Connections First Quarter 2006
a newsletter for our clients and friends





Protecting Information Assets

Over the last ten years information security has become a critical issue for every organization. As threats build and the amount of information in digital form increases, it is ever more critical to squarely address the protection of information systems and users as a fundamental part of district operations.

School districts large and small across the country have so far been able to avoid major incidents of information theft or tampering. Unrecognized by many, however, in nearly every community the school district is the largest employer with a trove of personal data that is generally unprotected except for rudimentary measures. In addition, districts have a mandated responsibility to protect students from unauthorized interaction and content via the Internet. Thirdly, districts also hold information that is required by law to be protected such that someone may not make inferences through associations within the data.


This article concerns security but we are also able to engage continuity planning as well as develop facility security systems and safety protocols for students and staff.


E-rate on your mind? Please see our previous newsletter or take a moment to visit E-rate Blog for E-rate information and to ask questions or make comments.

Security Through Obscurity

The issue is not completely unrecognized, however. Most districts implemented rudimentary security measures during development of their networks and information systems. But even if security measures were robust and capable when implemented, times have changed. Many districts are now deep into implementation of new solutions for student information and enterprise management. These applications have a Web-based user interface and rely on the network for intercommunication. In addition, WiFi and IP telephony add complexity and requirements that were not envisioned during the first wave of network development ten years ago. Finally, it has become even more apparent that the most critical link in information security is the user and precious little has been done to assure that users understand and implement necessary security protocols.

From our experience, many districts large and small rely on security through obscurity for their information systems protection. Information systems run on old mainframes; networks use outdated protocols; no one knows where the routers are; there has never been a theft of information. This is a crisis waiting to happen. Even if it does not seem real in your district, it is imminent somewhere. It is only a matter of time as districts move their information systems into the 21st century and hackers come to realize the wealth of information that is available.

It is obviously necessary to prevent disclosure of private or protected information. A security incident can have a wide-ranging negative impact on district operations, user confidence and public opinion. This should make information security an essential component of district operational strategy. Establishing an information security program that addresses the risks the district faces should also be a high priority.

A comment from one of our clients says it all: "It must be clearly understood at every level and by every person throughout the district that information security is not a technology problem to be solved but rather it is a critical operational process to be implemented."

In this newsletter we discuss three fundamental questions for information security:
• How do you justify the need for information security?
• What is the best way to provide information security?
• What does it take in time, talent and cost?

Information security decisions need to be made from a rational and practical perspective independent of the fear that is often the real product being delivered by those attempting to influence your decisions. In addition, there is little precedent for information security in K-12 education so methodologies for commercial organizations may not make sense in your district. There is, however, a great deal of information available and many security methods, controls and protocols can be readily adapted for your use.

Background

Information systems security can be approached using a layered model for the primary elements of enterprise information systems. The optimum approach to security addresses the whole and the constituent elements simultaneously. Layers also apply to security policy and plans to provide a diversified approach to help assure that a failure in one area will not cause a complete breakdown of security throughout the enterprise.

Securing information systems against the full spectrum of threats requires the use of multiple, overlapping protection approaches to thoroughly address personal, technological and operational aspects. This is required by the interactive nature of systems and networks, and the fact that any single system cannot be adequately secured unless all interconnecting systems are also secured. By using multiple, overlapping protection approaches, the failure or circumvention of any individual protection approach will not leave systems completely unprotected. And that does not even address people... Thorough user training and awareness, well-crafted policies and procedures, and redundancy of protection mechanisms enable effective protection of information systems for the purpose of achieving mission objectives.

The various elements of information security are called controls. Controls address the use, operation and administration of information systems. Controls apply to all layers of the functional model and include, primarily, behaviors, operations and documents that are defined through plans, policies and metrics established and monitored by the organization. Each control provides a specific security action or capability needed to protect a particular aspect of an information system.

