Is your school's personal data at risk?
You have an obligation to protect your school's data from unauthorised eyes. Legal, ethical and pragmatic.
Your school's network contains a variety of data: student and staff records, emails, application services, memos, reports and more. Some of these data are private, some are somewhat sensitive and others are public. Classifying your data is an essential first step in protecting your students and staff from hackers, cyber-criminals and opportunists.
The moment that someone enters information – especially personal details - into your school's databases, you are responsible for ensuring that they remain private and confidential. Not only is this a responsible practice but it is the law under the Privacy Act. So if you get hacked and your data is compromised, you or your school could be liable for prosecution - not to mention your school's name in the papers for all the wrong reasons.
"Most tightly-regulated enterprises such as finance, healthcare and central governments have a pretty good handle on the types of data they hold and how sensitive they are," says Andrew Khan, Fortinet Senior Business Manager at Ingram Micro, New Zealand's largest distributor of Fortinet's security solutions. "But many schools don't really have a detailed plan to secure their private information.
"And it's not just personal information," he continues. "Any confidential reports, communications, strategic plans, reviews and the such, while not necessarily covered by privacy laws, should be kept away from prying eyes. And to complicate things, once you start storing data in the cloud or in third-party data centres, you start to lose control of your data stewardship authority. It can be unclear where your responsibilities start and stop.
Data classification
An important first step step you can take when securing your databases is to classify them. "Not all data carries the same level of sensitivity," notes Khan. "Some data, such as financial, student and staff records, need to be highly-protected.
Other files, such as internal communications, newsletters and announcements etc, are not nearly as sensitive. So there is no sense in treating all of your data the same. This data hierarchy can impact storage as well. Some data need to be stored for fast access 'in memory' while other data can be held in archives.
The key to all of this is metadata. "Metadata is information about information," explains Khan. "Well-designed and maintained metadata descriptors can have a huge positive impact on your data security strategy.
Metadata can contain fields for privacy and sensitivity (ie public, private, classified, highly-sensitive), date of capture, data lineage (ie what processing has been done to the data), levels of access (which roles can access and/or modify the data) and, importantly, when the data can be safely deleted.
Match the cost of data security / storage to their value
Storing and securing data is expensive. Best practices suggest matching your security/storage expenditures to the sensitivity of the data themselves. Metadata is the enabler for cost-effective and thorough data protection.
While the costs of storing and securing data are decreasing with new technologies, such as deduplication and security-as-a-service, they are still a major outlay. "Anything you can do to drive down your data protection overheads while ensuring highly-secure access for authorised staff is a smart move," concludes Khan.
"The tools are out there. It's just a case of knowing what to do and then making it happen. These issues will not go away, indeed they are becoming more critical. Securing you data is not an option, it is your paramount responsibility.
For further information, please contact:
Hugo Hutchinson, Business Development Manager at Ingram Micro
hugo.hutchinson@ingrammicro.com
P: 09-414-0261 | M: 021-245-8276
