You are on page 1of 97

Instituto Nacional

de Tecnologías
de la Comunicación

Study on educational platform


safety measures

INFORMATION SECURITY OBSERVATORY


Instituto Nacional
de Tecnologías
de la Comunicación

Edition: June 2008

INTECO would especially like to thank the following for their assistance in
preparing this study:

This publication is the property of the Instituto Nacional de Tecnologías de la Comunicación (INTECO), and is licensed by
Creative Commons under a recognized non-commercial 2.5 Spanish license. It is therefore permitted to copy, distribute and
publicly communicate this work under the following conditions:
• Acknowledgement: The contents of this report many be reproduced either partially or in their entirety by third parties, as
long as they cite its origin and make express reference to both INTECO and its web site: www.inteco.es. This recognition
many not in any way imply that INTECO provides support to these third parties or supports the use they make of their
work.
• Non-commercial use: The original material and derivative works many be distributed, copied and exhibited as long as they
are not used for commercial purposes.
When reusing or distributing this work, the terms of its license must be made perfectly clear. Some of these conditions may not
apply if permission is obtained from INTECO, as the owner of the copyright. No part of this license reduces or restricts
INTECO’s moral rights.
Full license text:
http://creativecommons.org/licenses/by-nc/2.5/es/

Study on educational platform safety measures Page 2 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

TABLE OF CONTENTS

TABLE OF CONTENTS.......................................................................................................3

KEY POINTS .......................................................................................................................8

I What is an educational platform?..............................................................................8

II Why must an educational platform be made secure? ...............................................8

III Risk analysis .............................................................................................................8

IV Detected needs .....................................................................................................9

V Recommendations and proposals ............................................................................9

1 INTRODUTION AND OBJECTIVES...........................................................................10

1.1 Introduction..........................................................................................................10

1.1.1 National Institute of Communication Technologies ......................................10

1.1.2 Information Security Observatory.................................................................10

1.2 Study objectives ..................................................................................................11

1.3 Design methodology............................................................................................12

2 WHAT IS AN EDUCATIONAL PLATFORM? .............................................................15

2.1 Information and communication technologies in education .................................15

2.2 Categorisation problems .....................................................................................16

2.2.1 General structure and operation of an educational platform ........................17

2.2.2 Functions served by these platforms ...........................................................18

2.2.3 Types of platforms found..............................................................................19

2.2.4 The ideal platform: Academic and administrative management, digital


contents and communication ......................................................................................21

2.3 User profiles ........................................................................................................21

2.3.1 Students .......................................................................................................22

Study on educational platform safety measures Page 3 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

2.3.2 Teachers ......................................................................................................23

2.3.3 Parents .........................................................................................................24

2.3.4 Departments of education and educational inspection ................................24

2.4 Service provider profiles ......................................................................................25

2.4.1 Public administrations ..................................................................................25

2.4.2 Private companies........................................................................................25

2.5 Benefits associated with the use of educational platforms ..................................27

2.5.1 Developing a new instructional model ..........................................................27

2.5.2 Optimization of the academic and administrative management processes .29

2.5.3 Computer literacy in society, motivated by increasing use ..........................29

3 WHY MUST AN EDUCATIONAL PLATFORM BE MADE SECURE? ........................31

3.1 User expectations................................................................................................31

3.1.1 Students .......................................................................................................32

3.1.2 Teachers ......................................................................................................32

3.1.3 Parents .........................................................................................................33

3.1.4 School administration ...................................................................................33

3.1.5 Public institutions that play a role in education ............................................34

3.1.6 Publishing companies ..................................................................................35

3.1.7 Development advisors..................................................................................36

3.2 Security concepts: confidentiality, integrity and availability .................................36

3.2.1 Security controls...........................................................................................37

3.3 Relevant Spanish legislation ...............................................................................40

3.3.1 Organic Law 15/1999, 13 December, regarding the Protection of Personal


Information (LOPD) ....................................................................................................40

Study on educational platform safety measures Page 4 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

3.3.2 Law 32/2003, 3 November, regarding General Telecommunications ..........40

3.3.3 Law 34/2002, 11 July, regarding Information Society and Electronic


Commerce Services ...................................................................................................41

3.3.4 Law 59/2003, 19 December, regarding Electronic Signatures .....................41

3.3.5 Royal Legislative Decree 1/1996, 12 April, regarding the Intellectual Property
Law 41

3.3.6 Organic Law 1/1996, 15 January, regarding the Legal Protection of Minors42

3.4 Applicable regulations and best practices ...........................................................42

3.4.1 The ISO 27000 series of standards .............................................................42

3.4.2 Cobit .............................................................................................................43

3.4.3 National Institute of Standards and Technology (NIST) ...............................44

3.4.4 Bundesamt für Sicherheit in der Informationstechnik (BSI, German


Information Security Agency) .....................................................................................45

3.5 Security development and auditing methodologies .............................................45

4 RISK ANALYSIS.........................................................................................................47

4.1 Strong points found .............................................................................................47

4.1.1 Logical security ............................................................................................47

4.1.2 Access control ..............................................................................................48

4.1.3 Purchase and development .........................................................................49

4.1.4 Incidents .......................................................................................................50

4.1.5 Awareness ...................................................................................................50

4.1.6 Legislative compliance .................................................................................50

4.2 Vulnerabilities and other detected weaknesses and their impact ........................50

4.2.1 Training and awareness ...............................................................................51

4.2.2 Logical security ............................................................................................53

Study on educational platform safety measures Page 5 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

4.2.3 Access control ..............................................................................................53

4.2.4 Purchasing, development and maintenance ................................................54

4.2.5 Incidents .......................................................................................................55

4.2.6 Compliance with legislation and regulations ................................................55

4.3 Risk map .............................................................................................................56

4.4 Potential threats ..................................................................................................65

5 DETECTED NEEDS ...................................................................................................67

6 RECOMMENDATIONS AND PROPOSALS ..............................................................71

6.1 Sensitisation, training and information ................................................................71

6.2 Regulations .........................................................................................................72

6.3 Certification and standardisation .........................................................................72

6.4 Functionality ........................................................................................................73

6.5 Content security ..................................................................................................75

APPENDIX I: ORGANISATIONS INTERVIEWED.............................................................79

I Public administrations .............................................................................................79

II Departments of education .......................................................................................79

III Platform developers ................................................................................................79

IV Computer security companies .............................................................................80

V Associations ............................................................................................................80

VI Teachers, parents and students ..........................................................................80

VII Others..................................................................................................................80

APPENDIX II: RELEVANT LEGISLATION ........................................................................82

I Organic Law 15/1999, 13 December, regarding the Protection of Personal


Information (LOPD) ........................................................................................................82

Study on educational platform safety measures Page 6 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

II Law 32/2003, 3 November, regarding General Telecommunications .....................83

III Law 34/2002, 11 July, regarding Information Society and Electronic Commerce
Services .........................................................................................................................84

IV Law 59/2003, 19 December, regarding Electronic Signatures ............................84

V Royal Legislative Decree 1/1996, 12 April, regarding the Intellectual Property Law
85

VI Law 17/2001, 7 December, regarding Industrial Property ...................................86

VII Law 20/2003, 7 July, regarding the Legal Protection of Industrial Designs .........87

VIII Law 30/2007, 30 October, regarding Contracts in the Public Sector ..................87

IX Organic Law 1/1996, 15 January, regarding the Legal Protection of Minors ......88

APPENDIX III: BIBLIOGRAPHY ...................................................................................90

I Public administration ...............................................................................................90

II Associations ............................................................................................................92

III Academic studies ....................................................................................................92

IV Legislation and standards ...................................................................................93

V Security providers ...................................................................................................94

VI Qualitative methodology ......................................................................................95

LIST OF TABLES ..............................................................................................................96

Study on educational platform safety measures Page 7 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

KEY POINTS

I What is an educational platform?

