speckytecky (6th July 2008)
Ray has put in another good blog post on the MS UK Schools blog.
Microsoft UK Schools News Blog : Information Security ? a week on
From reading the links, the two points that strike me as the most technically difficult to ensure are:
- Do not remove sensitive or personal data from the school premises unless the media is encrypted and is transported securely for storage in a secure location.
- Protect all desktop, portable and mobile devices, including media, used to store and transmit personal information using approved encryption software.
It is of course possible to find software that will encrypt files/devices but how do you ensure that the data is intercepted and encrypted in the first place?
For some time I have been looking for a solution that will prevent SIMS for producing ad-hoc reports that can be printed and taken out of school with no accountability.
It's always been possible to take paper copies of personal data out of school (or anywhere else) and all you can reasonably do is make sure people know that they shouldn't do it (or should take reasonable care of the documents if they do do it)
What you might be able to do is add a header saying something like "Do not remove this document from the school" - this just serves as a reminder.
Then at that point need process in place to be audit it etc to make sure people are being secure with data.
That way school has done best effort to make sure data is secure, staff understand importance of the issues involved.
What I would actually like is a document management system to store all this personal information so that there is an audit trail of who does what with it (view, edit, print, copy).
I would then like some kind of hook into SIMS so that any data that comes out is sent to the document management system instead of straight to MS Office or the printer. The information could of course then automatically open/print after passing through the system so that it is transparent to the end user. It is this hook that is vital IMHO but nobody produces a system with this capability.
I've summarised what I believe are the systemic issues with data protection in schools, admittedly from a secondary viewpoint. There are some issues that are better or worse in primary or special ... and I dare not even touch on HE/FE ...
I see the main barriers to securing data in schools as follows.
1 - Understanding what data needs to be secured. The interim category of Protected Personal Data needs to be defined within education and a better understanding of the roles of people working with this data.
2 - Systemic changes of contracts within schools to include reference to the correct use of personal information. This then needs to be backed up with training and guidance for staff, tailored for their specific roles within the school.
3 - Systemic analysis of access to information within the MIS. Too many schools have blanket access to Management Information Systems within schools rather than having the access defined by the role of the member of staff. Even with those that do have some granularity in place, when staff move roles within schools they are likely just to have the extra access plonked on top rather than their whole access revised.
4 - Too many companies working with schools do not follow good practices to protect the data schools send them. I hesitate to think of the number of companies that have asked for information to set up services for students to use and just ask for information to be emailed over. Schools should refuse to use these companies until they change their practices. They should also make sure that have signed agreements to abide by the school's Data Protection policy.
5 - Staff taking responsibility for security of data. I am not expecting all staff to be geeks or hackers, but the simple attitude of making sure that information is only ever left in the proper place for it. This attitude is not just for electronically stored data but all information about students (and other staff). Technology can only do so much, but password security and not losing planners full of personal / confidential information are simple ideals.
I tend to take the view that common sense will prevail with a lot of this, but I am not holding my breath. I already know that in my school we will be making a number of changes and the LA guidance will be updated very quickly as well.
As the year end approaches (Monday 25th August is an important date for secondaries as we can now start basing things on the timetable for next year!) it is important for schools to make sure that information and data is going to be used correctly and legally.
It is going to be an interesting year, that's for sure.
It is going to be an interesting year. The government shake up its own data protection systems and schools suffer
I like this part of the MS Schools' Blog:
"If you’re purchasing laptops or desktop computers that are for staff use, then opt for Windows Vista Enterprise licences, because that has full-drive encryption built-in through BitLocker."
"If you’ve got existing computers with Windows on them, then you’ll either need to plan to upgrade them to Windows Vista Enterprise (or Ultimate), or buy an alternative encryption package (there’s some listed on this page, referenced by Becta) "
I can understand that Bitlocker allows for full drive encryption- (of course you only get *full* drive encryption with SP1) because it uses AES to encrypt (128 bit) and decryption requires the FVEK (Full Volume Encryption Key) which in turn requires the Full Volume Master Key (256 bit). TPM and USB flash drive can be used to store this. But for Bitlocker to *work* you need:
2. TPM plus USB Flash Drive
3. TPM plus PIN
You can also use flash drive startup key only (your laptops may not have a TPM module- ours don't). This options isn't as secure as the others but still lets you have a certain level of security. Without TPM though, anyone can take your HDD and as long as they have the flash based key, access the drive's information. Oh- and you can also use the "clear key" method. A bit like leaving the keys in your front door
You need Vista Enterprise or Ultimate; TPM Version 1.2 (and enabled); BIOS support for USB class 2; at least two volumes.
There are alternative encryption software applications (including open source versions) equally as good if not better than Bitlocker. And of course Mac OS X comes with its own security methodology (keychain and Filevault to name two) which are pretty robust in their own right. Linux has SELinux to support those who need a broader set of security tools.
Whilst I agree with the premise of the blog, and understand that it is a *Microsoft* schools' blog, it is of course biased. What is good is that BECTA are translating all this into technician's language for us and the advice (I think) needs to be heeded as much as possible.
The advice here is common sense-based and something I will assess as soon as possible:
Becta Schools - Leadership and Management - Security - Information security guidance for schools
Thanks for the link Tony- good information to have!
Last edited by kingswood; 6th July 2008 at 07:40 PM. Reason: Spelling was waaay off!
true crypt anyone?
As I seem to have started this hare running on the blog, I thought I'd jump in with thoughts too...
Firstly, Kingswood is absolutely right - my advice on the UKSchools blog is biased towards Microsoft (but then, like Kingswood points out, it is the Microsoft schools blog
My view is that we're heading towards a big crunch-time. It's likely that there will be a group of people, especially in secondary schools, who'll look at the generic advice, and will have the time/inclination/interest/skills to develop their own methodology to deal with the updated advice. BUT there's a huge number who won't - think about 28,000 primary schools who should be implementing better information security (or 5,000 nurseries, and probably 2,000+ secondary schools), who probably won't know where to start, and will be reliant on somebody else to offer advice. And that advice is likely to be in a format that's indigestible for them! (If any of the conversations I've had with 'security-types' have been representative..).
The kind of regime schools are going to be facing has been the precint of official-sounding Govt types (as soon as you start talking about FIPS 140-2 Level 2, it doesn't take long before somebody mentions CESG or GCHQ - and lots of the info they publish wouldn't win a plain English mark
Grumbledook's summary of the issue is excellent - and we need to strive for the same kind of simplicity in advice for "what do I do about it", that a non-ICT-centric Head Teacher of a primary school can follow. Something that leaves them feeling that they've done the right thing. We can't afford too many grey areas, because we'll stay in today's situation - today it's too confusing to understand what's right and wrong, and how to fix it.
The current work of the Cabinet Office, and Becta, is going to make it easier for schools to understand Right and Wrong in data handling. But in all the conferences I've been to this year, on ICT, I haven't heard a single person (including me ) giving advice about how to improve Information Security. I guess this next year's going to be different!
There are currently 1 users browsing this thread. (0 members and 1 guests)