Data Privacy Trouble Spots - Tech Learning

Data Privacy Trouble Spots

Concerned about FERPA and HIPAA? Start by closing the gap on some commonly overlooked vulnerabilities.

Even though most districts have statements addressing the critical topic of privacy, when it comes to practice many unwittingly fall short. For today’s CIOs that could translate into serious legal, ethical, and social implications. Below are my “favorite” commonly missed vulnerabilities, along with tips for tightening up both your policy and procedures.

LET’S GET PHYSICAL

The Gap: Without good physical security, all of your staff’s efforts in protecting the network are pointless. In some districts, for example, servers are placed in multi-use closets that are easily accessible to multiple parties. Another physical security issue is the administrator-called-out-of-their-office-without-locking-the-door scenario. In this case, enterprising students who know staff members routinely leave their offices unlocked could easily create a situation ensuring they’re out of the office for 30 minutes or more—enough time to access grades, finances, and other personal data.

The Solution: For starters, servers and network equipment should be locked in dedicated network closets or server rooms. In administrative offices, set workstations to auto-lock after a short interval, preferably less than 5 minutes, but not so short administrators will curse you every time they must log back in. The issue of unlocked offices is trickier and will require some creativity on your part. One solution is to get your facilities department to put a decent “closer” on doors and then require they remain locked. Administrators can use a doorstop to keep the door open while they’re there; when they leave they simply kick out the stop and the door will securely lock behind them.

THROUGH THE SWITCHBOARD

The Gap: One of the easiest methods of gaining access to private information is via social engineering—what I call the “I want to know Jane Smith’s home address” scenario. Let’s assume I’m new in town and want the address of a student attending the town’s main high school. First, I search the school’s Web site for names (names frequently appear on school sports rosters and newspapers posted online). If I find Jane Smith, I call up the school, connect with an administrative assistant in the office, and indicate that I’m Jane’s father. Then I explain the family recently moved and ask the assistant to verify the school has our correct address by reading back to me what’s recorded in the database. You may not want to believe this works. However, in a test that played out almost exactly like this, a reporter I know stopped the staff member from giving out the address just as she began disclosing it.

The Solution: If you believe it can’t happen in your district, get permission to run this type of test and check for yourself. If you find this is a problem area, it’s time for some training for staff taking calls.

ONLINE DISCLOSURES

The Gap: Historically, most schools have sent out parent/student directories and newsletters using regular postal mail. Today, most schools will not publish a parent/student directory online; however, they will post the school’s newsletter. The problem here is that schools sometimes include directory updates in the print version of the newsletter, which are then inadvertently released to the general public when placed on the Web. Unintentional disclosures via standard e-mail are also a real possibility. Most e-mail is unencrypted and passes across various public servers before landing at the recipient’s server. If your district routinely transfers private information across the Net, you’re potentially sharing that information with various unknown parties.

The Solution: While there’s no silver bullet for preventing sensitive information from being posted on your Web site, one approach is to have a designated “privacy advocate” on staff review changes to your site before they go live. On the issue of e-mail security, possible solutions include not using e-mail, a politically difficult move; implementing a private internal e-mail system; or developing e-mail policies that maximize privacy—for example, stipulating that confidential e-mail may only be sent to internal e-mail addresses and that no user may auto-forward sensitive data to outside accounts.
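An added example, not part of the original article: one way to audit the two e-mail policy clauses above against exported mail data. It assumes confidential mail is marked with the `Sensitivity` header, that the district's mail domain is `district.example`, and that forwarding rules can be exported as (mailbox, destination) pairs; all addresses and messages are constructed samples.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumptions for this sketch: the district's own mail domain(s), and which
# Sensitivity header values the district treats as confidential.
INTERNAL_DOMAINS = {"district.example"}
CONFIDENTIAL = {"company-confidential", "private"}

def is_internal(address):
    # Exact domain match; subdomains must be listed explicitly.
    # An address with no "@" is treated as external (fail closed).
    return address.rpartition("@")[2].lower() in INTERNAL_DOMAINS

def external_recipients(raw_message):
    """Return the external recipients of a confidential message, else []."""
    msg = message_from_string(raw_message)
    if (msg.get("Sensitivity") or "").strip().lower() not in CONFIDENTIAL:
        return []
    fields = (msg.get_all("To", []) + msg.get_all("Cc", [])
              + msg.get_all("Bcc", []))
    return sorted({addr.lower() for _, addr in getaddresses(fields)
                   if addr and not is_internal(addr)})

def external_forwards(rules):
    """rules: (mailbox, forward_to) pairs exported from the mail system."""
    return [(box, dest) for box, dest in rules if not is_internal(dest)]

# Constructed sample: confidential message with two outside recipients.
SAMPLE_LEAK = (
    "From: registrar@district.example\n"
    "To: Counselor <counselor@district.example>, parent@mail.example\n"
    "Cc: vendor@sis-vendor.example\n"
    "Sensitivity: Company-Confidential\n"
    "Subject: Transcript\n\nSee attached.\n"
)
# Constructed sample: unmarked newsletter, outside recipients are allowed.
SAMPLE_NEWSLETTER = (
    "From: office@district.example\n"
    "To: parent@mail.example\n"
    "Subject: March newsletter\n\nHello families.\n"
)
# Constructed sample: one rule forwards outside the district, one does not.
SAMPLE_RULES = [
    ("principal@district.example", "principal.home@mail.example"),
    ("nurse@district.example", "frontoffice@district.example"),
]

if __name__ == "__main__":
    print("Confidential mail sent outside:", external_recipients(SAMPLE_LEAK))
    print("External auto-forwards:", external_forwards(SAMPLE_RULES))
```

The check only covers mail that senders have marked; unmarked confidential mail still depends on the training and review steps described above.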

NEXT STEPS

Keeping data private means continuously monitoring the activity of the staff you support and creating new policies, new training, and new solutions. As a starting point, I challenge you to close the loopholes I’ve noted above. Next, sit down for fifteen minutes and imagine other ways someone could acquire private information from your organization and close those holes as well. Every three months select a creative person on your staff to perform the same fifteen minute exercise. You’ll never close every gap, but you’ll improve your situation dramatically.

Eric Svetcov, CISSP, is president of Palint Technology, Inc. and former director of technology for St. Ignatius College Preparatory in San Francisco.

Wipe Out

Three ways to erase your district’s private data before donating PCs or sending them to their final resting place.

  • For Windows and Intel/AMD Linux users, Darik’s Boot and Nuke (dban.sourceforge.net) is a free program that cleans the hard disks of computers booting from a floppy. If most of your systems don’t have floppy drives, your IT staff can build a DBAN kiosk (any Intel/AMD PC with a floppy drive and free IDE and power cables) and run all drives through the one system.
  • Mac users through OS X v10.3 can take advantage of low-cost programs like Shred-it (www.shredit.com). With Mac OS X v10.3, it’s possible to erase the drive using utilities from the 10.3 CD. However, be prepared for it to take a while.
  • Write terms into your hardware purchase RFP that hold the vendor responsible for proper disposal of the machines, which includes wiping the hard drives clean.