In spite of the fact that there is an overall consensus when considering an educational
platform as an ideal tool for providing a learning space, the information, communication
and participation of different members of the educational community is not easy to define.

Furthermore, we are also faced with the difficulty of categorisation. Due to the many uses
and functions that these platforms have, platforms developed with freeware and
proprietary software coexist at the same time and in the same educational environment.

What also sets them apart is their internal development and structure, focused on the use
that different users want to make of them. As a result, we may distinguish among user
profiles (students, instructors, parents, departments of education and educational
inspectors) and service provider profiles.

Independently of these problems, what seems logical, as expressed by those experts we


interviewed, is that the development of these platforms depends on guaranteeing at least
four basic pillars: connectivity, the availability of technological resources and instructional
content, and teacher training.

II Why must an educational platform be made secure?

The main peculiarity of an educational platform lies in the massive use that minors make
of it.

The opinion of experts regarding the future of educational platform security is divided
between those that believe that the increase in its use is directly proportional to security
problems, and those that believe that we must be alert and adopt a proactive position.

Different guidelines exist regarding information security, from both a legislative point of
view and those related to good practices.

III Risk analysis

Faced with the diversity of threats that platforms experience or may experience, it is
necessary to estimate the probability of such threats coming to fruition and take into
consideration the damage that they would cause. Such an analysis allows us to contrast
the strong points (logical security, access control, purchasing and development, the lack
of incidents, awareness and compliance with legislation) and the vulnerabilities that are
characteristic of the platforms.

Study on educational platform safety measures Page 8 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

IV Detected needs

As a step prior to identifying the recommendations, INTECO proceeded to identify the


needs for each of the platform profiles, based on their development being intended to lead
to the development and/or restructuring of a useful, safe platform.

The needs have been developed from different scopes of action that will affect the
platforms, depending on the degree to which they evolve, and with awareness, training
and information, regulations, certification and standardisation, functionality and content
security in mind.

V Recommendations and proposals

At the root of the aforementioned needs, INTECO proposes a series of recommendations


aimed at the different stakeholders and users of educational platforms, as well as those
services that are inherent to them. These recommendations must be kept in mind when
establishing the criteria for designing platforms, developing and controlling their contents
and utilities, and ultimately using them, so that the currently existing levels of security may
be improved.

Study on educational platform safety measures Page 9 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

1 INTRODUTION AND OBJECTIVES

1.1 Introduction

1.1.1 National Institute of Communication Technologies


The National Institute of Communication Technologies (INTECO), a state corporation
promoted by the Ministry of Industry, Tourism and Commerce, is a platform for the
development of a Knowledge Society through projects in the fields of innovation and
technology.

They have a two-part objective: on one hand, to contribute to Spain’s convergence with
Europe in the Information Society, and on the other hand, to promote regional
development, through a project with global implications, which is taking root in Leon.

INTECO’s mission is to promote and develop innovation projects related to the


Information and Communication Technologies (ICT) sector, which improve Spain’s
position and contribute to its competitiveness, extending its capacities in both European
and the Latin American environments. In this manner, the Institute has the vocation of
being a innovative, public interest center of development on a national scale, which
constitutes an enriching initiative to disseminate new technologies throughout Spain, in
perfect tune with what is happening in Europe.

The corporate purpose of INTECO is the management, advisement, promotion and


dissemination of technological projects within the framework of the Information Society. In
doing so, INTECO acts within the strategic lines of Technological Security, Accessibility,
ICT solution innovations for small businesses, e-Health, and e-Democracy, among others.

1.1.2 Information Security Observatory


The Information Security Observatory forms part of INTECO’s strategic lines of operation
in the area of technological security. Its original objective is to describe in a detailed,
systematic manner the level of security and confidence that exists in the information
society and to generate specialised knowledge in this area. In this manner, it is at the
service of Spanish citizens, businesses and public administrations to describe, analyse,
advise and disseminate a culture of information security and e-confidence.

The Observatory has designed a plan of activities and studies with the goal of producing
specialised, useful knowledge in the area of security on behalf of INTECO, as well as
creating recommendations and proposals that define valid trends for future decision-
making by public leaders.

Study on educational platform safety measures Page 10 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

Within this plan of action, work is being performed in the areas of research, analysis,
study, advisement and dissemination, which involve the following strategies (among
others):

• The creation of our own studies and reports on the topic of the security of
information and communication technologies, with special emphasis on Internet
security.

• The tracking of the main indicators and public policies related to information
security and confidence at both a national and international level.

• The generation of a database which permits analysing and evaluating the security
and confidence over time.

• To promote research projects in the area of ICT security.

• The dissemination of studies and reports published by other national and


international bodies and organisations, as well as information about the current
national and European status in the field of security and confidence in the
information society.

• Advisement to public administrations in the area of information security and


confidence, as well as support in the creation, tracking and evaluation of public
policies in this field.

1.2 Study objectives

This report is set within the process of technological change in which society is currently
immersed, and into which the field of education is gradually being incorporated.

Concretely, it is the importance of educational platforms as tools for incorporating these


technologies in education that make it necessary to conduct studies that analyse security
in these new virtual work environments.

Faced with this emerging reality, INTECO has considered the need to conduct research
which would allow us to:

• Understand the point of view of the developers, providers and users of these on-
line educational platforms for children, focusing the study on the identification of
hazards and security solutions.

• To generate strategic lines for action and improvement with regards to the quality
of these services.

Study on educational platform safety measures Page 11 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

• To serve as a base for guiding and supporting decision-making by the


Administration in the area of e-confidence and information security.

In this sense, the study has a wide set of objectives that are specified by general,
operational objectives, the details of which are provided below.

General objectives

1) To achieve a global understanding about security on educational platforms.

2) To use a flexible, holistic, and contextualised process, from the perspectives of


different experts, companies developing solutions and other parties involved, to
identify the incidences and needs of the users with regards to on-line
educational platforms.

3) To define certain general recommendations concerning regulations, best


practices and safety guidelines related to the use and development of these
platforms.

Operational objectives

1) To obtain general information about educational platforms: their


conceptualisation, functionalities, users, etc.

2) To establish a typology for those educational platforms currently in existence,


and to define some of their characteristics.

3) To determine the level of security with which they are operated from the various
providers and platform developers, and compare this to that which is considered
to be optimal.

4) To detect the main risks in the area of security, as well as possible solutions to
be implemented.

1.3 Design methodology

The methodological process used to design the study is described below.

Research phase

The methodology used in this phase consists of three stages:

• Documentary search and analysis, where numerous studies and articles on a


national and international level have been considered.

