Working within a school requires handling paperwork, electronic records, and a wide variety of data. The data owners and school administration expect that sensitive data, including confidential, personal, health, and financial information, will be managed safely and securely. Here are five tips for keeping electronic and printed school information safe.
Frequently a data classification policy is in place to provide categories for classifying and labeling sensitive data and documents, so that they are protected properly according to their classification. For example, financial information could require encryption and limited access, while a newsletter regarding upcoming school activities may be public information and published on social media. Data classification can be based on legal requirements, the value of the data to the school, the criticality and sensitivity of the data, or a determination that the data is public information. Data classifications can change over the lifetime of the data. Let’s assume you are in a school that is researching adding another school campus. Originally, any information regarding opening another school could be classified as highly confidential to provide time for administrative research. Later, the data may become less stringently classified to provide information to those affected. Once the new campus has been approved, the data will become public and appropriate to release to the media for publication.
A clean desk is another non-techy way to protect data. Throughout the work day you may work on paperwork or view materials on your electronic device that should not be shared with others due to the sensitivity of the data and its data classification. When you leave your desk area, you need to think about how the paperwork and electronic device are protected to keep others from accessing sensitive information. Should you be clearing your desk of all sensitive materials and electronic devices? Can you lock the paperwork and electronic device up safely? If it is locked up, who else would still have access to the locked area? Would it be feasible to keep the paperwork and electronic device physically with you and under your protection? Being able to answer these questions about your work area will assist in protecting sensitive information.
The use of printers and shredders needs to be considered if policies allow printing of documents containing sensitive information. Prior to printing any sensitive information, consider whether you’re required to print the document or are doing so for convenience. A printed report provides an opportunity for sensitive data to be viewed or taken by someone who does not have the privileges to see the data. If you determine it is required to print the document, immediately retrieve it from the printer to limit the opportunity for anyone to view the document while it is sitting at the printer, and always store the printed document securely. Once the printed document is no longer necessary, dispose of the document in a manner that does not allow it to be reconstructed. Frequently, shredders or locked shred bins are available in the school to provide a secure disposal method. Remember to check your policies to confirm whether you can print sensitive documents and to know your responsibilities for protecting the printed material.
Annual awareness training for all faculty and staff on data classification, protection mechanisms, and staff requirements will provide the best data protection. Remember to provide training to new staff, since they may not be aware of the policies and what is considered sensitive information. If new staff are not informed, they will not be able to adequately protect sensitive data. If policies are in place, ensure all staff annually review the policies and understand their duties to protect data. Awareness can be reinforced throughout the year during staff meetings and internal communications.
Of course, there are multiple controls provided by information technology to assist in the transmission, processing, and storage of sensitive data. A few examples of the controls in place could include providing limited access to data, encrypting sensitive data during transmission and storage, physically and logically restricting access to devices and media containing sensitive data, monitoring and alerting on access to or transmission of sensitive data, and automatic secure deletion of data that has passed its retention period.
If you have questions about your school’s specific policies, be sure to contact your IT staff/department for details.
1: Data Classification article
Security through Education provides advice on data protection for schools: https://www.social-engineer.org/newsletter/information-security-protect-children-at-school/
Educause provides guidance for data classification: https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/resources/information-security-guide/toolkits/data-classification-toolkit