Wednesday, 2 September 2009

Laptop security and data protection in schools

Schools, as is the case with any person or organisation handling personal data, must comply with the Data Protection Acts. Personal data collected by schools for their own purposes is the responsibility of the schools as they are the Data Controller. The website of the Data Protection Commissioner has advice and information in relation to the responsibilities of Data Controllers.

Sensitive data should not leave the school unless it is absolutely necessary. Other options of accessing the school based data such as remote accessing your schools network can ensure that the data does not physically leave the network and any information used in the manipulation of the data can be securely disposed of. This may be considered before transferring data onto a device that will be accessed outside of school.

Laptop and Portable Data Security – Some advice and support

All schools should have a policy pertaining to use of all portable data storage (PDS) media i.e. laptops, USB sticks, external hard drives, PDA’s, memory cards etc.

The assignment of laptops or other devices to teachers should always be recorded so that they can be easily tracked from an asset management point of view. A record of serial numbers, list of hardware features (DVD, wireless mouse, etc.) and other information that can be used to identify the laptop or device should be compiled and retained in the school. These items should be included on the school insurance policy. If the laptop is for teachers’ work at home use , this should also be noted in the school insurance policy. Any policy should include procedures for reporting loss/theft. It may also be useful to inform the manufacturer technical support in case the laptop or device is sent back for repairs.

Security issues to consider

There are a number of issues and questions to consider before removing sensitive data from a school location.

* Is the need to access information outside of school justifiable?
* Has the data been backed up before it leaves the building?
* Have you reduce the risk of the device being lost or stolen?
* Have you taken efforts to make it more difficult for an unauthorised person to access that device?
* Have you taken efforts to make it more difficult for an unauthorised person to access data on that device?


Security measures to implement

* All essential data leaving the office should be adequately backed up. In regards to email, it is important that there is a copy backup not on the physical laptop. Consider using web based mail (or use IMAP) or ensure a copy of mail is saved on the server.
* Where possible the School name and contact details should be identifiable on purchased equipment to deter thieves and aid recovery. A well secured security label on the frame of the laptop is advisable. The desktop background could contain the name and address of the school to aid return if the laptop is lost.
* Cable locks should be used wherever possible to secure the laptop to the desk if used in areas where there is a risk of theft.
* Schools should also ensure that security features within the Operating System are enabled and user profiles are protected. It is possible to set a password at the boot up stage of the laptop to make it more difficult to access the hard drive or reinstall the operating
system.
* Strong passwords should accompany any log in user authentication
* A secure password policy should be implemented, requiring staff to
change their passwords on a regular basis (monthly is industry standard
practice).
* Use “strong” passwords consisting of letters (both uppercase and lowercase),
numbers and symbols such as w£Ty78&Q
* Check your password strength at http://www.passwordmeter.com/
* A school should give serious attention and thought to where sensitive data is stored and accessed. For example if a laptop contains sensitive data it may then not be wise that this laptop is used throughout the school by many users. It may be best kept in the principals’ office.
* Where sensitive data is saved on the laptop, schools should make the effort to ensure data security of that data. It is possible to password protected files and folders within the popular operating systems used in schools.
* There are different levels of data sensitivity. Data relating to a person’s bank details will be more sensitive than results of in school exams. The level of security should reflect the data it is protecting.
* There are also different encryption solutions available if required. These cost of these solutions range from free to expensive and have varying degrees of encryption which may make it more difficult to access the data.

Blogged with the Flock Browser

No comments: