Information Security for Schools - It's an Issue
As people say, information is power. But it’s also a responsibility ... a major responsibility that you and your school face in a myriad of ways, more so than ever before.
Today, every school requires an inordinate amount of information and data to carry out its mission to instruct students. In days past, our data was stored (and not always locked) in filing cabinets. Fortunately, that is no longer the case. We have now developed and embraced hi-tech tools such as cloud-based partnerships to manage this critical commodity. Yet it is increasingly clear that, unfortunately, this development far from guarantees a breach-free environment.
There is ample evidence that times have changed and our data is now a target. In fact, it may be easier for these thieves to attack our student management systems or shared folders than to gain access to good old-fashioned, locked filing cabinets. So, with all of the opportunity to steal data from the corporate or government spheres, why would a "hacker" mess with our schools? The answer is simple: because they can, and because the personal information of our students and staff is valuable!
There are a great many threats to protecting our data and information including:
- Natural events (e.g., lightning strikes and floods)
- Intentional acts of destruction (e.g., hacking and viruses)
- Unintentional acts of destruction (e.g., accidental downloading of computer viruses, programming errors, and failure to protect information, i.e., back-up)
It is critical to begin by assessing how your school is currently protecting its data and private information. The development and application of a thoughtful Information Security Policy is no longer a nice-to-have; it is a must-have today. An “Info-Sec Policy” defines the data management environment and assigns roles and responsibilities for protecting your school’s non-public information from unauthorized access, disclosure, or misuse. It is the responsibility of every school employee who accesses non-public data and information to secure and protect that data. For members on our learning platform, you will find an example of this important policy in our resource library.
Local, state, and federal laws require that certain types of information, such as individual student records, be protected from unauthorized release. This facet of Information Security is often referred to as “protecting confidentiality.” While confidentiality is often mandated by law, common sense and good practice suggest that even non-confidential information within a system should be protected as well. The concern there is not so much potential unauthorized release as unauthorized modification and unacceptable influences on its accessibility.
In addition to Confidentiality of Information, there are two other key terms that relate to Information Security. The first is Information Integrity, which seeks to prevent the unauthorized creation, modification, or deletion of information. The second, Information Availability, focuses on preventing unauthorized delay or denial of information for your team. All three of these facets are crucial when talking about protecting your data.
In our Information Security work with schools, we consistently get asked the same two critical questions:
- Should our school convert its records to digital format only?
While there are times that you may need to print a paper document (permission to treat and medical cards, for example), there are really no general restrictions to converting your files to digital. Strong limits on access are needed to protect your student records against intrusion. The application of a records retention policy across all school departments is always critical, whether your school is using paper or digital files.
- Should our school use our student management system (SMS) or a cloud-based alternative like Apple iCloud or Google Drive as our primary method of storage?
In our work with schools, our team recommends that you use the SMS as much as possible. The company has taken great pains to create security and reliability. Login and password controls are well managed. Of course, Apple and Google offer tremendous security, but there is far too much opportunity to share folders and files, which could result in a security breach. That said, be certain that ALL outside partners and networks are required to meet your security expectations.
Maintaining and managing Information Integrity, Confidentiality, and Availability is no small task in our world. True Information Security in an educational environment is a tremendous challenge due largely to the number of diverse stakeholders who contribute to and manage the workflow.
I hope you enjoyed this blog and you will consider joining our Membership Platform. Information Security is the topic for June.
Steve Mandell has spent 25 years in education, most recently serving as Head of School of Pinewood Preparatory School in the Charleston, SC area. In addition to being a Head of School for 10 years, Steve has held various administrative posts in independent schools including Chief Financial Officer and Guidance Director, where he created numerous programs and curriculum for student guidance, faculty professional development, and health education. He is a Certified School Safety Manager through the Institute for Safety and Health Management as well as an Authorized Facilitator for Darkness to Light Stewards of Children Training.