Data Loss - Facing up to the consequences

Finding a common-sense approach to protecting personal data in an education environment is one of the toughest challenges now faced by schools, which are still building accessible Virtual Learning Environments and integrated Schools Information Management Systems.

Last year brought into public focus as never before the widespread data loss from trusted organisations in the UK and elsewhere. Large fines have frequently followed data loss, and the government has responded to public concern over this issue by requiring that government organisations employ adequate security measures. Organisations are responding by stepping up data protection and deploying security measures throughout their IT systems. Schools are no exception in being vulnerable to litigation resulting from the loss of sensitive personal information.

No one in authority wants to be found lacking in diligence when a sensitive data loss occurs.


Assessment and issues to address

A full assessment is needed to identify what data is sensitive, what is unrestricted, and who has access to what. Other issues that need to be looked at include:

  • Encryption which ensures that if a laptop is taken, data cannot be read by a third party
  • Prevention of unauthorised access via media such as USB memory sticks, CD-ROMs and other USB devices
  • Removal of the scope for user error, so that data encrypts/decrypts automatically without any intervention
  • The ease and speed with which encryption can be deployed
  • An encryption solution in an education establishment must exclude advanced students who have access to the network
  • External threats to data can come from those who might be interested in acquiring university-level research information
  • Does the institution's security policy fully cover how personal information is stored, transmitted or processed?
  • Is there a procedure to manage and protect data and a regular review of such systems?


Recommendations from Becta & the ICO

Becta Guidance?

Becta have updated guidance on information security and are advising school management teams to take urgent steps to ensure data controllers in their institutions follow the new guidance.

The guidance includes:

  • Do not remove sensitive or personal data from the school premises unless this is part of your school's security policy, for example where backups are being taken off site. In this case make sure that the media used has been encrypted and is transported securely for storage in a secure location
  • Protect all desktop, portable and mobile devices, including media, used to store and transmit personal information using approved encryption software

 
 

The Information Commissioner's Office (ICO) recommends that portable and mobile devices, including magnetic media, used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software which is designed to guard against the compromise of information.

Becta's guidance includes a recommendation that data controllers ensure that any solution meets the current standard of FIPS 140-2 Level 3 approved encryption products. School leaders should ask their support providers or technical staff to ensure that their institutions are fully adopting and using these standards.

There are significant cost implications of Becta's recommendations; however, saving money is no longer an option. For data controllers handling sensitive personal data, the cost of acquiring and implementing secure laptops can in some instances more than double that of normal computer users.


Implementation

Ensuring that your data is secure

Data security requirements will vary according to the degree of sensitivity of the information being handled.

Software and firmware encryption can give only basic-level security. Approved passwords must be sufficiently complex to make cracking them impossible within a lifetime.

For sensitive personal data, creating the right level of data protection requires hardware-based security encryption and tamper evidence, enabling the data owner to identify attempts to get at the data. Tamper evidence can take the form of a seal or coating.

At a higher level, now being recommended by the ICO, data controllers must ensure that a solution meets the current standard of FIPS 140-2 Level 3 approved encryption products. This level requires that the system is also able to detect and respond to attempts to tamper with the critical security parameters, which can mean disabling or destroying data once a sufficient intrusion attack has been identified.

 

 

The challenge for schools is to find a solution that is both effective and economical, from suppliers who are product-independent, experienced and competent. Suppliers exclusively specialising in IT services to schools are still on a learning curve, grappling with the complexities of building to the required data security standards.

Akhter Computers has been dealing in data-sensitive markets, such as government and defence, for decades. Akhter can uniquely bring authoritative advice and cost-effective security solutions that are specifically suited to the requirements of schools and colleges.