Developing a security strategy for K12 education
The more education goes digital, the more important it is to safeguard digital assets and data. But security and privacy issues are more critical and complex than ever. With budgets stretched to the breaking point, how do you implement a privacy and security strategy that makes the most of scarce resources? Intel Education can show you how.
Why is there so much focus on privacy and security right now?
School systems can fall prey to global criminals who lock the systems’ digital data and demand a ransom to release it. High-profile breaches, whether in school systems or in our lives as consumers, have made everyone more aware of the need for rigorous protection.
The amount and variety of data is rising and more third parties have access to sensitive data. Families are more sensitive to the downsides of digital data collection. It used to be that the worst you had to worry about was a student hacking grades. Today, we are at risk of identity theft if relevant data falls into the wrong hands. But security and privacy issues are not only more critical than ever—they’re also more complex.
What do I need to protect?
Protection needs to cover all elements that are at risk, including:
• Mobile devices and other physical technology
• Confidential student data, including data mandated confidential by state, national, or regional laws or regulations
• Employee data, such as payroll information and data that could contribute to identity theft
What’s the difference between security and privacy?
Security refers to safeguarding digital assets from theft, misuse and loss, as well as from malicious or inadvertent disclosure. Privacy addresses the need to protect the confidentiality of students, families and employees while maximizing the educational value of data. Protecting privacy requires policies and procedures that define how the school system and any third parties it works with will collect, access, use and share any data that can be used to identify the user.
Where are my points of vulnerability?
Risk can occur at any point where data is collected, stored, used or transmitted, whether it’s at rest (when it’s stored) or in flight (moving over the network). People and processes can
expose you to risks—for example, users with weak passwords, service providers with lax security practices, or trusted employees who aren’t properly trained in using technology.
Why is it important to have a comprehensive strategy for security and privacy?
Security and privacy requirements are complex, diverse and interrelated. To be successful, you need a flexible, holistic strategy that covers your entire environment, including third-party partners and mobile devices used beyond the school walls.
What is at risk if my strategy fails?
Your school can incur costs to replace lost or damaged resources. The school or district may face lawsuits or financial penalties, especially if security failures result in a violation of legal or regulatory requirements. High-visibility breaches can damage the school system’s reputation, and the resulting loss of trust can make innovation more difficult. Last but not least, hacking or exposing grade and exam systems will impact students’ trust in the system and their desire to learn and excel.
So where do I start, and how do I pay for all this?
We recommend basing your strategy on a three-level hierarchy of security and privacy requirements that allows you to spread the costs while meeting important priorities.
1. Baseline. Comply with the defined needs for your state, area, region and country. Work with legal advisors to ensure you are fully compliant with regulations pertaining to data acquisition, use and disclosure. Pay close attention to federal standards. Baseline capabilities include virus and firewall technologies and single-factor identity management to help keep “bad actors” off the district’s network and provide a basic level of protection for information assets.
2. Enhanced security. Work independently or with an industry-recognized organization to conduct regular, thorough risk assessments that identify the points where your assets and data are at greatest risk. Then, develop a road map for addressing them.
3. Advanced security. The third tier of security execution includes more sophisticated capabilities such as end-to-end encryption of all data, predictive threat monitoring to identify attempted intrusions before they can get through, and digital forensic tools to investigate threats.
What technologies are going to be essential?
Several technology solutions exist to address three specific security goals:
1. Protect. Protecting the environment involves the use of solutions such as firewalls, virus software, data encryption, and identity management solutions to keep attacks from occurring and avoid damage if a breach occurs.
2. Detect. Intrusion detection solutions proactively watch for signs of an attack, enabling a faster response to an impending or ongoing breach.
3. Correct. Rapidly responding to a breach is essential to mitigating its damage. Solutions that automate the detection and response functions can reduce risk while reducing the burdens on busy IT staff.
What should I consider in addition to the technologies?
People are one of the most important elements of a comprehensive security strategy, so explore what changes to training, policies and processes can strengthen your school system’s security and privacy protections. Provide thorough training and encourage everyone to make security and privacy a priority. Consider physical as well as digital security, including basics such as access-controlled server rooms, locked cabinets for servers and physical security of the network operation center. Explore solutions for identifying visitors and maintaining the physical security of the school.
What best practices can help us increase security?
Comprehensive security is an ongoing and interactive process that needs to be continuously monitored and improved. Please consider these practices:
• Establish a security chief to lead the creation of a security aware school culture. The security chief must keep up with the latest federal and state regulatory requirements, and work with stakeholders to protect digital resources while using them to drive student outcomes.
• Practice minimalism. Don’t collect and store more data than you need. This helps reduce storage costs as you safeguard data.
• Examine the security implications of all purchases, including mobile devices. For example, will devices have mature management software available? Are any security and privacy protections built in?
• Choose robust, proven security solutions that are easy to use. Solutions that simplify IT operations can enhance IT productivity and reduce costs.
• Make it a “living” program. Create a cycle of continuous improvements based on lessons learned. Continue to evolve your security strategy as threats and compliance requirements change, and new solutions become available.
To see how Intel Education can help, visit DAmag.me/intel-education