Security

ICT security can be complex, and schools are encouraged to seek advice about it. Each jurisdiction and the Catholic and independent school sectors have security policies and procedures and make specific security guidance available to schools.

Effective ICT security depends on an environment and structures in which security efforts are supported by managers and leaders, and in which all ICT users are encouraged in best practice and in the exercise of caution. Schools should ensure that staff understand that ICT security is in the interests of the whole school community.

The school security policy for ICT should cover at least three areas: physical, data and access security.

Physical security is aimed at reducing loss or disruption by discouraging misuse, damage and theft. Physical barriers are used to achieve this. For example, schools should:

  • locate servers and central network assets in a restricted area with secure access
  • have an accurate assets database, and check it daily
  • undertake regular audits and safety checks of school ICT assets
  • have a reliable asset checkout system to keep track of the use of all equipment
  • ensure that reporting arrangements for missing or damaged items are timely, effective and well known
  • protect desktops, peripherals and other access devices physically with individual, room or perimeter security
  • prevent ‘prank’ or accidental turning off, which may disrupt classes, with locks and keys or combination locks on cabinets or devices
  • use a central key safe with controlled access, and know the location of padlock keys so that their security is assured.
 

Data security is focused on the integrity of the information kept in the school’s computers. Drawing on advice from Becta, schools should:

  • keep all information safe and make it available only to those who are authorised to access it
  • match security measures to the sensitivity and value of the information, providing higher security for highly sensitive or high-value data
  • not permit the removal of sensitive or personal data from the school premises, unless this is part of the school’s security policy
  • protect all desktop, portable and mobile devices, including media, used to store or transmit personal information, using encryption software where appropriate
  • protect sensitive data from unauthorised access through the network by recording important events that occur on the network, including:
      • logon and logoff activity, including through network and remote connections
      • file creation, deletion and access, including access to folders, and print jobs
      • access and changes to user privileges
      • user and group management, including creation, deletion, renaming and other changes to user accounts and passwords
  • adopt reliable and effective system backup strategies to protect against hardware failures and accidental or malicious loss of data.
 

Access security aims to reduce loss by discouraging damage to, inappropriate access to or theft of the information on computers. This is achieved by creating barriers called ‘access controls’ and ‘firewalls’.

To maintain network security, schools should:

  • conduct a network security audit, possibly by using a third-party service, such as the school’s network supplier
  • control access to administrator account information on servers and workstations in line with the school’s ICT network policies
  • record and review network and server activity periodically, to be informed of use and to reveal inappropriate behaviours or unusual errors on the network
  • review policies in line with the requirements of the school’s jurisdiction
  • stop intrusion or harmful attacks on workstations through up-to-date protection software.
 

Security responses should be based on the types and potential impacts of risks. Security measures can affect the usability of the school’s network, and impact on teaching, learning and the effectiveness of the ICT investment. Decisions on security should be informed by considering both the likely impacts of security on teaching and the impacts of a breach in security. Therefore, schools should:

  • plan security in balance with the functionality envisaged in the school’s ICT strategic plan
  • ensure that the technicians who implement security practices work with teachers to understand how security can affect teaching and to develop alternatives that support both learning and security.

Balancing security with usability is an ongoing process. Sometimes, access is given to students based on trust, to allow for flexibility in learning. As with other privileges, access can be removed if trust is broken and re-established when appropriate.