How To Protect School Data From Harm




43: DATA SECURITY POLICY

DATE OF POLICY: FEBRUARY 2013
STAFF RESPONSIBLE: HEAD/DEPUTY HEAD
STATUS: STATUTORY
LEGISLATION: THE DATA PROTECTION ACT 1998
REVIEWED BY GOVERNING BODY: FEBRUARY 2013
EDITED: SEPTEMBER 2013
NEXT REVIEW: SEPTEMBER 2014

The Governing Body is responsible for the maintenance of this policy.

1. Introduction

Data Security

This policy provides core security principles to be followed to ensure that data assets (information, property and staff) are secured in a proportionate manner and that information (including personal data) can be shared confidently, knowing it is reliable, accessible and secured to agreed standards.

The Cabinet Office report Data Handling Procedures and subsequent policy document HMG Security Policy Framework outline mandatory security requirements and management arrangements to which all government departments and public agencies must adhere. Guidance for schools, colleges and universities produced by Becta, following the spirit of government procedures, is proportionate and appropriate for education and helps schools ensure compliance with the Data Protection Act 1998.

The underlying principle of the guidance is that through a combination of technical and procedural solutions, organisations should do everything within their power to ensure the safety and security of any personal data (or data that is important to the secure running of an organisation).

Responsibilities

Data Handling Procedures in Government highlighted two roles (SIRO and IAO) that have responsibility for information security risk management. Although overall responsibility for data security rests with the Head Teacher and Governing Body, it is strongly recommended that the school adopts the titles below (and the responsibilities attached to them). All ICT policies and procedures outlined in this review assume the designation of named staff to these roles:

1. Senior Information Risk Officer (SIRO): a senior member of staff who is familiar with information risks and the school's response. The SIRO at Kingsmead is a Deputy Head (currently Peter Plowman). The key responsibilities are:
a) To own the information risk policy and risk assessment
b) To keep a record of all Information Asset Owners (IAOs) (see below)
c) To act as an advocate for information risk management

2. Information Asset Owners (IAOs): compile and own specific information and their role is to be clear about:
a) What information they hold, and for what purposes.
b) How this information will be amended or added to over time.
c) Who has access to the data and why.
d) How information is retained and disposed of.

Information Assets will include the personal data of learners and staff, such as assessment records, medical information and special educational needs data. Information assets also include non-personal data that could be considered sensitive if lost or corrupted, such as financial data, commercial data, research data, organisational and operational data, and correspondence. The value of an asset is determined by considering the consequences likely to occur if it is lost or compromised in any way, such as identity theft, adverse publicity or breaches of statutory/legal obligations.

An information asset is regarded as the collection of data or an entire data set. It is important to distinguish between an information asset and the information (usually a subset of the asset) that needs protecting. For example, reports run from a core information asset, such as a management information system (SIMS), are not information assets themselves.

Organisations should identify an Information Asset Owner (IAO) for each asset or group of assets as appropriate. For example, the organisation's management information system should be identified as an asset and should have an IAO. The IAO should be able to manage and address risks to the information and make sure that information handling complies with legal requirements. Typically, there may be several IAOs within an institution, whose roles may currently be those of e-safety co-ordinator, ICT manager or management information systems manager.

3. Network Manager: oversees the network and monitors its performance, security, error detection, and also implements access controls. Some critical elements of e-security procedures are also the responsibility of the Network Manager or other Technical Support Staff (for example access control to the Network and Technical Security).

Although this policy explicitly identifies these roles, the handling of secured data is everyone's responsibility, whether they are an employee, consultant, student, parent, governor, software provider or a managed service provider. It must be understood by everyone that failing to apply appropriate controls to secure data could amount to gross misconduct or even legal action.