Study on educational platform safety measures Page 12 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

• The administration of 29 detailed semi-structured interviews 1 and 20 self-


administered questionnaires to experts and key agents with successful
experience in on-line educational platform security, and with vast knowledge in the
sector. These interviews have been distributed among the following profiles 2 :

o The Spanish Public Administration (The Ministry of Education and Science;


the Ministry of Industry, Tourism and Commerce, and the departments of
education in the autonomic communities).

o Businesses specialised in the technological development of educational


platforms and/or security solutions for these platforms on a national and
international basis.

o Experts in computer security.

o National Security Forces and Administrations specialised in telematic


crimes.

o Associations dedicated to protecting minors from hazardous situations on


the Internet.

o Educational platform users.

• The holding of a discussion group with students from Secondary and Upper
Secondary School, of different ages, sexes and levels of technological
competence.

Analysis phase and the debate over the conclusions

Parallel to this, meetings were held with the goal of consolidating the information we
obtained during the previous phase, trying to perform a preliminary analysis and
classification of both the documentary sources and the information obtained from the
interviews.

For this purpose, and prior to writing the report, several team meetings were held, during
which the table of contents was developed, and a consensus reached regarding its final
validation and focus.

1
This consists of a dynamic communications process between two people, the interviewer and the interviewee, under the
control of the first party. The objective sought after is to obtain information that is as significant as possible about the subject
of our proposed analysis
2
Appendix I contains a list of all the organisations and professionals who were interviewed during the research phase.

Study on educational platform safety measures Page 13 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

Action recommendation phase

Based on the data from this last report, the recommendations and guidelines for action
were identified which were expressed by those experts interviewed, in order to establish
the potential scope and responsibilities that are necessary in the areas of self-regulation,
legislation, certification and standardisation for the creation and/or development of these
platforms; the sensitisation, training and information required by the users, and in a
general sense, other measures that public organisations must develop.

Study on educational platform safety measures Page 14 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

2 WHAT IS AN EDUCATIONAL PLATFORM?

The evolution of educational platforms is closely linked to the development of an


information and knowledge society, and more specifically, to that of the educational
systems, which tend to progressively adapt to the real needs of the working world.

Literacy is now recognised as a concept that changes over time, where the mastery of
cognitive processes and strategies takes on a greater relevance than the assimilation of
contents, and where there are no longer any space-time barriers to limit learning.

Within this innovative and changing framework, the option of generating virtual learning
environments based on Information and Communication Technologies (ICT) means being
able to respond comprehensively to the requirements imposed by a Knowledge Society
and the new needs of the educational environment. It is within this context of innovation
that the educational platforms are emerging.

2.1 Information and communication technologies in education

The incorporation of ICT in education has traditionally been influenced more by


technology than by pedagogy or instruction. In school, as in other environments, the
growing use of technology has been dictated by its evolution and development, and while
it has been applied to education for some time now, it has only been since the 1980s
when its use has become generalised.

The appearance of personal computers at the beginning of the 1980s and access to
specialised telecommunications networks, thanks to the Internet, have made possible the
worldwide exchange and access to sources of information, generating important changes
in the educational environment along with it.

Since the 1990s and continuing in the present, new technological resources have been
gradually incorporated, which makes the need to reconceptualise the traditional processes
and models of teaching and learning quite evident.

Presently, it would seem unthinkable to throw our youth into a global communications
culture without providing them with some training about when, how and why to use the
emerging technologies. The development of concepts such as “life-long learning,”
“learning how to learn,” etc., have meant that schools, as institutions, have had to modify
the traditional roles of teachers and students, and in many cases, begin to specify both
standardised and general criteria.

Study on educational platform safety measures Page 15 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

In Spain, the Organic Education Law (LOE) and royal decrees establishing minimum
learning competencies 3 have highlighted technological literacy as one of the basic
competencies that students must acquire. On a similar note, UNESCO has just published
the ICT competency standards for instructors 4 , with the goal that each country use these
guidelines in order to maximise teacher training in technology-related subjects.

The public business organisation Red.es, which is under the Ministry of Industry, Tourism
and Commerce, along with the Ministry of Education and Science and the different
departments of education in the autonomic communities, has launched different programs
intended to promote the incorporation and use of technology in non-university Spanish
public schools.

Specifically, they have promoted the programs Internet in the Schools (2002-2006),
Internet in the Classroom 5 (2005-2008), and Teach 6 (2007-2008), which are designed to
reinforce and complement the policies that support the non-discriminatory development of
the information society in educational environments, striving for territorial cohesion and
the sharing of initiatives among all the participating autonomic communities.

2.2 Categorisation problems

In spite of the fact that there is an overall consensus when considering an educational
platform as an ideal tool for providing a learning space, the information, communication
and participation of different members of the educational community is not easy to define.

Several recurring points stand out from the different explanations gathered during the
interviews 7 , allowing the formation of different definitions:

• Some, based on their origin and evolution, declare that its beginnings go back to
the start of e-learning platforms, and over time came to offer more services, in
such a way that these platforms may be considered as a concentration of efforts
made over the last few years by the educational community to find formulas to
renew the teaching-learning process.

• In their definitions, others highlight the value that they have as information systems
within educational centres, and more specifically, as services managing centres so
that they may relate to the educational community over the Internet.

3
Royal Decree 1631/2006, 29 December, which establishes the minimum instruction corresponding to Compulsory
Secondary Education, BOE, 5 January, 2007.
4
United Nations Organization for Education, Science and Culture (UNESCO) (2008): ICT Competency Standards for
teachers. On-line. Available at: http://cst.unesco-ci.org/sites/projects/cst/default.aspx
5
[Homepage]. Viewed 3 April, 2008 on the World Wide Web: http://www.red.es/actividades/Internet_aula.html
6
[Homepage]. Viewed 3 April, 2008 on the World Wide Web: http://www.red.es/actividades/ensena.html
7
It proved impossible to classify those interviewed who participated in the field work phase by their professional profile.

Study on educational platform safety measures Page 16 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

• From the point of view of their functionalities, they are conceptualised as


applications that allow the management of teaching-learning processes or virtual
or semi-distance learning courses, as well as performing all the academic and
administrative management functions.

• One last definition of the term, much more general in nature, would consider an
educational platform to be any portal belonging to the educational administration or
school: with on-line contents, used for academic management, educational
services (videoconferencing, on-line libraries, etc.), educational web pages and
blogs, etc.

In any case, the common denominator seems to define them as a tool whose design
and purpose is to respond in a comprehensive manner to the multiple needs that
are inherent in the life of an educational centre. It may even be considered that this is
a question of school organisation, in which technology may play a role.

2.2.1 General structure and operation of an educational platform


Educational platforms normally have a modular structure that makes it possible to adapt
them to the current status of the different educational centres.

Structurally, they have different modules that allow them to meet the management needs
that centres have at three broad levels: administrative and academic management,
communications management and the management of the teaching-learning process.

To accomplish this, these technological systems provide users with shared workspaces
designated for the exchange of contents and information, and they include communication
tools (chat rooms, e-mail, debate forums, videoconferences, blogs, etc.) and, in many
cases, they include a large repository of digital items for learning that have been
developed by third parties, as well as tools designed for generating the resources
themselves.

The operation of the platforms is intended to provide services to four profiles of users:
centre administrators, parents, students and teachers. Each of these profiles is identified
by means of a user name and a password, through which the users may access the
platform. This operating structure represents the creation of a workspace with closed,
controlled interactions, in which any hazardous situations the users might experience are
less severe than outside these spaces.

