website stats
Information Security – all the guidelines are out - Microsoft UK Schools blog - Site Home - MSDN Blogs
The UK Schools Blog
News and views from the Microsoft UK Education Team

Information Security – all the guidelines are out

Home    index of content      about this blog     rss feed     email us     our website

Information Security – all the guidelines are out

  • Comments 2

And, boy, do they take some reading. We’re rocketed from ‘worry, but I can’t tell you why’ to ‘this is what you should really worry about’, in a mere 125 pages. How does that make you feel?

For the minute, if you want all of the specifics on the Becta Data Handling guidance, you’re going to have to take a look at all of the documents on the Becta website, and work your way through them as though your job depended upon it. That’s exactly what I plan to do with a small group of others from the business, starting later this week!

But, in the meantime, here’s my take on the big headlines:

Impact Levels

Appendix A, in the “Information Handling – Impact Levels” document is one of the first to deserve a look. It lists the different examples of data types, and the required authentication according to the Government requirements, and what kind of external access is allowed. If you look at Impact Level 3 data, you’ll see that it mandates two-factor authentication for teacher remote access to a learning platform or MIS system. As far as I know, there aren’t any Learning Platforms in the Becta approved list that meet that criteria, so I guess we’ve got a big shake-up coming on that front.

Now, if we can provide that easily on SharePoint/Learning Gateway systems, then that’s a quick win for you – because you can enable it for your Learning Platform, and MIS, and other systems all in one go. I know that SharePoint isn’t being used by everybody, but it’s probably now a majority of schools and local authorities

image

Encryption

The good practice guide for “Data Encryption” (54 pages of good practice – definitely no skimping on detail or Mb here!) has some specific pointers. You will need to read (and re-read!) the guide to work out what it means in your situation, but there’s some direct instructions, eg:

Page 3: “Users may not remove or copy sensitive or personal data from the school or authorised premises unless the media is encrypted and is transported securely for storage in a secure location”.

Helpfully, it goes on to warn It should also be noted that the use of encryption – installing and configuring additional software on every teacher’s laptop as well as new Authentication Tokens, SSL and perhaps SSL accelerators and logging technology – is not only time consuming but also requires a change of culture for all users. Awareness of the sensitivity of data – whether electronic or on paper – must be part of every school's duty of care to staff and pupils. At least it’s clear that these rules apply to paper and electronic data.

And, just in case you were thinking that you had time to get your ducks in a row, on page 4, in section 2.1 it says:

Note that if your school does not have encryption now, you should stop all copying, removing or accessing protected data until you have software to encrypt files and protect the communication links accessing this data.”

In Summary?

For those of your responsible for the ICT systems in your school, here’s my simple four point summary of what this all means. (You’ll have to read the 125 page detail for more!)

  • Students need username, password and SSL for remote access to the Learning Platform (SSL=the Internet “padlock”)
  • Staff will need username, password, SSL and a second factor (like a smartcard) for access to school systems remotely.
  • MIS data can’t be allowed on teachers/managers laptops.
  • Computers that may contain sensitive data should be encrypted, whether or not they leave the school.

Oh, and my simple diagram (below) in my “Information Security – it’s not black and white” post was a pretty good forecast!


And finally (ITN style!) the Data Encryption guide has 54 pages, because it contains a 29 page guide to installing TrueCrypt, an Open-Source encryption tool. “29 pages?” I hear you ask. Well, yes. Because it starts with this dire warning:

“TrueCrypt is a free open-source encryption software package for Windows Vista/XP, Mac OS X, and Linux platforms. Issues have been raised with the high level of complexity of the user interface and configuration processes for typical users.
There is a significant probability that inexperienced users will cause irrecoverable damage to their machines/data during the installation process.”

I’m guessing that things like Jerry Fishenden’s guide to using Bitlocker to secure USB memory sticks, suddenly look simple!

  • Well first the good point:

    At least we have a bit of clarity now.

    Not so good points:

    Too many of them !!

    Cost of providing 2 factor authentication

    managmanet of ensuring all devices are encrypted, staff here make massive use of USB sticks !!

    This should be fun.

    One thought Ray, maybe it would be a good idea to get the SharePoint group together to go over all of this and give some 'School based advice' whihc could be blogged here.

  • I was speaking to a school this afternoon who were just about to trial the TrueCrypt encryption on a laptop. Which is when we both realised that it's not a Government approved/certified encryption package (by CESG - the government's "National Technical Authority for Information Assurance").

    So don't rush into encrypting all of your laptops with TrueCrypt just yet, as you might have to do it all again with a properly certified encryption tool - like Vista's built-in Bitlocker :-)

    (Have sought more advice, and will write more)

    If you want to know what's certified, take a look at CESG's website

    http://www.cesg.gov.uk/index.shtml

    - and their complete list of certified products

    http://www.cesg.gov.uk/publications/media/directory.pdf

    Ray

Page 1 of 1 (2 items)
Leave a Comment
  • Please add 1 and 6 and type the answer here:
  • Post