2. Data Classification

Following recent breaches of information confidentiality in UK educational establishments, current government guidance for schools is to align school information with one of the government information classification levels defined below and safeguard it accordingly. All Information assets are usually regarded as falling into one of five markings, which in descending order of sensitivity are: Top Secret, Secret, Confidential, Restricted and Protect. Most learner or staff personal data that is used within educational institutions will come under the Restricted classification, with much other general school data being marked as Protect. These classification levels are derived from the potential impact that unauthorised disclosure of information may have on the individuals concerned. Non-compliance with this guidance and any subsequent loss of sensitive or personal data could potentially lead to prosecution under the Data Protection Act.

i) Restricted: Information which can only be accessed by named individuals or groups. Printed restricted information shall be labelled to identify it as confidential. Where possible, restricted information displayed on screen should be labelled as such.
ii) Protect: General school information which is not expected to be released to the public.

iii) Public: Information freely available to anyone.

Kingsmead will adopt an Information Classification table (example below), which should be expanded to contain a list of all data types (both paper and electronic) currently held within the school. This will then allow an information risk assessment to be carried out.

RESTRICTED: Personal information related to pupils or staff (usually contained in the Management Information System).
PROTECT: School routines, schedules and management information.
PUBLIC: Website and promotional materials. Display material around school.

Information risk assessment

Kingsmead School conducts thorough risk assessments on the assets it holds. This helps to plan security measures that are practical and proportionate to the asset's specific size and risk profile.

Conducting information risk assessments

Criteria for assessing risks take into account:
- the assets involved
- legal requirements (such as the Data Protection Act 1998)
- the practicalities of running the school day to day
- the impact of incidents on reputation in the community

Identifying, describing and prioritising risks against these criteria: Information Asset Owners list information assets that contain personal data or data valuable to the organisation and then identify:
- the asset details (and the marking to be applied to them)
- perceived threats
- any existing controls
- potential vulnerabilities
- possible consequences

Once the school has identified risks, their size can be estimated (that is, the combination of consequence and likelihood of the assets being compromised), along with what can be done to mitigate these risks. These actions together with the Information Classification Table can then be included in the Information Risk Assessment Policy.

3. Data storage and transfer

It is a legal requirement of the Data Protection Act 1998 to protect and secure personal data.
The Information Commissioner's Office (ICO) recommends that portable and mobile devices (including media) used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software which is designed to guard against the compromise of information.

Any personal or sensitive data that is removed or accessed from outside an approved secure space should be encrypted. Examples of approved secure spaces include physically secure areas in the school, and the premises of support contractors. This applies to both communication links (for example VLE or 24hour school remote access) and to files held on electronic storage media (e.g. hard drives, CDs, DVDs, USB sticks and memory cards). In particular:
- When sensitive or personal data is required by an authorised user from outside the school's premises, for example by a member of staff to work from their home, they should preferably make use of secure remote access to the management information system or the learning platform (VLE, Firefly).
- If secure remote access is not possible, users must only remove or copy personal or sensitive data from the school or authorised premises if the storage media, portable or mobile device is encrypted and is transported securely for storage in a secure location.

Kingsmead School and all users must securely delete personal or sensitive data when it is no longer required.

4. Data security measures to enable business continuity

As a priority Kingsmead will install sufficient server UPS (Uninterrupted Power Supply) capacity to ensure that data corruption would not occur in the event of a power outage and ensure that a backup is regularly made and stored off site. Currently there is no UPS system in place for the school server infrastructure, leaving it vulnerable to data loss in the event of a power outage. There is also no offsite backup. This means that in the event of a catastrophic incident (e.g. fire) which destroyed the server infrastructure and any backups which are currently stored on-site, business recovery would be impossible.

5. Secure email system

Kingsmead School has an MS Exchange based email solution in place for staff. In order to be compliant with best practice, incoming email must be subjected to virus checking before it arrives within the school network.
E-mail systems must also comply with the Data Protection Act's requirement to store any personal (Restricted) information within the EU or within a safe harbour country. For these reasons, use of e-mail systems such as Google mail by staff and students, many of which are hosted within the cloud, is to be discontinued, as these systems do not provide the level of audit transparency or access to archived material likely to be required in the investigation of any potential criminal proceedings involving the use of school ICT systems. Going forward, a secure e-mail solution (such as a local MS Exchange system) should be provided for all users including students.