Study on educational platform safety measures Page 17 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

2.2.2 Functions served by these platforms


A learning platform has a set of hardware 8 , software 9 and support services that permit the
most effective work modes, both inside and outside the classroom.

Although these may vary considerably in their design and development, they must always
provide a series of functionalities (such as, for example, collaborative tools that stimulate
the idea of cooperation and interaction) and means for developing new work methods and
educational models that go beyond the simple use of technology as a tool.

If we analyse the main functionalities that are defined by its design, we find that there are
two fundamental applications:

1) Distance learning, when the educational process is not on-site.

2) Support and as a complement to classroom education.

Recently, educational platforms have also been used to generate spaces for discussion
and the construction of knowledge by research groups, or for implementing virtual
communities and learning networks by groups of people who are joined by a common
topic of interest.

With regards to its support functions in the teaching-learning process, some of the most
important are related to:

• Digital literacy in students, as well as teachers and families.

• Access to information, communications and data management and processing.

• The centre’s academic-administrative management: the secretary’s office, the


library, etc.

• Its instructional use to facilitate the teaching-learning processes.

• Communication with families and the community.

• Relations among instructors over networks and through virtual communities:


resource sharing, experiences, etc.

A more general analysis allows educational platforms to also be conceived and


conceptualised as:

8
Hardware: any physical component used to operate the platform (servers, hard drives, uninterrupted power supplies, load
balancers, firewalls, etc.)
9
Software: a set of programming code that makes it possible to perform a specific task.

Study on educational platform safety measures Page 18 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

• A means of expression and multimedia creation to write, draw, make multimedia


presentations, create web pages, etc.

• A space which generates and supports new instructional spaces.

• A channel of communication that facilitates interpersonal communications and the


exchange of ideas and materials within a collaborative environment.

• An open source of information and resources.

• A cognitive instrument that supports knowledge-building processes.

• An instrument for administrative and tutorial management.

• A tool for advising, diagnosing and tracking students.

• An instrument for instruction and evaluation that provides quick correction and
immediate feedback, reducing time and costs, while providing the possibility of
tracking students, etc.

2.2.3 Types of platforms found


There are currently a large number of educational platforms available. Some are
commercial products with an associated cost, while others are free tools that are usually
developed using open code, which permits modifying or adapting the different modules
they include by means of programming.

Based on the period of time in which these platforms have gained importance, it is to be
expected that their proliferation and improvement will increase at a considerable rate, and
over a short period of time. This is true for both platforms that are the results of initiatives
from the various departments of education as it is for those that have been created based
on initiatives from private businesses.

Platforms-portals belonging to departments of education

Over the last few years, each of the autonomic communities has made significant
investments in order to equip their educational centres with technological resources and
tools. Simultaneously with this effort, emphasis is being placed on digital literacy for all
members of the educational community.

All the departments of education are working with the objective of providing broad band
connectivity to educational centres and to extend both intra- and intercentre educational
networks, as well as equipping and incorporating them with new technological resources
and common spaces on the Internet, through the development of these educational
platforms.

Study on educational platform safety measures Page 19 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

In spite of the unquestionable importance of equipping centres with the necessary


technological means, the opinions collected in the interviews conducted with key
participants show that it is the teachers who are ultimately responsible for their
instructional used in the classroom. This is corroborated by the results of a study
conducted by Red.es and the National Centre for Educational Information and
Communication (CNICE) 10 . Based on a sample of approximately 20,000 teachers, the
data reveal that the main barriers identified to greater use are related, in one way or
another, with the figure of the teacher. They include: i) the lack of ICT and platform
training, ii) the lack of time to learn, iii) the lack of support from within the centre and iv)
the lack of tools.

This reality has been understood by the different departments, which are carrying out
significant and varied teacher training initiatives, as well as different projects and contests
that encourage instructors to create resources that may then be shared in common
repositories.

In addition, a careful revision of the existing educational platforms on a national scope,


which has been promoted by the educational administrations, shows us that there is a
certain tendency to use free software in their development. The access logic and functions
is similar for all platforms, and generally speaking, the opinions of the developers reflect
that security is adequate, considering the degree to which they are used.

Private initiatives

There are also several platforms on the market that have been developed by private
businesses. Their functions are intended to support the required curriculum, trying to
innovate and improve the teaching-learning processes. In addition, they provide the
centres with efficient tools for academia and administrative management, and constitute
powerful channels that aid communication and the exchange of information among the
different agents in the educational field. In this case, the applications have normally been
developed using proprietary software.

For a short time now, we have observed a great proliferation of solutions intended to
facilitate communications between the family and the school. However, it is much more
difficult to find platforms that integrate digital contents that are adapted to the student
curriculum.

10
Red.es and the Centro Nacional de Información y Comunicación Educativa (CNICE) (2007): Informe sobre la
implantación y uso de las TIC en los centros docentes de Educación Primaria y Secundaria (curso 2005-2006). [Report on
the implementation and use of ICTs in Primary and Secondary schools (2005-2006 school year).] Madrid. On-line. Available
at http://www.oei.es/TIC/DocumentoBasico.pdf

Study on educational platform safety measures Page 20 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

2.2.4 The ideal platform: Academic and administrative management, digital


contents and communication
When defining what may be understood by a complete educational platform, there is a
general consensus that the ideal platform must permit the joint management of all an
educational centre’s needs related to administrative and academic tasks, communication
among the different members of the educational community and instructional support.

It has been demonstrated that there are very few platforms that implement all three
functions. At this time, the communications module is the one in highest demand by the
centres, while the least developed is that corresponding to content. In one form or
another, all the centres have some sort of tool that facilitates administrative and academic
management.

It should also be noted that the majority of those interviewed have stated that, in order to
take maximum advantage of these platforms, it is necessary to pay attention to and
guarantee four basic pillars: connectivity, the availability of technological resources and
instructional content, and teacher training.

While without a doubt, there is an enormous potential to be derived from having platforms
that manage all the abovementioned actions in an integrated manner, we must not forget
that, along with the development of new functions, we may also see increased security
risks (given that they will contain more and more sensitive information).

With regards to this point, expert opinions are once again divided among those who do
not anticipate greater security problems in the future and those that believe that we must
be alert and take a proactive stance, not waiting for incidents to make us aware of the
need to generate more secure systems. What both groups do agree on is that a serious
security breach would damage the credibility of these tools and would halt development in
the sector.

2.3 User profiles

Until a short time ago, the use of educational platforms was normally seen in centres with
a long history in ICT, teachers that used them for their own training and university
environments. This is changing, however. Presently, it has been recognised that they are
a powerful tool which can benefit all members of the educational community.

The incorporation and use of these platforms in the field of education has not occurred in
all sectors equally. Based on general statistics regarding ICT use 11 , we can see that they
are used more in the public sector than in the private, and more in Secondary school than
in Primary school. These data are also repeated in countries like the United Kingdom,
11
Red.es and the National Centre for Educational Information and Communication (CNICE): óp. cit.,10.

Study on educational platform safety measures Page 21 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

where the data also reflect a certain resistance among teachers to integrate technological
advances in classroom activities. Specifically, it has been calculated that approximately
20% of teachers habitually use these platforms and 40% use them sporadically 12 .

In any case, what is commonly accepted is that a learning platform that is incorporated
into the working practices of a school may offer a wide range of benefits to teachers,
students and parents, and at the same time, support the processes of organisation and
management within the centre.

