<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Information Security – information so secret, nobody’s heard of it…</title><link>http://blogs.msdn.com/b/ukschools/archive/2008/06/18/information-security-information-so-secret-nobody-s-heard-of-it.aspx</link><description>Last week I wrote that the Becta advice on “Information Security Guidance for Schools” had been updated, effectively banning schools from taking student data out of the school. A few readers commented on the news –‘impossible’ and ‘worried’ came up –</description><dc:language>en-US</dc:language><generator>Telligent Evolution Platform Developer Build (Build: 5.6.50428.7875)</generator><item><title>re: Information Security – information so secret, nobody’s heard of it…</title><link>http://blogs.msdn.com/b/ukschools/archive/2008/06/18/information-security-information-so-secret-nobody-s-heard-of-it.aspx#8617316</link><pubDate>Wed, 18 Jun 2008 19:31:46 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8617316</guid><dc:creator>sprince</dc:creator><description>&lt;p&gt;It's wonderful how BECTA pump out this advice so readily. Unfortunately we tax payers are paying some ridiculous amount of money for these people to produce it.&lt;/p&gt;
&lt;p&gt;For example, this statement:&lt;/p&gt;
&lt;p&gt;&amp;quot;When data is required by an authorised user from outside of the school premises – for example by a teacher working from their home –they must have secure remote access to the management information system (MIS) or learning platform.&amp;quot;&lt;/p&gt;
&lt;p&gt;Is that guidance? Subtracting their favourite buzzwords, it doesn't add up to much. For example, the majority of learning platforms they have endorsed in THEIR OWN accreditation programme do not mandate an https login and some don't even have it as an option! Are we saying that &amp;quot;secure remote access&amp;quot; now means &amp;quot;needs a password&amp;quot;? I'm getting that feeling.&lt;/p&gt;
&lt;p&gt;They then put the nail in the coffin with:&lt;/p&gt;
&lt;p&gt;&amp;quot;The Information Commissioner’s Office recommends that data controllers ensure that any solution meets the current standard of FIPS 140-2 approved encryption products&amp;quot;&lt;/p&gt;
&lt;p&gt;which was also in the original document released straight after the missing discs incident. Not terribly helpful really.&lt;/p&gt;
&lt;p&gt;First off, BitLocker - possibly the most applicable and well-known technology in this area - has only had FIPS 140-2 validation for 3 weeks (since 2008-05-22 according to csrc.nist.gov). BECTA don't feel the need to specify a level either (BitLocker reached level 1 of 4). Are the staff of schools and LAs expected to trawl through this drivel and search through the vast NIST archives to find out if their copy of WinZip can encrypt to a high enough standard? I'd say that's unrealistic and will be ignored by at least 99.9% of schools. Remember, the people most likely to put school data at risk are not those that run the network and know what the word encryption means!&lt;/p&gt;
&lt;p&gt;It all smacks of someone fresh off a degree course putting a document together in a hurry on a topic they have no prior experience of. I get that feeling regularly from BECTA tbh - heavy on (mostly incorrect/irrelevant) detail; light on common sense.&lt;/p&gt;
</description></item><item><title>re: Information Security – information so secret, nobody’s heard of it…</title><link>http://blogs.msdn.com/b/ukschools/archive/2008/06/18/information-security-information-so-secret-nobody-s-heard-of-it.aspx#8615791</link><pubDate>Wed, 18 Jun 2008 14:01:54 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8615791</guid><dc:creator>arichards</dc:creator><description>&lt;p&gt;Interesting you can't find anything on the Hannigan reports.&lt;/p&gt;
&lt;p&gt;I emailed BECTA directly once your first blog appeared to ask them for clarification. I received a very nice response saying my email had been passed to the relevant department.&lt;/p&gt;
&lt;p&gt;However I think that department was the 'Bermuda Triangle' because I haven't heard anything since.&lt;/p&gt;
&lt;p&gt;It's OK publishing guidelines that reference other material, but shouldn't they then give us at the coal face access to those referenced documents?&lt;/p&gt;
</description></item></channel></rss>