Controls are grouped into three classes: management, operation and technology. These classes correspond to major sections of the security plan. The table below summarizes the classes and the further breakdown into families within the security control catalog.

| Class | Family |
|---|---|
| Management | Risk Assessment |
| Management | Planning |
| Management | Systems and Services Acquisition |
| Management | Certification, Accreditation and Security Assessments |
| Operation | Personnel Security |
| Operation | Physical and Environmental Protection |
| Operation | Contingency Planning |
| Operation | Configuration Management |
| Operation | Maintenance |
| Operation | Systems and Information Integrity |
| Operation | Media Protection |
| Operation | Incident Response |
| Operation | Awareness and Training |
| Technology | Identification and Authentication |
| Technology | Access Control |
| Technology | Audit and Accountability |
| Technology | Systems and Communication Protection |

The final background issue is developing a cost and loss model for information systems security implementation.

In the model, threats and hazards result in attacks and events if left unabated. Threats and hazards drive defense measures to prevent or mitigate resulting situations as well as responses if there is a breach or disruption. The breach or disruption is focused on specific assets within the larger context of information assets. Vulnerabilities can be identified for each information asset and each asset has an associated level of confidentiality, integrity and availability that must be maintained in the face of hazards and threats. Within school districts, the CIA level of many information assets is driven by regulatory law.

There are costs associated with removing threats, building defenses and fixing vulnerabilities. These costs are derived from a security budget that is part of the larger budget for information systems deployment and maintenance. Two ex post facto costs associated with a breach or disruption include the cost to the district for loss of service and the cost to reclaim information, repair systems and rebuild systems integrity.

In very practical terms, when the cost to prevent and mitigate threats and hazards is less than the cost for lost service and to rebuild, the decision to implement information security is justified. The difficult factors to assess are estimates of the actual value for loss of service and cost to rebuild. These costs can also include significant intangible expenses such as loss of public trust and collateral effort to overcome a breach or disruption. Additionally, there is an intangible cost associated with the failure to meet regulated levels of security that are not well defined, but can be actualized in civil penalties, criminal indictments or tort of negligence.

How do you justify the need for information security?

There are three reasons to implement information security:
• Regulations require it.
• A threat or hazard has been identified.
• Systems are vulnerable.

The question is not really whether information security is required but rather to what level. An assessment of need follows each of the reasons noted above to arrive at the final decision case.

Regulatory requirements for protection of health information, lunch status and student learning plans are well understood. Less well understood are similar requirements for protection of email and other communications as well as the practical need for protection of private staff information.

In many cases the threat is only hypothetical and without the tools, techniques and understanding to discern a threat it will remain so. That is, until systems are shut down or the damage is discovered and reported via external channels. Fortunately, the nature of most threats is well reported and understood. These range from viruses and trojans riding on email to WiFi war tagging and packet sniffing on the network. The trick becomes accurately determining which can be actual threats for your district.

Sometimes it is easier to determine vulnerabilities. One can start with a list of potential threats and build a matrix aligning these with existing security controls for information systems. While this may seem a very practical way of assessing need, it only provides a view looking backwards to known threats and the past. A better way to establish requirements for security is based on a review of the requirements for confidentiality, integrity and availability for each information resource and then establishing the nature and level of controls required to mitigate the risk for each system.

In the end, however, it is often inappropriate practices and policies that expose information resources and systems to threats. With even the best of controls, if staff are not trained and held accountable, disruption, exposure or loss is almost assured.