2.3.1 Students
Today’s students form part of a generation that was born with technology. The majority
have in common their taste for ICT and are active users of educational platforms in both
the school environment and at home, in their free time.

The main use they make of these resources is playing, communications (instantanea mail,
chat rooms, forums, e-mail, etc.) and, more recently, as a work tool. They still strongly link
the concept of technology with playing, perhaps because this was its purpose in the
beginning. Currently, they are starting to become aware of its value in supporting their
learning, something contributed to by the incorporation of these platforms in the teaching-
learning processes.

On the other hand, both the opinions collected from experts on the use that children and
young people make of technology and the studies we have reviewed demonstrate that
differences exist in the manner in which Internet is used, depending on gender: boys
primarily prefer on-line games, while girls tend to prefer communications pages, those
involving interaction 13 , etc.

The impressions we gathered show that students, in many cases, are self-taught with
regards to technologies, one step ahead of their teachers and parents, who due to
generational differences, have not had these experiences or training. The result of this is
that in the area of security, the information they receive comes primarily from the
experiences of their friends and their own common sense.

A study 14 conducted by the Association Prótegeles [Protect them], demonstrates that


minors of both sexes are equally misinformed about the basic safety rules for surfing the
Internet: 55%, in the case of girls, and 53%, in the case of boys.

12
[Homepage]. Viewed 3 April, 2008 on the World Wide Web: www.becta.org.uk/research
13
APCI and Protégeles (2002): Seguridad infantil y costumbres de los menores en Internet. [Childhood safety and the
habits of minors on the Internet.] On-line. Madrid: The Child Advocate in the Community of Madrid. Available at:
http://www.protegeles.com/costumbres.asp
14
APCI y PROTÉGELES, op. cit.,13.

Study on educational platform safety measures Page 22 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

2.3.2 Teachers
The most customary profile for a teacher is that of a professional who has been trained
within a context where ICT did not exist or was integrated into classroom activities as an
element of support to the teacher's explanation. For the youngest teachers, computer
science was part of the official curriculum, taught as a separate subject.

This personal experience, together with the fact that most of the teachers have not
received specific training in how to integrate ICT in the classroom during their university
studies, fundamentally results in this professional group generally having little theoretical
knowledge and practical experience in how to implement them efficiently into their daily
tasks 15 .

The opinions reveal that, as platform users, they use them mainly as an educational
resource for working with their students in class, and on an individual level, for their own
personal training.

Over the last few years, however, the increased need to incorporate technology into the
teaching-learning processes is such that most departments of education have created the
position of the ICT coordinator. The instructor who takes on this responsibility in each
centre is freed from a certain percentage of his teaching load in order to invigorate and
lead these processes among his colleagues. Some of his main functions are:

• Coordinating and energising the curricular integration of information and


communication technologies.

• Creating proposals for the organisation and management of technological means


and resources, as well as overseeing their fulfilment.

• Advising the teaching staff regarding curricular materials in multimedia formats,


about their use and strategies for incorporating them into instructional planning.

• Analysing the centre’s needs in the area of ICT.

• Collaborating with the coordination structures in the ICT field that have been
established, in order to guarantee coherent actions at the centre, and in order to
incorporate and disseminate successful initiatives.

• Supervising the installation, configuration and uninstallation of curricular software.

15
Sigales, C. (2004): Formación universitaria y TIC: nuevos usos y nuevos roles. [University training and ICT: new uses and
new roles.] On-line. Available at: http://www.uoc.edu/rusc/dt/esp/sigales0704.pdf

Study on educational platform safety measures Page 23 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

• Managing the network: registering and removing users, managing permissions,


solving minor incidents, etc.

From all perspectives, it is an undeniable fact that a key element for incorporating
platforms and for methodological change is, without a doubt, the teacher. Currently, a
clear commitment is being made in this area, with regards to the provision of resources
and training, from the different educational administrations.

2.3.3 Parents
When analysing the profile of parents as technology users in general, and more
specifically as educational platform users, there are several points that stand out.

First, almost all of the opinions gathered from associations, security experts and
educational administrations describe them as not being knowledgeable about ICTs, which
means that in most cases, they cannot control what their children are doing in front of the
computer. In spite of the fact that they play a fundamental role when warning their children
about hazardous situations, in all reality, their actions are usually limited to prohibiting
them from viewing sexual or violent content on television, without being aware of what
they see or are exposed to while surfing the Internet.

Furthermore, as platform users, most affirm that they use them as a means of
communication that allow them to participate in their children’s teaching-learning process.
However, they recognize that the degree of their implication and use is still far from being
optimal and adequate.

All these aspects demonstrate the need for parents to receive training aimed at sensitising
them about security problems, since in this area, a key task is increasing awareness on
the part of families. Along these lines, it has been observed that parents are asking for
environments where their children may play and learn in an autonomous, safe manner,
without being exposed to the immensity of the Internet. Educational platforms are
beginning to be these virtual spaces for learning and interaction that are being demanded.

2.3.4 Departments of education and educational inspection


Another possible user profile that may reveal multiple functionalities in educational
platforms are those public administrations that have jurisdiction over educational topics,
and more specifically, educational inspection units, in so far as they need real academic
data about the students registered at a particular centre. They frequently have to request
information from the centres in order to find out about the real situation and make
decisions in matters like registration processes, school attendance, the awarding of
scholarships, results statistics, etc. All these requests for information tend to complicate
the normal dynamics of the way these centres operate, and require extra administrative
effort.

Study on educational platform safety measures Page 24 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

The use of educational platforms that manage all the administrative and academic
information for students in a comprehensive manner, establishing standards for
exchanging data result in a decreased work load for the centres themselves, and would
make decision making and the internal management processes for the educational
authorities much more streamlined.

2.4 Service provider profiles

2.4.1 Public administrations


Over the last few years, the Public Administration has made a clear commitment to
achieving the integration of ICTs in the educational sector. Along these lines, different
initiatives and actions are being undertaken, such as equipping centres and/or improving
infrastructures, developing educational portals-platforms, creating different organisations
that work to promote the incorporation of these resources in education, organising training
courses for educators and developing digital multimedia content, etc.

The intent is for the Internet to be used as a means of intercommunication among the
members of the school community, as an access point to a large bank of specific
resources for an area or subject, as an door to collaborative workspaces that, in some
cases, extend the classroom beyond the physical space defined by the educational centre
itself.

The fruit of all this effort is that platforms have been designed that meet the needs of the
members of the educational community. Currently, there are vastly different conditions on
the Spanish scene. There are many differences in the areas of the functions and services
that they offer, the development technologies and the degree of interdependence of the
modules they consist of.

Generally speaking, the topic of security on these platforms is not a question that
generates concern, as the level of incidents is practically zero. Furthermore, this is a
responsibility that, in most cases, has been guaranteed by contracting specialised
external personnel. They believe that the initiatives that are being created meet the needs
of the developments that are currently in place, and that in any case, they are
guaranteeing work environments with a very low level of risk.

2.4.2 Private companies


Over the last few years in the private sector, a number of companies have appeared that
propose technological solutions for the needs of the educational sector. The main
companies interested in ICT integration, as well as furnishings and installations are the
following:

Study on educational platform safety measures Page 25 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

• General use hardware distributors (network systems, computers, tablet PCs,


printers, PDAs, etc.).

