<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Information Security – more, but not yet enough, advice from Becta</title><link>http://blogs.msdn.com/ukschools/archive/2008/09/15/information-security-more-but-not-enough-advice-from-becta.aspx</link><description>The Becta Information Security advice page for schools has been updated, and they provide a more detailed document ( Keeping data safe, secure and legal ) which goes further than their previous advice, but not yet far enough. In fact, if you take the</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>re: Information Security – more, but not yet enough, advice from Becta</title><link>http://blogs.msdn.com/ukschools/archive/2008/09/15/information-security-more-but-not-enough-advice-from-becta.aspx#8955326</link><pubDate>Wed, 17 Sep 2008 14:11:52 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8955326</guid><dc:creator>alexjones</dc:creator><description>&lt;p&gt;Would have been a good idea to publish all these documents at the same time...&lt;/p&gt;
&lt;p&gt;A big issue at present for schools ICT is real-time reporting to parents. Becta have already made detailed functional and technical specifications for learning platforms that will provide real-time reporting. My question would be - do the LP specs include the data security requirements now being outlined? If they don't then how can schools possibly meet these and the real-time reporting targets? I'd bet heavily that the LP specs were written without any consideration of these more stringent data security requirements.&lt;/p&gt;
&lt;p&gt;Perhaps someone from Becta can enlighten.&lt;/p&gt;
</description></item><item><title>re: Information Security – more, but not yet enough, advice from Becta</title><link>http://blogs.msdn.com/ukschools/archive/2008/09/15/information-security-more-but-not-enough-advice-from-becta.aspx#8955418</link><pubDate>Wed, 17 Sep 2008 15:48:17 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8955418</guid><dc:creator>Rayfl</dc:creator><description>&lt;p&gt;Hi Alex,&lt;/p&gt;
&lt;p&gt;I agree that it would have been good to have all the guides at once - which is why I've not yet jumped too far into specific solutions that you can implement to meet the standards.&lt;/p&gt;
&lt;p&gt;On Learning Platforms/Real-Time Reporting, and the relationship with Information Security guidelines, then I think that there will be some issues to be worked through. I don't think that the LP specs included Information Security within them originally, so I guess there'll be an update of the specs coming soon.&lt;/p&gt;
&lt;p&gt;The way that other government departments have given guidance, there may be a circumstance where the needs of citizen-service trump the needs for Information Security (for example, providing online services where a citizen is able to look at information on themself, even though it would be 'Restricted' normally). I guess that's something that might be covered in the further guidance we'll get?&lt;/p&gt;
&lt;p&gt;Ray&lt;/p&gt;
</description></item><item><title>re: Information Security – more, but not yet enough, advice from Becta</title><link>http://blogs.msdn.com/ukschools/archive/2008/09/15/information-security-more-but-not-enough-advice-from-becta.aspx#8956293</link><pubDate>Thu, 18 Sep 2008 01:23:14 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8956293</guid><dc:creator>tomormerod</dc:creator><description>&lt;p&gt;We have been implementing Authority wide (~50K pupils + staff max) the LG framework for the past year. &amp;nbsp;We are just about to start implementing MIS integration and we did not plan to use 2 factor auth. &amp;nbsp;However, this document alludes that this may now be needed! &amp;nbsp;Although I hope more information will become available in the 4 new guides (BTW totally agree Alex all at once!!!) I now have serious concerns about whether I should put the whole MIS Integration project on hold!&lt;/p&gt;
&lt;p&gt;We do use SSL for all traffic but this may not be sufficient for IL-3 data any more (again I totally agree we need some guidance on what exactly is IL-3). &amp;nbsp;I am now even more concerned about Realtime reporting, do we need to have dual factor auth for every parent?!?!?&lt;/p&gt;
</description></item><item><title>re: Information Security – more, but not yet enough, advice from Becta</title><link>http://blogs.msdn.com/ukschools/archive/2008/09/15/information-security-more-but-not-enough-advice-from-becta.aspx#8957210</link><pubDate>Thu, 18 Sep 2008 15:34:26 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8957210</guid><dc:creator>Rayfl</dc:creator><description>&lt;P&gt;Tom,&lt;/P&gt;
&lt;P&gt;In the Becta guide, it says:&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;"In certain cases, however, it will be necessary to share protected data, such as information on pupils' special educational needs that is classified as IL3-Restricted. In this case, two-factor authentication and the use of password-protected files will be necessary to enable secure communication between the school and parents. This should be seen as an exception, rather than the rule."&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Here's an opinion:&lt;/P&gt;