The means to assess the security requirements of individual information systems is to quantify the following security factors for each:
• Confidentiality: The requirement that private or confidential information not be disclosed to unauthorized individuals. Confidentiality protection applies to data during entry, in storage, during processing and while in use, review or transit. For many organizations, confidentiality has a lower priority than availability and integrity in terms of importance for very practical reasons. Yet for some systems and for specific types of data, including that defined by regulation, systems confidentiality is of supreme importance.
• Integrity: The property that data has not been altered in an unauthorized manner while in storage, during processing or while in transit. It is also the quality that a system has when performing the intended function in an unimpaired manner, free from unauthorized manipulation. Integrity is commonly an organization's lowest priority security objective, but it often becomes a critical factor in times of crisis when accurate data is vital to effective response. Additionally, it is critical to have the same data at the central office and the schools in real time.
• Availability: Assuring that information is promptly accessible and that service is not denied to authorized users. This security objective protects against intentional or accidental attempts to perform unauthorized deletion of data or otherwise cause a denial of service or data, or to use systems or data for unauthorized purposes. Availability is frequently an organization's foremost objective for practical reasons, but only to reduce the overhead required of staff to authenticate their access.

The confidentiality, integrity and availability factor for each information resource or system is quantified as high, medium or low. A value of low indicates that reasonable efforts to meet the base requirements of assurance are adequate for information protection. Medium requires extenuating measures but information disruption will not incur significant harm to the district or violation of regulations. A value of high indicates that information disruption will cause severe harm or liability for the district including violation of law. This is presented in the following table.

| Factor | High | Medium | Low |
|---|---|---|---|
| Confidentiality | Regulated, loss causes critical damage or liability | Not regulated, can cause embarrassment or liability | Information is not relevant in another context |
| Integrity | Vital to day-to-day district operations, irreplaceable | Vital to operations at district or school but replaceable with effort | Maintained for convenience, replaceable |
| Availability | Required for daily operations | Required but lapse of three days not disruptive | Can be duplicated manually, lapse of one week not disruptive |

A fourth factor, impact, is derived for each resource or system based on the overall impact the loss of that information resource will have on district operations. Levels are severe, moderate and limited. Impact levels for each security objective are used in conjunction with vulnerability and threat information to assess the overall risk to the organization from a disruption. The impact factor is also used to assess the need for continuity planning and points up the need for interconnection between security protocols and continuity protocols for that resource.

What is the best way to provide information security?

Once security needs are quantified, it is possible to establish what must be done to provide the required level of security. One of the best ways to begin is to establish a framework for implementation of a security program. An information security program is a coherent assembly of controls, policies and procedures that integrates systems functions, organizational operations and user behaviors. Program development is driven by security needs, established culture and the district's mission, making it unique for each district. While information security programs are sometimes implemented following an actual loss or incident, prudent organizations address security early and establish needs independent of an actual breach, most often using a phased approach.

Primary objectives for a security program include:
• Establish a shared vision for security within the district with supporting authority from the Board and executive administration with commitment from key stakeholders.
• Realistically assess security requirements throughout the district.
• Identify the roles and responsibilities for program staff and systems stakeholders.
• Implement an audit process to validate the level of security implementation and update security policies and controls to meet changing requirements in the district.
• Establish requirements for awareness of security and the means to develop awareness in all persons in the district.
• Proactively identify potential security threats and hazards as well as weaknesses in systems configurations or security controls.
• Minimize the impact of security incidents on the district and provide a fast, structured and deterministic response to security incidents.
• Establish a consistent and accurate recording of incidents and their resolution, along with all relevant documentation to build a body of knowledge that helps to resolve future incidents and provides input to refine security controls and security policies.

Typical barriers to security program implementation include:
• Lack of funding to provide staff and systems to meet requirements.
• Lack of support from executive administration or the Board for a comprehensive security program.
• Relatively low priority for implementation of security measures across the district.
• Insufficient internal technical skills and staff to meet operational requirements.
• Lack of training for information systems owners to implement security controls.
• Lack of time and resources to develop a district-level security plan.
• Limited awareness of security requirements among users throughout the district.