• Distributors of hardware designed for training-communication environments


(video projectors, fixed and portable interactive digital boards, etc.).

• Telephone service providers.

• Internet service providers. Different companies that provide Internet access


services: hosting 16 , housing 17 , etc.

• General use software designers (operating systems, application software, etc.)


At this time, there is a strong struggle between developments made with
proprietary software 18 and freeware 19 .

• Educational software developers. In addition to specialised companies, many


textbook publishing companies have created a development and digital content
department. They create programs for managing centres, e-centre platforms,
multimedia instructional materials and, in some cases, content platforms on a
network.

Presently, a trend has been observed towards grouping different companies together in
order to provide educational institutions with comprehensive solutions to their needs. This
has resulted in the first platform developments on the market that meet the three great
needs of educational centres (academic and administrative management,
communications and support for the teaching-learning processes 20 ).

With regards to security issues, once again, the idea commonly recorded is that it is
necessary to pay closer attention to this aspect as the functions of these platforms
increase and as they manage more sensitive information: scholarship applications, bank
information, psycho-pedagogical reports, etc.

16
Hosting: This is a service that provides Internet users a system to store information, images, video or any other content
that is accessible over the web.
17
Housing: This is a service that consists of renting a physical space in a data centre where the client may place his own
computer. The company provides him with an Internet connection, but the server is chosen by the client, as is the hardware.
This is a mode of web hosting designed mainly for large companies and web service companies
18
Proprietary software: The ownership of this type of software remains in the hands of the person who has its rights, and not
in the hands of the user, who may only use it under certain conditions.
19
Free software (freeware): This type of software has an open-source code, which permits the user to run it for any
purpose, study how it works and adapt it to his needs, as well as distribute copies, improve upon it and release these
improvements to the public.
20
More information is avaliable in Section 2.2.1: General structure and operation of an educational platform.

Study on educational platform safety measures Page 26 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

2.5 Benefits associated with the use of educational platforms

In spite of the undeniable social impact of ICTs, we still do not have any definitive
guidelines for integrating them at each educational level 21 . In general, it is true that their
use in educational centres has been on the increase, as indicated by numerous
quantitative indicators 22 (there are more computers in the classrooms and more Internet
connections, and the students use this technology in class) during longer periods of time,
however the educational results associated with the use of technology has yet to be
quantified.

Most research conducted on the impact of ICTs in education points out, as a first step, the
need for theoretical models to guide their use.

2.5.1 Developing a new instructional model


As part of the process of working computers into the classroom, ICTs may help teachers
by reinforcing or transforming their teaching and educational practise. Synthesising, we
may distinguish between two alternative models or conceptions of teaching: the
transmissive model and the constructivist model.

• Transmissive model. The objective of education is for the student to learn


certain pre-established contents, for which he will be responsible on an evaluation
exam. In this model, ICTs serve as an aid in the process, contributing as the
student adds to the information, does exercises or establishes some sort of
interactive relationship 23 .

• Constructivist model. Based on the constructivist conception of learning, whose


roots lie with such authors as Dewey, Bruner, Piaget and Vigotsky. It places the
main emphasis on constructive mental activity on the part of the student in his
discovery processes (Marchesi and Martín, 2003). From this focus, the objective is
to learn with technology, not about technology. The programs used strive to match
the student's cognitive function, in addition to facilitating his autonomous activity 24 .

Full incorporation of technology would mean developing new educational models,


requiring a modification of the teacher-student roles. Some of the main characteristics
include:

21
Newhouse, P. (2002): Literature review. The impact of ICT on learning and teaching. Western Australia, Specialist
Educational Services.
22
Red.es and Centro Nacional de Información y Comunicación Educativa (CNICE), op. cit.,10.
23
Marchesi and Martín (2003): Tecnología y aprendizaje. Investigación sobre el impacto del ordenador en el aula.
[Technology and learning. Research on the impact of computers in the classroom.] SM Group.
24
Lajoie (2002): Computers as cognitive tools. Hillsdale, Erbaulm.

Study on educational platform safety measures Page 27 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

• Student centred. The teacher would cease to be an instructor who has mastered
a certain set of knowledge in order to become a facilitator and a mediator in the
teaching-learning process, in such a way that students are capable of attaining
knowledge on their own. In other words, an evolution occurs from an educational
scheme based on merely transmitting knowledge to a new scheme in which the
student studies the information provided by the instructor in greater depth through
individual or group work.

Furthermore, today’s society will demand that the student be an intelligent and
critical user of the multitude of information that he will need to manage. To reach
this goal, he will need to acquire new skills, which nowadays are referred to as
“competencies”.

• Competency development. In line with the proposals made by the European


Union, the publication of the Royal Decrees for the Development of Minimum
Instruction as part of the Organic Law of Education has meant the inclusion of
basic competencies in the official curriculum.

This inclusion has several intents: i) to integrate learning, both formal (that forming
part of the curricular areas and subjects) and informal and not formal; ii) to
promote contexts in which students may integrate their learning, relating them to
different contents and using them effectively to solve problems in different
situations and contexts, and iii) to guide instruction and inspire decisions related to
the teaching and learning processes.

One of these competencies whose acquisition must be achieved by the time a


student finishes Compulsory Secondary Education is information processing and
digital skills. This implies that the student has achieved becoming an autonomous
person, who is effective, responsible, critical and reflective when selecting,
processing and using information and formats, as well as having achieved a
critical, reflective attitude when evaluating the available information.

• The individualisation of the teaching process. With the incorporation of the


ICTs, one of the main purposes that was sought was to provide a real solution to
diversity and heterogeneity in the classroom. Its use allows us to adapt instruction
to the learning rate for each student, as well as perform a personalised tracking of
his evolution.

The professional profile of the instructor includes, even today, competencies for
knowing the capacities of his students, designing interventions focused on their
activities and participation, evaluating resources and materials, and if possible,

Study on educational platform safety measures Page 28 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

creating his own instructional media, or at least adapting existing media in


response to the real diversity of his students.

• Learning how to learn, life-long learning 25 . There is a general consensus


regarding the importance of using technology as a tool that allows a change to
occur in the very conception of education, where the key strategy for learning is
“learning how to learn.”

“An educated person will not be considered so based on fixed knowledge he


possesses in his mind, rather based on his capacities for knowing what he needs
at any given moment…an illiterate person will be anyone who does not know
where to turn to in order to find the information he needs at any given time, in order
to solve a specific problem” (Colom).

• Greater implication of families in the teaching-learning processes. Another


great advantage of educational platforms is that, thanks to communications
modules, they enable families to track their children’s learning processes.

2.5.2 Optimization of the academic and administrative management processes


In addition to all the instructional improvements described in the previous section, the
implementation of a comprehensive educational platform must mean a clear optimisation
of the many processes associated with the operation of an educational center.

The improvements must be focused on the inner workings of the centre itself: more
efficient management of the administrative workload and educational resources;
improvements in internal communications, etc., as well as externally: greater parent
involvement in life at the centre and in the learning processes; the simplification of routine
administrative tasks involving families, such as authorisations or information requests; the
standardisation of language and the flow of information, etc. For these latter
improvements to occur, it is necessary to establish standards, especially with regards to
the exchange of information.

2.5.3 Computer literacy in society, motivated by increasing use


Due to the large number of citizens who are potential users of educational platforms,
another great benefit that they may have (if their use is expanded) is the contribution they
make to computer literacy in society.

