Commonly Asked Questions

Q. If an organization maintains physical, software, and user access security, isn't information security addressed by default?
Q. Isn't there software that can protect my information?
Q. Doesn't it make sense to just go ahead and encrypt all information?
Guidelines for security policy development can be found in Chapter 3.

Policy Issues

Perhaps more than any other aspect of system security, protecting information requires specific procedural and behavioral activities. Information security requires that data files be properly created, labeled, stored, and backed up. If you consider the number of files that each employee uses, these tasks clearly constitute a significant undertaking. Policy-makers can positively affect this effort by conducting an accurate risk assessment (including properly identifying sensitive information maintained in the system). They should also provide organizational support to the security manager as he or she implements and monitors security regulations. The security manager must be given the authority and budget necessary for training staff appropriately and subsequently enforcing information security procedures at all levels of the organizational hierarchy.

A final consideration for policy-makers is information retention and disposal. All information has a finite life cycle, and policy-makers should make sure that mechanisms are in place to ensure that information that is no longer of use is disposed of properly.

Information Threats (Examples)

As discussed more completely in Chapter 2, a threat is any action, actor, or event that contributes to risk. Examples of information threats include:
A countermeasure is a step planned and taken in opposition to another act or potential act.

Information Security Countermeasures

The following countermeasures address information security concerns that could affect your site(s). These strategies are recommended when risk assessment identifies or confirms the need to counter potential breaches in your system's information security.
Countermeasures come in a variety of sizes, shapes, and levels of complexity. This document endeavors to describe a range of strategies that are potentially applicable to life in education organizations. In an effort to maintain this focus, those countermeasures that are unlikely to be applied in education organizations are not included here. If after your risk assessment, for example, your security team determines that your organization requires high-end countermeasures like retinal scanners or voice analyzers, you will need to refer to other security references and perhaps hire a reliable technical consultant.

Transmit Information Securely (including e-mail):
Select only those countermeasures that meet perceived needs as identified during risk assessment and support security policy. Countermeasures like biometrics are probably beyond the realm of possibility (and necessity) in most, if not all, education organizations.
Present Information for Use in a Secure and Protected Way:
Back up Information Appropriately (see Chapter 4):
Many organizations prefer that users back up only their own data files--leaving software and operating system backups in the responsible hands of the security manager or system administrator.

Store Information Properly (see Chapter 5):
It Really Happens!

As Principal Brown's secretary, Marsha didn't have time for all the difficulties she was having with her computer--well, it wasn't really her computer that was having problems, but her most important files (and that was worse). Fed up with having to retype so many lost files, she finally called in the vendor who had sold the school all of its equipment. The vendor appeared at her office promptly and asked her to describe the problem.

"Well," Marsha explained, "I keep a copy of all of my important files on a 3 1/2 inch disk, but when I go to use them, the files seem to have disappeared. I know that I'm copying them correctly, so I just can't understand it. I don't know if it's the word processing software or what, but I'm tired of losing all of my important files."

The vendor asked whether it was possible that Marsha was using a bad disk. "I thought about that," she replied as if prepared for the question, "but it has happened with three different disks. It just has to be something else." Marsha reached for a disk that was held to the metal filing cabinet next to her desk by a colorful magnet. "You try it."

"That's a very attractive magnet," the vendor said as Marsha handed over the disk. "Do you always use it to hold up your disks?"

"Yes, it was a souvenir from Dr. Brown's last conference. I just think it's beautiful. Thanks for noticing."

"It is beautiful," the vendor replied, "but you know that it's also the root of all your problems. Every time you expose a disk to that magnet, it erases the files. That's just the way magnets and computer disks get along--like oil and water. Try storing the disk away from the magnet and your troubles, not your files, will soon disappear."

Dispose of Information in a Timely and Thorough Manner:
It Really Happens! Trent couldn't believe his eyes. Displayed before him on a monitor in the high school computer lab were the grades of every student in Mr. Russo's sophomore English classes:
All Trent had done was hit the "undelete" function in the word processing software to correct a saving mistake he had made, and suddenly a hard drive full of Mr. Russo's files was there for the taking. Luckily for Mr. Russo, his sophomores, and the school, Trent realized that something was very wrong. He asked the lab supervisor, Ms. Jackson, where the computers had come from.

"Most of them have been recycled," she admitted. "Teachers and administrators were given upgrades this year, so their old machines were put to good use in the labs. They should still be powerful enough to handle your word processing. Why?"

Trent showed Ms. Jackson what he had uncovered about the sophomore English students. She gasped, "Oh my goodness, they gave us all these computers without clearing the hard drives properly. I bet it's that way across the district. Trent, you may have just saved us from a potentially disastrous situation. That information is private and certainly shouldn't be sitting here for anyone in the computer lab to see. I've got some phone calls to make!"
Retaining data beyond its useful life exposes the organization to unnecessary risk.

Even if a vendor replaces a hard drive, require that the old one be returned so that you can verify that it has been cleaned and disposed of properly.
While it may be tempting to refer to the following checklist as your security plan, to do so would limit the effectiveness of the recommendations. They are most useful when initiated as part of a larger plan to develop and implement security policy throughout an organization. Other chapters in this document also address ways to customize policy to your organization's specific needs--a concept that should not be ignored if you want to maximize the effectiveness of any given guideline. The brevity of a checklist can be helpful, but it in no way makes up for the detail of the text.