Designing a High School Information Security Policy
written by: William Springer•edited by: Rebecca Scudder•updated: 7/6/2011
In these days of electronic gradebooks and attendance records, privacy and security are growing concerns for schools. What do you need to do to keep the kids out of your computer?
slide 1 of 3
High School Information Security Needs
When it comes to high school students, there are two things that are universally true. They generally know more about computers than their teachers, and they're generally interested in poking their noses where they don't belong. As such, high school networks need to be secured against students accidentally or maliciously making changes to grades or accessing other private information. Additionally, federal privacy laws mean that schools and teachers could be legally liable if sufficient efforts are not made to protect students' private information.
Image from xkcd.com comic strip; used under Creative Commons license.
slide 2 of 3
It should be obvious to everyone that sensitive information should be protected behind passwords; unfortunately, many passwords are terrible. In particular, people using a commercial system that comes with a default password have a destructive tendency to leave that password alone, meaning anyone familiar with the system can break in without difficulty. It should be school policy that any default passwords must be changed immediately.
At the other extreme, many companies lean towards making users memorize a hideously complex password containing uppercase and lowercase letters, numbers, special characters, minimum length, etc. The natural result - people write their passwords down! Do require secure passwords (hint: "password" is a lousy password!) but don't make them so complicated that people can't remember them! For similar reasons, you should let people choose their own passwords; semi-random passwords that have special meaning to the user are a lot easier to remember than random passwords chosen by the system!
Require passwords to be changed regularly, but not frequently; twice per year seems a reasonable timeframe unless there's reason to suspect that a password may have been compromised. Like most things in information security, this is a trade off; more time between changes means a compromised password has more chances to be misused, but less time leads to people having trouble remembering their passwords (which can lead to security issues if they write them down!)
slide 3 of 3
Social Hacking and Other Non-Techie Exploits
Of course, most attacks require no specialized knowledge. All it takes is for a teacher to step away from her computer for a moment while logged in, and a quick student can jump on and take advantage of the opportunity. Teachers should be instructed to always log out or lock their systems when leaving the computer for even a minute (on a Windows system, typing Windows-L will lock it). It's a good idea to have the computers set to automatically lock after a period of inactivity as well.
Kevin Mitnick, one of the most famous computer criminals of all time, did his hacking using social engineering, which essentially means convincing people to give you the information or access you want, rather than gaining it by technical means. Teachers and administrators should be instructed to never give their passwords to anyone, especially when they cannot verify the person's identity. Someone claiming to be from the IT department should have their own passwords; they do not need yours!