Information Security Framework - Oregon Department of Education

Information Security Framework for Education
Birth-12
Drafted by the Education Information Security Committee, Information Security Framework
Workgroup
Workgroup Members: Rick Wahlstrom (NWRESD, chair), Amy McLaughlin (ODE), Nick Lapp
(IMESD), Benjamin Tate (Salem-Keizer SD), John Goucher (Hillsboro SD), Lance Queen (Crook
County SD)
Security Components
I. Risk Management
Risk Management is the process of identifying, assessing, and taking steps to reduce risk to an
acceptable level for information systems and data. Risk management is critical for <district
name> to successfully implement and maintain a secure environment. Risk assessments
identify, quantify, and prioritize risks against criteria established by the district for risk
acceptance and objectives. Assessment results guide and determine appropriate district action
and priorities for managing information security risks and for implementing controls needed to
protect information assets.
Risk assessments (RAs) can be conducted on any entity within the district or on any outside entity
that has signed a third party agreement with the district. RAs can be conducted on any
information system, including applications, servers, and networks, and on any process or
procedure by which these systems are administered and/or maintained.
The role of Information Security Officer (ISO) can be a designated position, or its responsibilities
can be assigned to an existing individual. The ISO is responsible for leading and/or facilitating the
Information Security Risk Assessment Team.
The identification of information security risks and notification of the ISO is the responsibility of
all district personnel. The execution, development, and implementation of remediation
programs are the joint responsibility of the ISO and the department responsible for the process
or systems with the identified risk. District staff are expected to cooperate fully with any RA
being conducted on systems for which they are held accountable. Staff are further expected to
work with the Information Security Risk Assessment Team in the development of a remediation
plan.
Risk management can include the following steps as part of a risk assessment:
1. Identify the risks
a. Identify district assets and the associated information owners
Release date: August 15, 2012
b. Identify the threats to those assets
c. Identify the vulnerabilities that might be exploited by the threats
d. Identify the impacts that losses of confidentiality, integrity and availability may
have on the assets
2. Analyze and evaluate the risks
a. Assess the business impacts on the district that might result from security
failures, taking into account the consequences of a loss of confidentiality,
integrity or availability of those assets
b. Assess the realistic likelihood of security failures occurring in the light of
prevailing threats and vulnerabilities, and impacts associated with these
assets, and the controls currently implemented
c. Estimate the level of risks
d. Determine whether the risks are acceptable
3. Identify and evaluate options for the treatment of risk
a. Apply appropriate controls
b. Accept the risks
c. Avoid the risks
d. Transfer the associated business risks to other parties (e.g., insurers or contracted service providers)
4. Select control objectives and controls for the treatment of risks
II. Security Policy
The objective of an information security policy is to provide management direction and support
for information security in accordance with <district name> business requirements and
governing laws and regulations. Information security administrative rules supporting the
overarching information security policy will be approved by the district, published and
communicated to all employees, students, and external parties as appropriate. These rules will
set <district name>’s approach to managing information security and will align with relevant
federal and state regulations and laws.
Information security rules will be reviewed at planned intervals (at least annually), or whenever
significant changes occur, to ensure their continuing suitability, adequacy, and effectiveness. Reviews will include
assessing opportunities for improvement of <district name>’s information security policies and
approach to managing information security in response to changes to <district name>’s
environment, new threats and risks, business circumstances, legal and policy implications, and
technical environment.
III. Organization of Information Security and Privacy
Information security is proactively managed at <district name>. Management approves
information security procedures, assigns security roles, and coordinates and reviews
the implementation of security across the (school/district/ESD).
Information security requires coordination and communication throughout the district. This
includes ensuring staff and teachers fully understand their roles and responsibilities in
maintaining information security and privacy standards. Information security
responsibilities must be clearly defined and communicated to staff through easy to locate
<procedures/training/administrative rules>.
Key responsibilities in information security and privacy are identified and assigned to specific
personnel. In most cases, these responsibilities are a part of an individual’s position, not a
separate position. Key responsibilities include:
● Primary point of contact for Information Security (Information Security Officer)
● Primary point of contact for FERPA Privacy Compliance
● Primary point of contact for Information Security Incident Response
● Primary point of contact for security administration
IV. Asset Management
Asset Management is the process of tracking and reporting the value and ownership of
information assets. Information asset management is essential in order to provide reliable and
secure services. Information assets include:
Information - the data itself whether stored on paper or electronically
Databases
Paper filing systems
Information technology systems used to store and process valued information
Districts have an obligation to maximize the security and efficiency of asset tracking and
utilization. An accurate inventory of information and information systems allows districts to
better define and control the components of the infrastructure and services provided. Asset
tracking also enables districts to leverage configuration management tools and practices, as
well as plan for future asset needs by determining availability of equipment. Accuracy is a key
goal in all aspects of Asset Management.
Districts should begin with a baseline effort to establish an asset management database. All
assets, as defined below, should be tracked in that database, processes should be put in place to
maintain the validity and accuracy of the data, and annual reviews should be conducted to verify
the data.
Once the baseline has been established, districts should undertake process development as part
of their next steps. Processes can cover a variety of areas, but should at least establish steps for
the following areas:
1. Asset Ordering
2. Asset Receiving and Check-in
3. Asset Requests
4. Asset QA
5. Asset Decommission
6. Asset Surplus/Trade-In
Additionally, standards should be developed for the following areas:
1. Asset Shipping and Receiving
2. Asset Storage
3. Asset Tagging
4. Asset Tracking
5. Asset Reporting
V. Human Resources Security
All employees, volunteers, contractors, and third party users of <district name> information and
information assets will understand their responsibilities and will be deemed suitable for the roles
for which they are considered, in order to reduce the risk of theft, fraud, or misuse of information. Security
responsibilities will be addressed prior to employment in position descriptions and any
associated terms and conditions of employment. Where appropriate, all candidates for
employment, volunteer work, contractors, and third party users will be adequately screened,
especially for roles that require access to sensitive information. Management is responsible for
ensuring security is considered during hiring and throughout the individual’s employment with
the district.
The district intends to ensure that persons employed by or contracting with the district have
not engaged in any criminal behavior that is incompatible with their duties and responsibilities
with regard to access and handling of protected information, and the mission of the district. To
achieve this goal, the district includes notice in hiring announcements that a background check
will be conducted on potential candidates. As a condition of employment, applicants applying
for positions must sign an authorization form allowing the district to conduct a criminal
background check. The district conducts criminal background checks on all prospective
employees, direct hire temporary appointments, and external transfer employees. The Human
Resources department will ensure that external contractors have completed criminal
background checks on all contractors assigned to work at the district. Information security
requirements are included in the position descriptions of the Information Security Officer.
All new employees and temporary employees receive training on the district’s Information
Security program and are covered and required to sign relevant security documents. All
employees and contractors participate in security awareness training annually, at which time
they also sign all applicable security policies.
Security training includes, but is not limited to, training on security policies and procedures,
FERPA and HIPAA, individual preventative security steps, and information on IT security
that educates the user about the dangers at work and at home.
Procedures will be implemented to ensure that an employee, volunteer, contractor, or
third party’s exit from the district is managed, and the return of all equipment and
removal of all access rights are completed.
VI. Physical and Environmental Security
The purpose of physical and environment security is to prevent unauthorized physical access,
damage, theft, compromise, and interference to <district name> information and facilities.
Locations housing critical or sensitive information or information assets will be secured with
appropriate security barriers and entry controls. They will be physically protected from
unauthorized access, damage, and interference. Secure areas will be protected by appropriate
security entry controls to ensure that only authorized personnel are allowed access.
All equipment containing storage media will be checked to ensure that any sensitive data
and licensed software has been removed or securely overwritten prior to disposal.
For more information on physical and environmental security please see the following
sample documents:
● Building Security Policy
● Visitor Policy
● Workstation Security Policy
(http://www.sans.org/securityresources/policies/200802_002.doc)
● MDF/IDF Security Policy
○ Authorized personnel only
○ Key lock at minimum, keypad with logging recommended
● Sustainable Acquisition and Disposal of Electronic Equipment – Statewide Policy 107-009-0050 (http://www.oregon.gov/DAS/OP/docs/policy/state/107-009-0050.pdf?ga=t)
● MDF/IDF Environment Guidelines
○ Water/fire avoidance
○ Windowless rooms
○ Temperature controlled rooms
○ Steady power supply with UPS devices in place
● Data Backup Policy
○ Backup frequency
○ Offsite backups
VII. Communications and Operations Management
To ensure the correct and secure operation of information processing facilities, responsibilities
and procedures for the management and operation of all information processing facilities should
be established. This includes the development of appropriate operating procedures. Segregation
of duties should be implemented, where appropriate, to reduce the risk of negligent or
deliberate system misuse.
OPERATIONAL PROCEDURES AND RESPONSIBILITIES
Documented operating procedures
Change management
Segregation of duties
Separation of development, test, and operational facilities
THIRD PARTY SERVICE DELIVERY MANAGEMENT
Service delivery monitoring and review of third party services
Managing changes to third party services
SYSTEM PLANNING AND ACCEPTANCE
Capacity management
System acceptance
PROTECTION AGAINST MALICIOUS AND MOBILE CODE
Controls against malicious code
Controls against mobile code
BACK-UP
Information back-up
NETWORK SECURITY MANAGEMENT
Network controls
Security of network services
MEDIA HANDLING
Management of removable media
Disposal of media
Information handling procedures
Security of system documentation
EXCHANGE OF INFORMATION
Information exchange policies and procedures
Exchange agreements
Physical media in transit
Electronic messaging
Business information systems
ELECTRONIC COMMERCE SERVICES
Electronic commerce
On-Line Transactions
Publicly available information
MONITORING
Audit logging
Monitoring system use
Protection of log information
Administrator and operator logs
Fault logging
Clock synchronization
VIII. Access Control
Access to information, information systems, information processing facilities, and business
processes will be controlled on the basis of business and security requirements. Formal
procedures will be developed and implemented to control access rights to information,
information systems, and services to prevent unauthorized access. Users will be made aware of
their responsibilities for maintaining effective access controls, particularly regarding the use of
passwords. The district system access rules enforce the expectation that users have individually
assigned user names and users understand that they are held accountable for actions taken with
their user name and password. Users will be made aware of their responsibilities to ensure
unattended equipment has appropriate protection.
A clear desk rule for papers and removable storage devices and a clear screen rule is strongly
recommended especially in work areas accessible by students, parents, or the public. Steps
will be taken to restrict access to operating systems to authorized users. Protection will be
required commensurate with the risks when using mobile computing and teleworking
facilities. <district name> ensures appropriate password policies, auto-locking of systems and
other PC security policies by use of the district’s Directory Group Policy and only the district’s
domain administrators have the ability to change group policy. The procedures for access to
systems vary depending on the type of access and how that access is facilitated.
Any users requiring local administrator access to server systems must fill out an <insert your
form name here>. All employees will receive training on the use of passwords, when systems
are to be locked or timed out, how the different levels of information security determines how
information assets are handled, and when and how information will be transported and
disposed of. All users requiring remote access to the district’s network to work remotely are
required to submit a request for management approval.
The district’s System Development Lifecycle (SDLC) and its End-User Development standards
define responsibilities for ensuring appropriate controls are programmed according to
business needs and information security requirements.
IX. Information System Acquisition, Development, and Maintenance
In order to ensure data and software integrity, confidentiality, and availability, all new systems
(off-the-shelf or custom built) must be designed with security in mind. This is most effective
when security is planned and implemented throughout the entire life cycle. Access to system
files and program source code will be controlled and information technology projects and
support activities conducted in a secure manner. Technical vulnerability management will be
implemented with measurements taken to confirm effectiveness.
Districts should undertake the following initiatives as a baseline to secure information
system acquisition, maintenance, and development.
Encryption - Encryption should be used, where appropriate, to protect sensitive
information at rest and in transit. All remote access should be encrypted and secured (e.g., a
VPN tunnel). Remote access should only be granted when an established business need
exists.
Network and System Monitoring - Procedures should be in place to monitor and review
network and information technology systems. District Network and Security teams should
maintain and review various security and access reports regularly to ensure the security of
network and information technology systems. Some of the tools districts can employ to
verify and maintain IT security include Snort (intrusion detection), Nessus (vulnerability
scanning), Tracking System Access (TSA), and Nagios (system and service monitoring). Together
these tools can be used to determine whether inappropriate access has been attempted, to
identify weaknesses before they are exploited, and to detect outages. Any controls
deployed should be based on a risk analysis.
Data Access Review - Access to data should also be reviewed. A system like TSA should be
used to capture employee access to sensitive data. The system provides processes that can
be used by multiple applications to store tracking activity data. Additionally, this system
provides a process to archive the data.
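A data access review needs more than captured records; someone has to look at them for patterns a district would consider inappropriate. The following is an added example written for this page, not part of the original framework or of any TSA product. It assumes a hypothetical CSV export (who read which student record, when, from which building) and three hypothetical review rules: staff reading records of students at a building other than their own (unless they hold a district-level role), access outside business hours, and a burst of distinct student records read by one user in a short window. The sample log, the role list, the hours and the thresholds are all constructed for illustration and would be set from the district's own risk assessment.

```python
"""Review captured access to sensitive student data for anomalies.

Added example. The log columns, the privileged role list, the business hours
and the bulk thresholds are hypothetical stand-ins for whatever a district's
access-tracking system actually exports and whatever its policy defines.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real data): one row per read of a student record.
SAMPLE_LOG = """\
timestamp,user,role,building,student_id,student_building
2012-05-14T08:05:00,jsmith,teacher,Lincoln ES,S1001,Lincoln ES
2012-05-14T08:06:00,jsmith,teacher,Lincoln ES,S1002,Lincoln ES
2012-05-14T22:40:00,jsmith,teacher,Lincoln ES,S1003,Lincoln ES
2012-05-14T09:15:00,rlee,secretary,Roosevelt MS,S2001,Lincoln ES
2012-05-14T10:00:00,dmoore,registrar,District Office,S2002,Roosevelt MS
2012-05-14T13:00:00,pwong,teacher,Roosevelt MS,S2010,Roosevelt MS
2012-05-14T13:00:30,pwong,teacher,Roosevelt MS,S2011,Roosevelt MS
2012-05-14T13:01:00,pwong,teacher,Roosevelt MS,S2012,Roosevelt MS
2012-05-14T13:01:30,pwong,teacher,Roosevelt MS,S2013,Roosevelt MS
2012-05-14T13:02:00,pwong,teacher,Roosevelt MS,S2014,Roosevelt MS
"""

# Assumed policy parameters; a district would set these from its risk assessment.
DISTRICT_WIDE_ROLES = {"registrar", "iso"}   # may read records from any building
BUSINESS_HOURS = (6, 19)                     # 06:00 up to (not including) 19:00
BULK_THRESHOLD = 5                           # distinct students read by one user ...
BULK_WINDOW = timedelta(minutes=10)          # ... within this window is a finding


def parse_log(text):
    """Parse the CSV export into dicts with a real datetime in 'timestamp'."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        records.append(row)
    return records


def _bulk_readers(records):
    """Return {user: max distinct students read within BULK_WINDOW} for users
    who exceed BULK_THRESHOLD, using a sliding window over each user's reads."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    flagged = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["timestamp"])
        start = 0
        for end in range(len(recs)):
            # Advance the window start until it spans at most BULK_WINDOW.
            while recs[end]["timestamp"] - recs[start]["timestamp"] > BULK_WINDOW:
                start += 1
            distinct = {r["student_id"] for r in recs[start:end + 1]}
            if len(distinct) >= BULK_THRESHOLD:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged


def review_access(text):
    """Apply the three review rules and return a list of findings, each a dict
    with 'rule', 'user' and a human-readable 'detail' for the reviewer."""
    records = parse_log(text)
    findings = []
    for r in records:
        if (r["building"] != r["student_building"]
                and r["role"] not in DISTRICT_WIDE_ROLES):
            findings.append({
                "rule": "cross_building", "user": r["user"],
                "detail": f"{r['role']} at {r['building']} read {r['student_id']} "
                          f"({r['student_building']}) at {r['timestamp']:%Y-%m-%d %H:%M}",
            })
        hour = r["timestamp"].hour
        if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
            findings.append({
                "rule": "after_hours", "user": r["user"],
                "detail": f"read {r['student_id']} at {r['timestamp']:%Y-%m-%d %H:%M}",
            })
    for user, count in _bulk_readers(records).items():
        findings.append({
            "rule": "bulk_access", "user": user,
            "detail": f"{count} distinct students within {BULK_WINDOW}",
        })
    return findings


if __name__ == "__main__":
    for f in review_access(SAMPLE_LOG):
        print(f"{f['rule']:15} {f['user']:8} {f['detail']}")
```

Run against the sample, the review flags the secretary at Roosevelt reading a Lincoln student's record, the teacher's 22:40 read, and the five-student burst; the registrar's cross-building read is not flagged because that role is district-wide by assumption. The point for a district is that each rule encodes a decision the data owner has already made about who should be reading what, so findings go back to that owner, not to the technology team alone.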
Information System Acquisition and Development - Where a district is involved in the
purchase of applications or the custom development or adoption of applications to support
their business processes, it is strongly recommended that they adhere to the project
management procedures identified in the Project Management Body of Knowledge
(PMBOK) and include information security throughout the development and/or
procurement cycle from requirements gathering through implementation. Each
information system has an identified owner and each information system acquisition or
development project has an identified sponsor. Each system that is developed should have
clearly defined access needs, user authorization needs, separation of duties, and
accountability controls.
Maintenance of Information Systems - Information systems require ongoing maintenance
to remain both operational and secure. Maintenance changes to applications, middleware,
and hardware should be reviewed and approved to ensure all risk and impact (both to the
application and all downstream resources) are fully understood.
Once the baseline concepts have been established into the software development life-cycle,
additional goals should be established. These goals should occur at each stage of the lifecycle. Specific goals for each stage should be:
Project Initiation
Define sensitivity of information involved
Define criticality of system
Define security risks
Define level of protection needed
Define regulatory/legal/privacy issues
Functional Design
Determine acceptable level of risk
Identify security requirements and controls
Design Specification
Design security controls
Review designs
Software Development
Document security issues and controls
Test code as it develops
Release and Maintain
Review tests
Certify system
Constantly assess security position
X. Information Security Incident Management
An information security or privacy incident is a single, or series of, unwanted or unexpected
information security events that result in harm, or pose a significant threat of harm to
information assets, protected student data, or the organization’s infrastructure. Examples of
information security or privacy incidents include:
● Any incident relevant to the Oregon Identity Theft Protection Act
● Any incident relevant to FERPA
● Any incident relevant to the Health Insurance Portability and Accountability Act
(HIPAA)
● Lost or stolen documents containing sensitive information
● Conversation containing sensitive information overheard by unauthorized person
who discloses the information to the public
● A virus or worm has become widespread
● A keystroke logger has infected a workstation used to enter sensitive information
● Web site defaced
● Unauthorized access to information was gained
● Any kind of sabotage that affects information
● Denial of service attacks
The district will identify and document capabilities to respond to information security and privacy
incidents involving information in any form, whether electronic, paper, or verbal. At a
minimum a basic incident response plan includes:
● Primary point of contact for information security and privacy incidents
● Backup point of contact for information security and privacy incidents
● Identification of additional resources (district personnel, ESD personnel, ODE personnel)
● Process for reporting and responding to an information security incident
● Police department contact if the incident is criminal in nature
● Other information security and privacy incident resources
The following is a basic process for identifying and responding to an information security or
privacy incident:
1. Identify the event
2. Has protected data been lost, exposed, or disclosed? If yes, what type?
a. FERPA protected student data
b. Personally Identifiable Information as defined in the Oregon Identity Theft
Protection Act
3. Is the organization at risk of continuing to lose data?
4. Identify, document and execute steps to remediate the problem
5. Contact any of the following as necessary:
a. Oregon Department of Education
b. Police
c. Oregon Department of Consumer and Business Services (for losses involving data
protected under the Oregon Identity Theft Protection Act)
d. Other schools, districts, ESDs that may be experiencing the same issue
e. Others as necessary
6. Once the incident is resolved, conduct a lessons learned exercise to prevent repetition.
XI. Business Continuity Management
The purpose of business continuity management is to counteract interruptions to business
activities and to protect critical business processes from the effects of major failures of
information systems or disasters and to ensure their timely resumption. A business continuity
management process will be established to minimize the impact on the district and recover from
loss of information assets to an acceptable level through a combination of preventive and
recovery controls. A managed process will be developed and maintained for business continuity
throughout the agency that addresses the information security requirements needed for the
district’s business continuity.
Templates and examples of how to develop a district business continuity plan are available
at http://www.oregon.gov/DAS/EISPD/BCP/Forms_Examples.shtml
For more information about the district’s business continuity plan (BCP) please contact the
district superintendent’s office.
XII. Compliance
The design, operation, use, and management of information and information assets are subject
to statutory, regulatory, and contractual security requirements. Compliance with legal
requirements is necessary to avoid breaches of law, statutory, regulatory or contractual
obligations, and of any security requirements. Legal requirements include, but are not limited
to: state statutes, federal statutes and regulations, contractual agreements, intellectual property
rights, copyrights, and protection and privacy of personal information.
The following federal and state statutes and regulations apply:
Federal Regulations
● FERPA
● CIPA
● COPPA
● HIPAA
Oregon Revised Statutes (ORS) References
● ORS 326.565 Standards for student records; rules
● ORS 326.575 Records when student transfers or is placed elsewhere; notice
to parents; amendments to records; rules
● ORS 336.187 When school authorized to disclose information about student;
immunity of recipient
● ORS 343.045 Criteria for development and operation of special programs; rules
● ORS 343.155 Procedures to protect rights of child with disability; rules; content of
rules
Oregon Administrative Rules (OAR) References
● 581-021-0250 An Educational Agency or Institution's Policy Regarding Student
Education Records
● 581-021-0265 Confidentiality of Student Education Records
● 581-021-0270 Rights of Inspection and Review of Education Records
● 581-021-0330 Prior Consent to Disclose Information
● 581-021-0340 Exceptions to Prior Consent
● 581-021-0360 Conditions for the Disclosure of Information to Other Educational
Agencies or Institutions
● 581-021-0370 Conditions for the Disclosure of Information for Federal or State
Program Purposes
● 581-021-0371 Conditions for Disclosure of Information to Comply with Judicial Order
or Subpoena
● 581-021-0372 Conditions for the Disclosure of Information When Legal Action
Initiated
● 581-021-0380 Conditions for the Disclosure of Information in Health and Safety
Emergencies
● 581-021-0390 Conditions for the Disclosure of Directory Information
● 581-021-0391 Conditions for the Disclosure of Information to Juvenile Justice
Agencies
● 581-021-0400 Recordkeeping Requirements
● 581-021-0430 The Distribution of Rules Relating to Student Records
Reference (links to web pages)
Communications and Operations Management – ISO/IEC 27002:2005 (ISO_IEC_27002-2005.pdf)
Workstation Security Policy
(http://www.sans.org/securityresources/policies/200802_002.doc)
Sustainable Acquisition and Disposal of Electronic Equipment – Statewide Policy 107-009-0050 (http://www.oregon.gov/DAS/OP/docs/policy/state/107-009-0050.pdf?ga=t)
Business Continuity Plans,
http://www.oregon.gov/DAS/EISPD/BCP/Forms_Examples.shtml
District Policies – to be developed in separate document
District Administrative Rules – to be developed in separate document
Definitions
Asset - Any resource that could contribute to the delivery of a service that is tracked
via an asset tag and reported on annually for value.
Entity - Any business unit, department, group, or third party, internal or external to
the district, responsible for maintaining district assets.
Risk - Those factors that could affect confidentiality, availability, and integrity of the
district's key information assets and systems. InfoSec is responsible for ensuring the
integrity, confidentiality, and availability of critical information and computing assets,
while minimizing the impact of security procedures and policies upon business
productivity.
Roles and Responsibilities (to be developed)