Helping schools to manage data securely - PowerPoint PPT Presentation

Slides: 63
Provided by: simon233
Transcript and Presenter's Notes

Title: Helping schools to manage data securely


1
  • Helping schools to manage data securely

2
  • Information management
  • Data Handling Security guidance for schools
  • Becta's Information Management Strategy framework
  • Protective markings and information risk management

3
Interoperability
Identity Assurance & Access Management
Data security
Information Management Strategy framework
Standards & specifications
4
  • Interoperability

5
Statement of Intent
  • "Becta is clear that SIF has proven potential to
    deliver a wide range of benefits at the front
    line and at local and national levels, and now
    recommends SIF as a preferred solution. Proof of
    concept projects and other development work
    continues. But the expectation is that the SIF
    standard will be adopted by local authorities and
    system suppliers to meet specific local business
    needs over the next 18 months or so. These
    activities will mainly focus on front-line
    service delivery".
  • See link: http://www.becta.org.uk/industry/interoperability/statement

7
What is SIF?
Not a product, but a technical blueprint for
education software Designed for education
technology suppliers and educators Manages data
within the education environment Enables diverse
applications to interact and share data
Systems
8
What is the SIF Specification?
Data standard Document that defines accepted
rules Describes the data (what) infrastructure
(how) Provides a complete set of rules from
start to finish
Systems
9
Components of SIF
MIS
Network Account
Library
  • Zone Integration Server
  • Software
  • Routing
  • Access Control

14 to 19
  • SIF Agents
  • Communicate with ZIS
  • Assemble and process messages

Meals
  • Data Objects
  • Sets of information
  • XML

Data Analysis Reporting
Moodle
Other
10
Why?
  • Lack of interoperability...
  • isolates data
  • duplicates data entry
  • increases support costs
  • complicates reporting
  • reduces data quality
  • restricts access to data for decision makers
  • Increases risk of security breaches

11
  • Identity Assurance & Access Management

12
The UK Access Management Federation for education
and research
Phil Moore, CEO of YHGfL Foundation, commented,
"We see membership of the federation as an
important and logical step towards securing
eSafety for all learners in our region. The
benefits of membership are significant and will
enable us to be more responsive to the needs of
our consortium of local authorities."
13
Membership
  • 719 full members (at 29 June 2009)
  • 127 school sector members
  • 460 FE members
  • 279 HE members
  • Universities, FE Colleges, Adult Education, LAs,
    RBCs, C2K, LTS, outsourced IdPs, commercial
    & non-commercial SPs: Microsoft, Serco, Pearson
    Education, Netmedia, Espresso, SAM Learning,
    Mathletics, National Archives...

14
The benefits of identity assurance & access
management
  • Control over who can access what
  • Privacy preserving
  • Simplified sign-on: fewer, stronger passwords
  • Central management of passwords
  • Common approach to logon
  • Potential for 2-factor authentication
  • Standards based approach
  • Greater security

15
  • Standards & specifications

16
  • Functional and technical requirements for
  • Management information systems
  • Learning platforms
  • Institutional infrastructure
  • Underpin procurement frameworks and Partnership
    for Schools BSF Output specification.
  • Mandatory and recommended standards including
    common approach to security
  • More secure systems

17
  • Information Management Strategy framework

19
  • Data security

30
Data security: The background
  • Data Handling Procedures in Government
  • HMG Security Policy Framework
  • Data Protection Act 1998

31
Our revised good practice guides
Guidance available from www.becta.org.uk/schools/datasecurity
32
Keeping data safe, secure and legal
  • Summary document for SLT
  • Introduces concept of information risk management
  • Senior Information Risk Owner (SIRO)
  • Senior member of staff
  • Owns the information risk policy and risk
    assessment
  • Act as an advocate for information risk
  • Information Asset Owner (IAO)
  • Information assets are collections of data that
    are valuable to an organisation, such as the
    Management Information System
  • Each information asset needs an owner who must
    understand what information is held, what is
    added, what is removed, how information is moved
    and who has access and why
  • Understand how information is retained and
    disposed of

33
Data encryption
  • It is a legal requirement of the Data Protection
    Act 1998 to protect and secure personal data.
  • The Information Commissioner's Office (ICO)
    recommends that portable and mobile devices
    (including media) used to store and transmit
    personal information, the loss of which could
    cause damage or distress to individuals, should
    be protected using approved encryption software
    which is designed to guard against the compromise
    of information.
  • Lists example encryption products

34
Audit logging and incident handling
  • Describes why you should maintain logs and
    describes how to implement a logging
    infrastructure
  • Outlines the key points to effectively manage
    data security incidents

35
Secure remote access
  • Outlines some solutions that organisations can
    use to allow users secure remote access,
    including UK federation and Employee
    Authentication Service
  • Recommends secure remote access over taking
    information out of school
  • Recommends 2-factor authentication for staff
    accessing MIS
  • Explains why 2-factor is generally not required
    for parental engagement

36
Key recommendations for individuals
  • Read Becta's Data security Dos and Don'ts
  • Take care to log out of services
  • Keep computers up-to-date
  • Take particular care with laptops if out of the
    office
  • Use secure remote access where possible
  • Encrypt media if secure remote access not
    available
  • Protect your passwords and online identity

37
Key recommendations for organisations
  • Appoint a Senior Risk Information Officer and
    Information Asset Owner(s)
  • Read HMG Security Policy Framework
  • Assess information risk for your organisation
  • Train users in data security
  • Shred, pulp or incinerate paper when no longer
    required
  • Make staff and learners aware of what data is
    being held about them and what it is being used
    for by issuing privacy or fair processing notices
  • Obtain Enhanced Criminal Records Bureau clearance
    for staff accessing personal data on young people
    or vulnerable adults
  • Put in place a policy for reporting, managing and
    recovering from incidents which put information
    at risk
  • Make sure that, where appropriate, contracts for
    employment state that misuse of such data is a
    disciplinary matter