Based on the barriers identified, the following critical success factors need to be considered to help assure successful program implementation:
• Unconditional support and engagement of executive administration and the Board.
• Security policy, its objectives and activities must be integrated into and reflect the mission and culture of the district.
• A mandate from the Board to effectively implement security controls in schools and departments.
• Training for systems administrators and technology coordinators to assure adequate understanding and skills to implement security practices and controls.
• Thorough internal knowledge of security requirements, risk analysis and risk management to drive policy development.
• Development of a comprehensive security plan that organizes and prioritizes security controls for implementation centrally as well as in schools and departments.
• Funding sufficient to develop necessary plans and controls and to implement the highest priority controls in a phased approach.
• Security policy and practice is clearly communicated to all users who are also trained in a suitable manner and held accountable for implementation.
• Security policy and practice is clearly communicated to everyone providing services to the district.
• A comprehensive and balanced auditing system is included to support accountability, implementation effectiveness and continuous improvement.

What does it take in time, talent and cost?

There is a significant challenge to integrate an information security program into the existing operations and culture of any organization. Add to this the need for a reasoned approach to budgeting and the task is formidable. To simplify the issue, implementation of the information security program should be based on a best-practice approach with an in-depth assessment of district needs, requirements and constraints. The first step of the implementation should establish these factors as a foundation.

The optimum course of action for program definition proceeds along seven steps:
• Define the present situation
• Establish needs and requirements for implementation
• Define options for development
• Select the optimum approach to program development
• Assess risk of implementation
• Assess return on investment for implementation
• Mitigate risk with a proof of concept, business case and project charter.

Implementation of an information security program itself generally proceeds through three phases:
• Transition: The transition phase identifies systems and their owners and then develops structure within the technology department to establish the security program as a separate group with connections to information systems owners. This helps to assure a fully operational role for the program in parallel with information systems owners.
• Implementation: This phase engages activities to establish the program by hiring key staff, developing operational processes and defining the policies, procedures and controls for systems protection.
• Operations: The primary actions of this phase include auditing the implementation and operation of security controls, engaging user training, updating policies, procedures and plans, and assessing potential and actual threats and hazards. Another critical operational role is to engage threat response to provide damage control and event mitigation.

Transition and implementation could take a year with the operational phase being continuous after that.

Staffing for the information security program generally includes a leader of the program and key staff to provide audits, training, maintenance and response. This staff will coordinate the implementation of controls by systems owners. Program staff implement few controls themselves. There are no metrics to determine adequate staffing levels for a district, but a survey of higher education institutions conducted by EDUCAUSE Center for Applied Research reveals that organizations with 10,000 network devices had one to two dedicated staff and organizations with 40,000 devices had four to six persons dedicated to an information security program. This includes the program leader.

Finding suitable staff may be a challenge for districts. Qualified persons at a directorial level will require $80 to $100 thousand annually depending on experience and certification. Operational staff will also require proportionately more than their networking peers due to the specialized nature of their work, generally $50 to $70 thousand annually. The needs of any particular district are very individual, however, and staffing must be sensitive to numerous factors.

In the EDUCAUSE survey noted above, over half of institutions spent between 1 percent and 5 percent of the information technology budget on information security. 28 percent spent less than 1 percent and 17 percent spent more than 5 percent. Gartner, in a report for business, indicated that between 3 percent and 6 percent of the information technology budget is a reasonable fund for information security. Two final points: the funds for an information security program should be an expansion of the existing budget rather than a reapportionment of existing budgets, and a security budget should also be added to the information technology budget in schools and departments to assure that information systems owners have the funds to implement necessary controls.





fine print...

Please tell us what you think of the information or layout by sending a note to newsletter@millenniumstrategies.com.

This newsletter is an expression of our insight and opinion. The information presented here is provided without warranty and we advise prudent and diligent thought before using it.

This document may not be copied in whole or in part by any means unless you write to us and ask and we write back and tell you it is ok.

This is a commercial message from
Millennium Strategies, llc.
Box 171
Minneapolis, MN 55424






© 2006 Millennium Strategies, all rights reserved