&lt;P&gt;I think it is clear that you're going to need two factor authentication if staff can remotely access IL-3 data. Although we haven't yet got a cut-and-dried definition of IL-2/IL-3 data, I believe it will include info such as attendance and attainment data at IL-2, and SEN data at IL-3.&lt;/P&gt;
&lt;P&gt;Assuming that your MIS system gives access to SEN data, then you're going to need two factor authentication for all your remote MIS users. And the guidance even says you will need that for parents if they too can access IL-3 data, like SEN data.&lt;/P&gt;
&lt;P&gt;Ray&lt;/P&gt;</description></item><item><title>re: Information Security – more, but not yet enough, advice from Becta</title><link>http://blogs.msdn.com/ukschools/archive/2008/09/15/information-security-more-but-not-enough-advice-from-becta.aspx#8957214</link><pubDate>Thu, 18 Sep 2008 15:35:33 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8957214</guid><dc:creator>Rayfl</dc:creator><description>&lt;p&gt;Tom/Alex - you both make good points.&lt;/p&gt;
&lt;p&gt;And you've inspired me to try and simplify, simplify, simplify.&lt;/p&gt;
&lt;p&gt;So I've attempted a pictorial version of the Becta guides - a simple diagram of what's &amp;quot;bad&amp;quot;, &amp;quot;good&amp;quot;, and what's still in the &amp;quot;grey&amp;quot; zone.&lt;/p&gt;
&lt;p&gt;&lt;a rel="nofollow" target="_new" href="http://blogs.msdn.com/ukschools/archive/2008/09/18/information-security-it-s-not-black-and-white.aspx"&gt;http://blogs.msdn.com/ukschools/archive/2008/09/18/information-security-it-s-not-black-and-white.aspx&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;I'm not sure it is right yet, but a way to take the debate forward?&lt;/p&gt;
&lt;p&gt;Ray&lt;/p&gt;
</description></item><item><title>re: Information Security – more, but not yet enough, advice from Becta</title><link>http://blogs.msdn.com/ukschools/archive/2008/09/15/information-security-more-but-not-enough-advice-from-becta.aspx#8957837</link><pubDate>Thu, 18 Sep 2008 23:57:25 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8957837</guid><dc:creator>John_Howarth</dc:creator><description>&lt;p&gt;Hi Ray,&lt;/p&gt;
&lt;p&gt;Thank you for keeping us informed.&lt;/p&gt;
&lt;p&gt;If your definition of IL-3 data is correct, we may choose not to allow parents web access to SEN data as two factor authentication could take our project beyond its financial tolerances.&lt;/p&gt;
&lt;p&gt;The problem will be when a school wishes to present performance analysis information to parents that includes IL-3 data. I agree with the comments above that we need VERY clear definitions from Becta of what constitutes IL-2/3 data.&lt;/p&gt;
&lt;p&gt;I must say (and this is my personal opinion and not that of Bolton Council), Becta are very keen to push deadlines but far too slow to release the necessary detailed guidance.&lt;/p&gt;
&lt;p&gt;Thanks again,&lt;/p&gt;
&lt;p&gt;John.&lt;/p&gt;
</description></item><item><title>re: Information Security – more, but not yet enough, advice from Becta</title><link>http://blogs.msdn.com/ukschools/archive/2008/09/15/information-security-more-but-not-enough-advice-from-becta.aspx#8957890</link><pubDate>Fri, 19 Sep 2008 01:09:10 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8957890</guid><dc:creator>Rayfl</dc:creator><description>&lt;p&gt;Interesting points John. The thing I'd throw into the mix is that these rules don't just apply to electronic data - they apply equally to paper-based data. So, for example, if you were to send home a datasheet to a parent with SEN data on it, you'd probably need to print &amp;quot;Must be securely shredded&amp;quot; on it etc&lt;/p&gt;
&lt;p&gt;When we discussed this in a working group, it made us laugh to think of school reports coming home with &amp;quot;Must be securely shredded&amp;quot; stamped all over them. How many older students would take advantage to shred it before it got home :-)&lt;/p&gt;
&lt;p&gt;Ray&lt;/p&gt;
</description></item><item><title>re: Information Security – more, but not yet enough, advice from Becta</title><link>http://blogs.msdn.com/ukschools/archive/2008/09/15/information-security-more-but-not-enough-advice-from-becta.aspx#8961286</link><pubDate>Mon, 22 Sep 2008 18:27:09 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8961286</guid><dc:creator>sprince</dc:creator><description>&lt;p&gt;The other 4 docs are now up. I've only had chance to read a couple of them so far and they do get a little soporific in places.&lt;/p&gt;
&lt;p&gt;It's interesting that they classify any document with a UPN in it as IL-3, meaning you would need 2-factor auth to access the document remotely. I'm not sure yet what impact that is going to have on access rights in SIMS.&lt;/p&gt;
&lt;p&gt;They are also advocating marking all reports as IL-3 by default and downgrading them to IL-2 or lower manually. I'm not sure the recommendations will be workable given the level of free time to get staff up to speed on this information.&lt;/p&gt;
&lt;p&gt;Certainly there are areas where we can make some improvements though - particularly in being more strict with suppliers about what we are willing to accept from a data protection point of view.&lt;/p&gt;
&lt;p&gt;Sam&lt;/p&gt;
</description></item></channel></rss>