38
Key recommendations - technical
  • Implement secure remote access to personal data
    in management information systems, learning
    platforms and portals
  • Put in place two-factor authentication for power
    users and users accessing large data sets
    (recommended for all staff accessing MIS)
  • Encrypt media containing personal data
  • Securely delete and overwrite all files that
    contain personal data when no longer required

39
Summary
  • More info
  • simon.harrison_at_becta.org.uk
  • karen.mitchell_at_becta.org.uk
  • john.chapman_at_becta.org.uk
  • Current guidance
  • http://www.becta.org.uk/schools/datasecurity
  • Collaboration site
  • http://collaboration.becta.org.uk/community/informationmanagement/datasecurity

40
  • Questions?

41
  • Information risk management

42
Information Management Strategy framework -
background
  • Developed to respond to the need for schools to
    manage an increasing requirement for data
    effectively and securely
  • Designed to allow schools to assess their current
    position
  • ... and develop their own strategy
  • Developed with 5 LAs plus schools
  • Designed to work with existing tools
  • Designed to encompass all areas of Information
    Management including security

43
How Becta frameworks work together
Parental engagement Framework
Leadership and management
Professional development
Learning and teaching
Self review framework
Resources
Curriculum
Extending learning opportunities
Assessment
Impact on learner outcomes
44
The need for an Information Management Strategy
Parents
Agencies
Local Authorities
DCSF
Diploma providers
Data Security
45
Objective: To help schools make more effective
use of data and develop an information management
strategy to
46
Using the framework
48
IMS framework content
49
Supporting materials
  • Guide for each strand
  • Suggested possible sources of evidence
  • Hints and tips on possible actions
  • Further help and information
  • LA guidance booklet

52
How to use the framework
  • How do you envisage you will use it with your
    schools?
  • Make them aware and then it's up to them
  • Run workshops/events
  • Offer 1-1 support
  • Other suggestions?
  • Let Becta know what improvements you would like
    to see in the future

53
  • Protective markings and information risk
    management

54
Dealing with Information
  • Value of an asset is determined by considering
    the consequences likely to occur in the event of
    its compromise.
  • Recommended that schools adopt the HMG Protective
    Marking Scheme
  • Schools handle information at the PROTECT and
    RESTRICTED levels
  • However, these still require good security
    practice
  • Be careful when assessing a sub-set of
    information or aggregated information

Note: value is not just £s but also the
importance of data, e.g. children-at-risk data.
55
The Importance of Information
[Figure: Impact Levels. Axes: Protection, Value. Protection levels increase as value of information increases.]
  • It is important to understand the
  • Value of information (if it was disclosed,
    corrupted or not accessible)
  • The classifications/protective markings used
  • Types of information that are the most valuable
  • Steps that you can take to protect information

56
HMG's Protective Markings Scheme
Protective Marking
Increasing Protection
Value
Impact Level
NOT PROTECTIVELY MARKED (IL0)
57
The Information Asset Jigsaw
Ethnicity
Clearance
Sickness
NOK
Annual Leave
Bank Acc
Appraisals
Salary
Business Address
This data sub-set is IL0
Unique ID
Name
Tel No
The totality of this information asset is judged
to be Impact Level 2. But not all the sub-sets
of the information are at this Impact Level.
Different combinations will give different Impact
Levels due to impact of association and
aggregation
58
Which protective marking?
  • Do you need a protective marking?
  • You do not need to protect all your data. Imagine
    a potential security breach
  • Will it affect any member of the public?
  • Will someone lose more than £100?
  • Will it cause any kind of criminal case to fail?
  • Is there a risk of discomfort to someone?
  • Is anyone's personal safety at risk?
  • Will it embarrass anyone?
  • If you answered no to all the questions you can
    leave your data unmarked. However, we suggest
    that you label it with NOT PROTECTIVELY MARKED.
    This shows that you have assessed it.
  • If you answered yes ?

59
Which protective marking?
  • Should you use the RESTRICTED protective marking?
  • Imagine the same potential security breach as you
    did above.
  • Will it affect many members of the public and
    need extra resources locally to manage it?
  • Will an individual or small trader lose £1000 to
    £10,000?
  • Will a serious criminal case or prosecution fail?
  • Is someone's personal safety at a moderate risk?
  • Will someone lose his or her reputation?
  • Will a large company or organisation lose
    £100,000 to £1,000,000?
  • If you have answered yes to any of the above
    questions you need to label your documents with
    the RESTRICTED protective marking.

All documents that do not fall into the NOT
PROTECTIVELY MARKED or RESTRICTED category should
be marked as PROTECT.
60
Actions
  • Promote common sense awareness of data security
    among users
  • Label output with simple, clear statements
  • Encourage schools to implement a policy to
    report, manage and recover from incidents
  • Destroy paper containing protected data when no
    longer needed
  • Implement secure remote access to protected data
    contained in school management information
    systems, learning platforms and portals
  • Encrypt all media that contains protected data
    that is to be removed from the school premises
  • Securely delete and overwrite to government
    standards all files that contain protected data
    when no longer required

61
What's next
  • Protective marking and information risk
    management July 2009
  • Further engagement with suppliers ISO27001/2
  • Becta procurement framework contracts being
    explicit about Data Protection
  • Investigating online training package
  • More feedback from you!
  • FAQs
  • Use case scenarios
  • Sharing your solutions

62
  • Questions?