The possibilities presented by ICTs make the undeniable relationship between innovation
and computer literacy in the population at large patently obvious. Its expansion into all

25
Marchesi y Martín (2003): óp. cit.,23.

Study on educational platform safety measures Page 29 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

areas and levels of society has occurred very quickly, and is an ongoing process, as new
elements of technology are constantly appearing.

The progressive reduction in costs for the majority of technological products, the result of
increases in production volumes and the optimisation of manufacturing processes, is seen
in prices and allows us to receive more features for the same money. This facilitates the
inclusion of these powerful technologies in all human activities and in all socioeconomic
environments 26 .

Along this line of growth, development and the rapid diffusion of educational platforms
seems to contribute to the process of enriching and educating society about the use of
new technologies. It is an unquestionable fact that scientific and technological advances
have been converted into true social advances when they have become popularised.

26
Marqués, P. (2005): Las TIC y sus aportaciones a la sociedad. UAB

Study on educational platform safety measures Page 30 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

3 WHY MUST AN EDUCATIONAL PLATFORM BE


MADE SECURE?

Educational platforms, like any other software application, must meet certain minimum
security standards that ensure their correct operation so that they are available when
needed, there are guarantees that all information is processed adequately and that only
authorised people can access them.

The main peculiarity of an educational platform lies in the massive use that minors make
of it. For any other application, there is a group of users that may be further divided into
groups according to their needs and attributes. However, in this case, a very significant
part of this group are minors, and therefore we must be very careful with the information to
which they have access and which is collected from them, in order to comply with the
letter of the law and reduce risks and prevent potential incidents.

3.1 User expectations

As we have seen, the potential users of these platforms include all the participants in the
educational community: school administrators, students, teachers, parents, the public
administration, etc. In addition to these end users, both developers and personnel
providing support to these tools are very interested in them having an adequate security
level.

In general, all these users have a very concrete vision of what to expect from platforms in
the area of security. In broad terms and with different nuances, all agree that:

• Information and personal data must not fall into the hands of unauthorised users,
or even into the hands of those that the information does not concern. For
example, one student's grades should not be visible to another's parents.
Independently of the legal importance that this bears, information handled in an
educational environment is very sensitive for its users, which is why preserving
confidentiality is fundamental.

• Access control must be reliable. Inappropriate information must not be able to be


accessed, only that related to the work and activities that are performed on a
regular basis, in order to prevent someone from fraudulently using the information
we store.

• Platforms must be available whenever they are needed, due to the many problems
that arise when this is not the case: cancelled classes, work not handed in,
delayed administrative tasks, etc. Given that they are used for the daily work of
many people, it is fundamental that the applications be free of malfunctions related

Study on educational platform safety measures Page 31 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

to availability. If a teacher who has prepared a class cannot access this


information when it comes time to deliver it, or when it comes time to prepare a
project, he cannot access the tools, this may noticeably reduce degree to which
these platforms are used.

• Platforms must be reliable and easy to use, so that any of the users, no matter
how low their level of computer knowledge is, may effectively and efficiently use
the resources available. In addition, due to the fact that users give a lot of
credibility to what appears on computer systems in educational environments, it is
important that the information stored on them be correct, complete and reliable.

However, when we go into greater detail, we observe that each group of users has
different uses and interests, which also results in different expectations.

3.1.1 Students
The use of platforms by students is closely linked to the use their teachers make of them
in the classroom, and to the technological and instructional resources that their school
has. They are normally limited to being receivers of materials suggested to them by their
teachers, which makes their role very limited. However, they are a sector of the population
that uses the computer at home in high percentages (92.4% of homes have a computer 27 ,
from which they connect to the Internet for different purposes, in many cases, on a daily
basis 28 ), and they are quite familiar with the Internet and communications tools, which it is
to be hoped that platforms may be used in the same manner.

Their main security expectations are:

• Confidentiality in communications.

• Correct, reliable information.

• Available applications.

• Secure and easy access.

3.1.2 Teachers
Teachers are the main motors behind the use of platforms. They expect them to provide
the tools that facilitate their class preparation and the transmission of knowledge to the
students. They use them to prepare content material and design new ways of delivering
27
INTECO: Estudio sobre la seguridad de la información y e-confianza de los hogares españoles. [Study on information
security and e-confidence in Spanish homes.] Primera oleada (diciembre de 2006-enero de 2007). On-line. Available at:
http://www.observatorio.inteco.es
28
European Commission: Directorate-General Information Society and Media: Safer Internet For Children Qualitative Study
In 29 European Countries - National Analysis: Spain. April 2007.

Study on educational platform safety measures Page 32 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

instruction, in addition to solving issues related to academic management easily and


effectively. In meeting these expectations, the tools must be easy to use and not have
problems related to availability. As teachers perceive the different uses that these
resources may have, they increase their use 29 .

Their main security expectations are:

• The confidentiality of data and information.

• Application availability.

• The reliability of information.

• The confidentiality of communications.

• Secure access control.

3.1.3 Parents
Parents, in general, have a lower level of knowledge about ICTs, and therefore they do
not have too many initial expectations for platforms. However, when a centre provides
them services through digital means, this improves their perception of the centre’s quality
and increases the demand for new features.

They take it for granted that the platforms must be “secure,” understanding this to mean
that no situations can occur where their children have access to contents that are
inappropriate for their age or an unauthorised person can access their personal or family
information.

Their main security expectations are:

• The confidentiality of family information.

• Compliance with applicable laws.

• Secure access control.

• Application availability.

3.1.4 School administration


School administrations see the platforms as a first order tool for the administration of
schools and high schools (registrations, students who leave, academic records, etc.) Their

29
Centros de Uso Avanzado de las Tecnologías Educativas. [Centres with Advanced Use of Educational Technologies.]
IES Doña Jimena: Informe de evaluación III: curso 2006-2007. [Evaluation report III: 2006-2007 school year.]

Study on educational platform safety measures Page 33 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

main concerns are availability, in other words, that the tool works correctly at times with
the greatest work load, and that it complies with the Organic Law for the Protection of
Personal Information 30 (LOPD), since there are increasing incidents and complaints filed
as the result of infractions of this law.

At the same time, the development of communications tools on these platforms has
caused their use to become common among the members of the educational community,
which raises certain questions about the confidentiality of communications (that student
marks or absences are sent to only authorised recipients).

Their main security expectations are:

• Compliance with applicable laws.

• The confidentiality of communications.

• The confidentiality of data and information.

• A low level of security incidents.

• Equipment availability.

• Application availability.

• Secure access control.

3.1.5 Public institutions that play a role in education


The public administration has great interest in the use of educational platforms spreading
and becoming more common. It has several different tools and methods to support this,

The use of information and communication technologies in education has been


encouraged by the Ministry of Education and Science, particularly by the creation of the
National Centre for Educational Information and Communication, whose objectives are
intended to support the production of curricular and extracurricular hypermedia contents,
to participate in European Union educational programs and projects and to coordinate
new technology initiatives in the autonomic communities.

Educational platforms are a powerful tool that the departments may use to quickly access
information related to the educational community, centralising it and permitting it to be
managed better. In addition, platforms may be effective chains for transmitting new

30
Organic Law 15/1999, 13 December, regarding the Protection of Personal Information (LOPD). A summary is included in
Section 3.3.1 of this document.

