elsiegee40 (7th May 2009)
Becta have updated their guidance on data handling and it can be found at Becta Schools - Data handling security guidance for schools.
The "Dos and Don'ts" and the Quick Wins are pretty on the button, the language is a chunk simpler and more usable with others but there are still pretty detailed instructions in the various docs.
Ray Fleming has also been having a read of them too so expect a blog post from him about it soon.
Don't forget to go on the Becta collaboration forums to give feedback as well.
elsiegee40 (7th May 2009)
Have people had a chance to look at this yet and what do they think of it compared to the previous docs?
I can't remember the old versions of these, but I've scanned through these documents relatively quickly, and they seem very helpfull, well laid out and easier to read than some documents I've downloaded from the BECTA site.
That they've now been written more for the audience rather than cut&pasted out of nasty CESG/whatever docs with all those orders (MUST do blah). Have only skimmed, but they're more accessible and much less silly now.what do they think of it compared to the previous docs?
Still there a bit, but it's interesting to see the de-emphasis of the categorisation stuff. Again no especially useful info/suggestions on what may or may not need PROTECTing.. now seems to leave that to "whatever DPA says", but people tend to know what that is so there's probably more mileage in it.
The do's & don'ts was a good idea.
This bit from RA security caught my eye: "Authentication mechanisms support X.509 client certificates (typically for student access to learning platforms and portals)". Is it fair to assume that's more or less what they think entry-level remote auth. security ought to be i.e. staff access needs more?
Last edited by PiqueABoo; 7th May 2009 at 12:36 AM.
The Do's and Don't's is good. It'd be a good place for those of us crafting AUPs etc...
One thing to add to that particular document - if a laptop is left somewhere in a school, such as on a desk, it may be physically secure - ie. chained their by a lock, but if the person doesn't lock it, or disables the screensaver/auto-lock then data could be compromised. I think something mentioning that should be in a Do's and Don't's document really.
I agree, the Do's and Don'ts was in a language that anyone could understand. It also mentions, several times, to consult your IT team, not always done but at least they have been told.
The Data Encryption one, which I'm currently reading, appears somewhat ambiguous. At one point recommendation is made for whole disc encryption and file/folder level encryption. I'm left a little confused as to which is best or which to implement under what circumstances. However, all may become clear when I've read the whole paper.
I missed this it when you posted... I'll spend some time on it over the weekend going through it again.
Well you don't need Becta for that - full disk encryption whenever you can because it's a lot more reliable than some folk will be at a) deciding something needs to be encrypted, and b) actually encrypting it.I'm left a little confused as to which is best or which to implement under what circumstances.
That's a no-brainer for data on staff laptops, it's servers that are more interesting. Do you or don't you do/risk full disk encryption on those.. the overheads shouldn't matter on a typical server with oodles of MIPs to spare... but if they're seriously physically secure is it worth the trouble given the very low risk of someone running off with one. Same argument applies to server folder encryption. Lots of factors, no one-size answer.
The Advice sets that within the network is secure once outside the school network is not secure.
So servers/desktops are fine but laptops which are taken away from school need to be encrypted
I think that the guide (which was in the previous version of the guidance) was meant to be put up on the Open Source School site ... I'll check with Miles and co.
Mr.Ben (8th May 2009)
The mobile device should have disk level encryption as it can be taken off-site and is at risk of increased access and loss of device.
On-site you should use encryption or additional protection on those areas that require it (eg storage of SEN data) but no requirement for disk-level encryption because there is little chance of physical access to the machine. The additional protection may be to consider increased control and ownership over folder / file permissions or to place in password protected folders (therefore require authentication at login and then a password to access the folder.
The main reason for encryption is the high risk of loss of mobile devices and storage.
leco (8th May 2009)
There are currently 1 users browsing this thread. (0 members and 1 guests)