary.
The school needs to have a designated SIRO (Senior Information Risk Officer); this must be a member of the SLT. You then need Asset owners. All of your school data is an asset. These assets need to be divided up and an Asset owner designated for each.
These are then the people who will be heavily fined personally if the data is lost etc...
As for encryption, I have put full disk encryption on all staff laptops, regardless of whether they take them out of school. Set the laptops to encrypt overnight and they will be done the next morning. I did all ours in the summer and our oldest Celerons with 1GB RAM took about 4-5 hours each. At the moment there is no official "you must do this" from Link2ICT, BUT they have said that coming in the new year they will be supporting SOPHOS as the encryption method and more details will follow.
As with the laptops, all memory sticks are encrypted. I decided against TrueCrypt and actually bought AES 256-bit encrypted memory sticks. 2GB ones cost around £13, I think. Staff were then told that these are the only memory sticks to be used in school, period! If anyone was caught using a non-school-issued memory stick after a certain date then they would be pulled up in front of the head. The only problem with the sticks we have is they are PC only and not Mac compatible, so I know that Viv wouldn't be able to use them on her MacBook.
It's a big can of worms at the moment. Are you going to the meeting next Wednesday at the ICC?