6. Password Security

The Network Manager will implement a strong password policy to protect data, with regular enforced password changes for users accessing data types with a restricted classification (e.g. SIMS passwords). Students will continue to be able to access their user accounts using soft passwords.

7. External access to school based information resources

Single factor authentication (Username + Password) is required for external access via the web to resources on the school network. Access to SIMS, potentially allowing unauthorised access to Restricted student data, must require 2nd Factor authentication (e.g. by One time password key generation devices) for those users requiring external access to Restricted resources.

Kingsmead will develop auditable change logs and reconciliation with the school MIS system for data held in other systems.

Kingsmead will develop systems to ensure that all ICT resources taken out of school are subject to the highest level of security protection and any ICT resources which do not have this security applied have no access to the core network when they return.

8. Access Controls

A central record of sensitive usernames/passwords is stored in the school safe with access controlled by the SIRO and Bursar. The data classification table is updated annually and reported to the governing body. The audit of access rights to Restricted data ensures that access is only provided to staff who require it to carry out their role in school.

9. Published protocols and procedures

The Network Manager will develop, publish and annually review manuals, procedures and policies which cover all aspects of the day to day use of ICT systems by all users, including information which could be used in extremis by a third party to successfully manage the current school ICT systems in the absence of the Network Manager. This last item is stored in the school safe along with the central record of sensitive usernames/passwords.

10. Data Security working Group

Kingsmead will establish a data security working group to meet periodically whose remit includes the review of all ICT policies and procedures including the updating of the Acceptable Usage Policy (AUP). Aspects of e-safety fall within the remit of this group. The group will also consider the provision of appropriate training for all sectors of the school community including:
- School Workforce training in understanding the rationale for all data security procedures and the consequences of inappropriate practice.
- School Workforce training in responsible approaches to data use on mobile devices, communicating online and procedures when using multimedia digital content such as photographs, videos and podcasts in terms of permission seeking, taking, storage and retention.
- Regular re-visiting of the AUP with staff and pupils.

11. Incident Reporting

An important element of data security is the ability to identify and deal with incidents related to the confidentiality of information. All staff and students have a responsibility to report data security incidents so that they may be dealt with effectively and in a timely manner in order to minimise any impact on the school.

The incident reporting procedure requires incidents to be reported in the Incident Log held by the SIRO. The log captures the following information:
- Incident Date: When the occurrence took place
- Description of the Occurrence: What happened inc. classification of any information compromised
- Immediate Corrective Action: What was done to minimise the impact of the incident
- Further Action: Tasks to be undertaken to prevent reoccurrence
- Legal Implications: Any legal ramifications e.g. Data Protection Act
- Closed Date: Date by which the incident is closed by the Head/SIRO

The Incident Log is formally reviewed, and any outstanding actions delegated via the Senior Leadership Team, at a minimum frequency of once per term. Through this review process, where deemed appropriate, the leadership team shall update the risk assessment in light of new incidents. The Log and accompanying action plans should be reviewed annually by the Governing Body.

Examples of common incidents which occur in schools which would be expected to be logged include:
- Circumventing the network security system
- Accessing inappropriate material (definition in AUP)
- Installing unapproved software
- Using other people's email addresses or passwords
- Breaching copyright
- Uploading Restricted or Protect school material onto a social network or chat room
- Leaving school mobile devices unattended
- Failure to log off when leaving a device

12. Starters and Leavers

The formal system for recording starters and leavers, ensuring that access to all school ICT systems (including any VLE in use) is removed in a timely fashion for all leavers, is the responsibility of the Network Manager. All staff are required to sign the Acceptable Usage Policy and teaching staff sign an acceptance of responsibility for the security of all ICT equipment issued