Data Security
Data security is how data are collected stored and transferred through a district’s infrastructure. Infrastructure includes district-owned servers and devices, including mobile devices. All district-controlled applications, networks and cloud-based storage should also be included. Traditionally, firewalls served as the divide between internal and external security threats but now this is not always the case. Increased use of mobile devices both personal and district-owned devices along with the increased usage of online applications in the classroom has brought new challenges and more potential security risks.
There are two main types of risks to be mitigated by school districts. Technical risks like hackers and human risks like passwords written on easily found sticky notes. Having a comprehensive security plan can reduce both types of risk. A district security plan should include two major areas of policies:
- Policies and guidelines for work and personal use of district-owned devices and data systems as well as working from personal devices.
- Policies and guidelines for data use, assessing data risk, how to handle breaches, and how the compliance of these policies is monitored.
Professional Development & Audits
Regular professional development and compliance audits are necessary to be sure procedures are understood and followed. Poorly trained staff can result in unnecessary breaches and be costly to a school district. Here are some ways a district can protect itself from technical and human threats:
- Physical security – protect computing resources from unauthorized access by securing areas where PII or sensitive data are stored. Monitor access to these areas by requiring digital ID badges or having visitors log in prior to gaining access.
- Network security – Create a network map that includes servers, routers, applications, and data. The map should show dependencies and highlight vulnerabilities. The use of firewalls and intrusion prevention systems should be put in place. Firewalls and the rules they follow for either permitting or denying network transmissions should be examined. Regular reporting of suspicious or malicious activity should be put into place and monitored.
- Secure configurations – New hardware or software should never be introduced into a network without being tested and configured properly. Incorrect configurations and permissions can unintentionally leave a technical system vulnerable.
- Patch management – Regular use of patches to protect against vulnerabilities is common in the world of technology. Patches should be applied as part of a plan for regular system testing and for rollouts of software updates.
- Two-factor authentication – Identification of authorized users is traditionally done with passwords, key cards, or biometrics (like fingerprints). Two-factor authentication requires the use of two of these methods to gain access.
- Access control – Requiring strong passwords, locking devices that have been idle for a period of time, setting multiple levels of user authentication and limiting access to sensitive data to only those who need to know for the purpose of their work is an important part of security.
- Encryption of data – Data that is stored in servers and mobile devices needs to be encrypted. This will help to control the likelihood that sensitive data could be retrieved from such devices in case they are stolen or lost. In addition, data that is being sent via email should also be encrypted or desensitized before it is sent.
- Staff security training – There are many common issues that can be problematic among staff. Staff negligence can often result in data and security breaches. It is important to have procedures for staff to follow in the event they have caused some exposure. Here is a link to PTAC’s password data breach response training kit and their data breach response checklist to assist districts in the preparation of this training. These resources contain multiple resources for district use.
Topics that should be covered in this training are listed below.
-
- Password Management
- Locking computers
- Sending sensitive data via email
- Using Personal mobile devices
- Data destruction
- Phishing