Information security of educational institutions
The educational process involves the members of society least protected from propaganda: children and adolescents. Therefore, the information security system of an educational institution should not only ensure the safety of databases and the confidential information they contain, but also keep out of the school or institute any propaganda, whether illegal or harmless, that is meant to influence the consciousness of students in institutions of complete secondary general and higher education.
The concept of information security of an educational institution includes a system of measures aimed at protecting the information space and personal data from accidental or deliberate intrusion intended to steal data or change the system configuration. The second aspect of the concept is the protection of the educational process from any information that has the nature of propaganda prohibited by law, or any type of advertising.
The information protected by law that an educational institution holds can be divided into three groups:
- personal information concerning students and teachers, digitized archives;
- know-how of the educational process, which has the nature of intellectual property and is protected by law;
- structured educational information supporting the educational process (libraries, databases, training programs).
Theft is not the only risk to this information. Deliberate intrusion can compromise the safety of digitized books, destroy knowledge stores, and change the code of programs used for training.
Those responsible for the protection of information should keep the data intact and inviolable and ensure its:
- availability at any time for any authorized user;
- protection against any loss or unauthorized changes;
- confidentiality, inaccessibility to third parties.
Information security threats
A distinctive feature of the threats is that they come not only from hacker groups that deliberately steal information or damage data, but also from the activity of adolescents themselves, who can damage computer equipment or introduce a virus deliberately, with malice, or by mistake. There are four groups of objects that can be exposed to intentional or unintentional impact:
- computer equipment and other hardware that can be damaged by mechanical stress, viruses, or other causes;
- programs used to ensure the health of the system or in the educational process, which may be affected by viruses or hacker attacks;
- data stored both on hard drives and on separate media;
- the personnel themselves who are responsible for the operability of IT systems;
- children exposed to external aggressive informational influence and capable of creating a criminal situation at school. Recently, the list of such situations has expanded significantly, which indicates a possible targeted psychological attack on the consciousness of children and adolescents.
Threats aimed at damaging any of the system components can be either accidental or intentional. Threats that do not depend on the intention of staff, students or third parties include:
- any emergencies such as power outages or flooding;
- staff errors;
- software malfunctions;
- failure of equipment;
- problems in the operation of communication systems.
All these threats to information security are temporary, predictable and easily eliminated by the actions of employees and special services.
Intentional threats to information security are more dangerous and in most cases cannot be foreseen. The culprit can be a student, an employee, a competitor, or a third party intent on committing a cyber crime. To undermine information security, such a person must be highly qualified in the principles of operation of computer systems and programs. Computer networks whose components are located separately from each other in space are exposed to the greatest danger: disrupting communication between the components can completely undermine the system's operation. Copyright infringement, the deliberate theft of other people's developments, can also be a significant problem. Computer networks are rarely attacked from outside in order to influence the minds of children, but this is not excluded. The most serious danger is the use of school equipment to involve a child in crime and terrorism.
To penetrate the information security perimeter and steal information or disrupt the operation of systems, unauthorized access is required.
Unauthorized access methods
There are several types of unauthorized access:
- Human. Information can be stolen by copying it to removable media or forwarding it by e-mail. In addition, a person with access to the server can make changes to the databases manually.
- Program. To steal information, special programs are used that provide copying of passwords, copying and intercepting information, redirecting traffic, decrypting, making changes to the work of other programs.
- Hardware. It is associated either with the use of special technical means, or with the interception of electromagnetic radiation through various channels, including telephone.
SearchInform SIEM helps to keep track of what is happening in the company's IT system. The program automatically collects and displays key security events in a single interface, including attempts at virus attacks and unauthorized access.
The fight against various types of attacks on information security should be carried out at five levels, and the work should be comprehensive. There are a number of methodological developments that will help build the protection of an educational institution at the required level.
Regulatory method of information security protection
Russia has adopted the National Strategy for Action in the Interests of Children, which determines the degree of threats and measures to protect their safety. Limiting aggressive influence on the child's mind should be the main priority. Database security should come second.
Information protection is based on the laws in force in this area, which define the categories of information subject to protection. They identify the information that should be inaccessible to third parties for various reasons (confidential information, personal data, commercial, official or professional secrets). The procedure for the protection of personal data is determined, among other things, by the federal law "On Information" and the Labor Code. Together with the Civil Code, they help to develop a methodology for protecting information related to trade secrets. In addition to laws, the GOSTs in force in this area should be noted; they determine the procedure for protecting data, and the methods and hardware used for this purpose.
Moral and ethical means of ensuring information security
In the educational sphere, the system of moral and ethical values plays an important role. A system of measures to protect the teenager from traumatic, ethically incorrect, or illegal information should be based on it. To protect against propaganda, it is necessary to apply the norms of the Law "On the Protection of the Rights of the Child", which define the child's right to protection from information that can cause moral injury. Lists of documents, programs and other sources that can traumatize the psyche of children should be drawn up in order to keep them out of the educational institution. This will become one of the foundations of information security.
Administrative and organizational measures
This set of measures is entirely based on the creation of internal rules and regulations that determine the procedure for working with information and its carriers. These include internal information security procedures, job descriptions, and lists of information that may not be transferred. Additionally, a regulation should be developed that defines the procedure for interaction with competent authorities when they request certain data and documents.
In addition, these procedures should determine the order of children's access to the Internet in computer classes, the blocking of children's access to resources of an ambiguous nature, and a ban on the use of personal storage media. The use of parental control over Internet resources should be provided.
The management of the educational institution and employees of IT departments should be responsible for this system of measures and its implementation. It is unacceptable to shift the organization of measures for the physical protection of a computer network and media onto employees of hired security units. The physical measures should include a pass system for the premises containing information carriers, visitor access control, and the establishment of various levels of admission. Mandatory copying of important information to the disks of computers that do not have access to the Internet can also be counted among the measures of physical protection. It is imperative not only to set passwords, but also to change them regularly.
Integrated protection of the entire perimeter of a computer network should be provided by specialized software products, for example, DLP systems and SIEM systems that identify all possible security threats and apply measures to combat them. Educational institutions whose budget does not allow the implementation of professional systems need to use the permitted and recommended software protection measures, in particular antivirus software.
The use of SearchInform DLP in combination with SIEM solutions enhances the protection of the organization's information system and automates the work of the information security service.
Email that staff and students have access to must be monitored. It is also best to introduce a complete ban on copying any information from the hard drives of the educational institution's computers.
In addition, software must be provided to restrict the child's access to certain sites (content filters).
All measures should be applied together, and one or more persons responsible for the implementation of all aspects of information security must be designated. It is desirable to involve pupils' parents in this problem; in some cases they will help to audit security measures and recommend modern solutions. In addition, it should be the responsibility of the parents to limit the information that the child can receive at home. It is necessary to review the pages visited by the child. Based on an analysis of the child's searches, changes can be made to the list of sites to which access is restricted from computers installed in the educational institution.
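The content-filter review described above, as an added example that is not part of the original article: it checks visited hosts against a restricted-site list on whole DNS labels and tallies unreviewed hosts as candidates for the list. The log format, host names, and function names are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed lists: restricted domains and domains already reviewed and approved.
BLOCKLIST = {"blocked-games.example", "adult-content.example"}
ALLOWLIST = {"school.example"}

# Constructed proxy log lines: "<timestamp> <workstation> <requested host>".
SAMPLE_LOG = """\
2024-03-01T09:02:11 lab1-pc03 www.blocked-games.example
2024-03-01T09:02:40 lab1-pc03 notblocked-games.example
2024-03-01T09:05:02 lab1-pc07 library.school.example
2024-03-01T09:06:15 lab1-pc07 Unknown-Chat.example.
2024-03-01T09:07:48 lab1-pc04 unknown-chat.example
2024-03-01T09:09:30 lab1-pc04 cdn.adult-content.example
""".splitlines()


def normalize(host):
    """Lower-case and drop the trailing dot so 'Site.Example.' compares equal."""
    return host.strip().lower().rstrip(".")


def matches(host, domains):
    """True if host is a listed domain or a subdomain of one (whole labels only)."""
    labels = normalize(host).split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def review(log_lines, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Return (blocked request count, Counter of hosts needing manual review)."""
    blocked, pending = 0, Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of guessing
        host = normalize(parts[2])
        if matches(host, blocklist):
            blocked += 1
        elif not matches(host, allowlist):
            pending[host] += 1  # neither restricted nor approved: review it
    return blocked, pending


if __name__ == "__main__":
    blocked, pending = review(SAMPLE_LOG)
    print("blocked requests:", blocked)
    for host, hits in pending.most_common():
        print(f"review candidate: {host} ({hits} requests)")
```

Matching on whole labels keeps a look-alike name such as `notblocked-games.example` from being treated as restricted, so it surfaces as a review candidate instead.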