Security of personal, confidential & similar electronic data and preventing data loss in an Education Environment
Alan Laffoley - Technical Services Director, Akhter Computers plc, Suppliers to Education, Government and Defence Establishments
Published:  15 May, 2008

Finding a common-sense approach to protecting personal data in an education environment is one of the toughest challenges now faced by schools, which are still building accessible Virtual Learning Environments and integrated Schools Information Management Systems.

Last year brought the widespread loss of data from trusted organisations in the UK and elsewhere into public focus as never before. Large fines have frequently followed data loss, and the government has responded to public concern over this issue by requiring that government organisations employ adequate security measures. Organisations are responding by stepping up data protection and deploying security measures throughout their IT systems. Schools are no exception in being vulnerable to litigation resulting from the loss of sensitive personal information.

In the event of personal data being lost, major consequences can result from malicious or criminal misuse. When such a breach occurs, questions are raised as to whether security recommendations, policy and procedures were rigorous and applied. Those responsible for the data must show that they took every reasonable preventative precaution. No one in authority wants to be seen to be lacking in diligence in such circumstances.

Becta have updated guidance on information security and are advising school management teams to take urgent steps to ensure data controllers in their institutions follow the new guidance.

These include: 

  • Do not remove sensitive or personal data from the school premises unless this is part of your school's security policy, for example where backups are being taken off site. In this case make sure that the media used has been encrypted and is transported securely for storage in a secure location.
  • Protect all desktop, portable and mobile devices, including media, used to store and transmit personal information using approved encryption software.

The Information Commissioner's Office (ICO) recommends that portable and mobile devices, including magnetic media, used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software designed to guard against the compromise of information.

Becta's guidance includes a recommendation that data controllers ensure that any solution meets the current standard of FIPS 140-2 Level 3 approved encryption products. School leaders should ask their support providers or technical staff to ensure that their institutions are fully adopting and using these standards.

Becta's recommendations have significant cost implications; however, saving money is no longer an option. For data controllers handling sensitive personal data, the cost of acquiring and implementing secure laptops can in some instances be more than double that for normal computer users.

A full assessment is needed to identify what data is sensitive, what is unrestricted and who has access to what. Other issues that need to be looked at include:

  • Encryption, which ensures that if a laptop is taken, data cannot be read by a third party.
  • Preventing access to media such as USB memory sticks, CD-ROMs and other USB devices.
  • Removing scope for user error, so that data encrypts and decrypts automatically without any intervention.
  • The ease and speed with which encryption can be deployed.
  • An encryption solution in an education establishment must exclude both advanced students who have legitimate access to the network and external threats from hackers who, for example at university level, might be interested in research data.
  • Ensuring that your institution's security policy covers how personal information is stored, transmitted or processed, and that it is managed and protected accordingly and reviewed periodically.

Security level requirements will vary according to the information being handled. Software and firmware encryption give basic-level security. Approved passwords must be sufficiently complex to make cracking them impossible within a lifetime.

For sensitive personal data, creating the right level of data protection requires hardware-based security encryption and tamper evidence, enabling the data owner to identify attempts to get at the data. Tamper evidence can take the form of a seal or coating. In addition, at the level now being recommended by the ICO, data controllers must ensure that a solution meets the current standard of FIPS 140-2 Level 3 approved encryption products. This level requires that the system be able to detect and respond to attempts to tamper with the critical security parameters, which can mean disabling or destroying data once a sufficient intrusion attack has been identified.

The challenge for schools is to find a solution that is both effective and economical, from suppliers who are product-independent, experienced and competent. Suppliers exclusively specialising in IT services to schools are still on a learning curve, grappling with the complexities of building to the required data security standards. Those suppliers who are already dealing in data-sensitive markets will be able to bring authoritative advice designed to optimise security with the most cost-effective solutions and implementation.

Contact Akhter on: Tel: 01279 821200  http://www.akhter.co.uk/





© Copyright 2010 Education Today. Datateam Business Media Limited. All rights reserved.
Registered in England No: 1771113. VAT No: 834 8567 90.
Registered Office: 8-10 Dryden Street, Covent Garden, London WC2E 9NA