Study on educational platform safety measures Page 34 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

educational policies related to innovation: new methodologies, attention to diversity,


developing capacities, etc.

The effort that many autonomic communities have made through their departments of
education clearly expresses the Administration's desire to promote the use if ICTs in
schools. Platforms are expected to help with this task; in fact, they are the fundamental
tool to accomplish this, given that significant efforts and investments are being made
along these lines.

The main security expectations for this group are:

• Compliance with applicable laws.

• The confidentiality of communications.

• The confidentiality of data and information.

• Secure access control.

• A low level of security incidents.

• Equipment availability.

• Application availability.

3.1.6 Publishing companies


Publishing companies have perceived that ICTs may be a productive business line, and
they have begun to work on them from the point of view of their experience over a long
history as educational material providers.

Emphasis has been placed on the platform contents, as this forms their knowledge base,
and in all reality, they are conceived of as complements to instructional material in paper
form. The other aspects of academic and administrative management and
communications are gradually being incorporated.

As product manufacturers, they are more conscious than other user groups of what
platforms can and cannot (or should not) do, and their products often exceed the users’
expectations and create needs. Their own expectations are primarily directed towards
disseminating the benefits of their platforms and expanding their use, in order to
strengthen or improve their market position as providers of educational materials.

Their main security expectations are:

• The perimeter security of the applications.

Study on educational platform safety measures Page 35 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

• The logical security of the applications.

• The security of communications.

• Compliance with applicable legislation.

• Information integrity.

• Equipment availability.

• Application availability.

3.1.7 Development advisors


This group has a profile that is quite similar to that of the publishing companies, but
without the advantages or the disadvantages that the latter have as suppliers of traditional
educational material to educational centres. Their expectations about the generalisation of
the use of platforms match those of the publishing companies in many aspects.

Their main security expectations are:

• The perimeter security of the applications.

• The logical security of the applications.

• The security of communications.

• Compliance with applicable legislation.

• Information integrity.

• Equipment availability.

• Application availability.

3.2 Security concepts: confidentiality, integrity and availability

When thinking about information security, the first thing that normally comes to mind is
keeping our information safe from indiscretions. However, when users are in daily contact
with ICTs, and in this case, with educational platforms, they realise that there are other
points that are also of utmost importance. This is the case, for example, of the information
itself, which must be displaced accurately and in the correct form; the same thing occurs
with the correct operation of the information systems, which must be guaranteed against
technical or supply problems. These are also security aspects that must be taken into
consideration.

Study on educational platform safety measures Page 36 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

According to the UNE/ISO-IEC 27001 standards 31 , information security is defined as the


preservation of its confidentiality, integrity and availability, possibly involving other
properties such as authenticity, responsibility, the lack of repudiation and reliability.

Confidentiality is understood as the property of information by which it is not made


available or revealed to unauthorised individuals, organisations or processes. Integrity is
the property of safeguarding the accuracy and completeness of the information.
Availability is the property of being accessible and usable at the demand of an authorised
body.

3.2.1 Security controls


Confidentiality is the first concept that comes up when speaking about information
security. It is even sometimes used as an interchangeable term, which obviously, it is not,
but it offers the idea of the importance that users give to this aspect. The fact that
legislation recognises confidentiality of certain information as a fundamental right only
adds emphasis to the importance that is given to this aspect of security.

Inaccurate or incomplete information is not very useful, and it may even present a serious
problem if it is used inadvertently as correct information in any process. For this reason, it
is fundamental to use the means necessary so that incidents that compromise this aspect
of security do not occur.

Availability is the most technical aspect, and the one that is not always considered as a
topic related to security. This has the advantage that, in many cases, there are measures
aimed at ensuring availability as a routine procedure, and for this reason, it is an aspect
that is sufficiently covered.

The most common control objectives (taken from the list Control objectives and controls in
the UNE/ISO-IEC 27001 standards) used to guarantee information security are the
following:

• Information security policies. It is fundamental to have guidelines, no matter


how general, so that everyone is conscious of the relevance of the topic of security
and to have minimum action criteria. Aspects covered include: confidentiality,
integrity and availability.

• Organisation of information security. Security is a process, and as such, it must


have the resources to be carried out and managed. The controls for this point are
very relevant, given that the existence of a person responsible for security
guarantees that a minimum level exists. Another noteworthy aspect is that in
31
UNE-ISO/IEC 27001 (2007): Sistemas de gestión de la seguridad de la información (SGSI). Requisitos. [Information
security management systems (SGSI), Requirements.]

Study on educational platform safety measures Page 37 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

systems as complex as platforms, there are many persons involved who may
access the information, and therefore, it is critical that any third parties
(subcontractors, maintenance personnel, suppliers, etc.) have the same
obligations and responsibilities as an internal user, especially with regards to such
a sensitive topic as confidentiality. Aspects covered include: confidentiality and
integrity.

• Asset management. Classifying information and assigning people responsible for


its management and security prevent damaging incidents from occurring as the
result of errors or negligence, besides facilitating the distribution of security
measures according to the degree to which the information is critical. In addition,
having a person responsible for assets permits preserving their integrity better,
and in the event that a problem arises, it may be detected and solved more
quickly. Aspects covered include: confidentiality and integrity.

• Security. It is a well-known fact that all the technological measures applied with
the most rigourous criteria may still be useless if the users are not concerned with
following reasonable security practices. For this reason, it is crucial for all
personnel to be informed and trained according to their needs and responsibilities,
so that they are active users in the protection of the information they handle,
instead of being the weakest link in the chain. Another crucial point to guarantee
confidentiality is the elimination of all access modes to information that a person
might have when he ends his relationship with the organisation. He must be
required to return any assets that are in his possession and his access privileges
must be cancelled. Aspects covered include: confidentiality and integrity.

• Physical security and the environment. Any security measure related to access
control is basic in order to guarantee the confidentiality and the integrity of
information, given that what we intent to prevent is precisely that no unauthorised
person access them. Any damage suffered by the equipment may mean a loss or
filtration of information, which means that systems must be located in
environments that are physically safe, in order to prevent damage that would
compromise their security. Aspects covered include: confidentiality, integrity and
availability.

• Communications and operations management. It is indispensable for programs


and applications to work as expected, since if they do not, conflicts and errors may
occur in the processing of information, which could affect confidentiality. This
applies in an equal measure to services contracted with third parties, so that no
discrepancies arise among the different services and so that the information being
exchanged is adequately protected. Nowadays, communications are an essential
work tool, and for this reason, the networks and infrastructures that support them

Study on educational platform safety measures Page 38 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

must be protected. Any part of the information systems involved in information


processing must be protected in order to guarantee the security if the data.
Furthermore, it must be remembered that information is not only stored on
computer systems, rather it is processed in many formats (on paper, optical disks,
USB devices, etc.), and is vulnerable to being removed, copied or lost, which
jeopardises confidentiality. The technical aspects are very important in order to
guarantee the integrity of information. In particular, it is necessary to be very
careful with regards to change management, the separation of tasks,
environments and networks, and the management of services provided by third
parties. Regarding this point, there are several factors that have a powerful
influence over maintaining adequate system availability: planning and system
acceptance, malicious code control (Trojan viruses, worms, etc,) and backup
copies. Aspects covered include: confidentiality, integrity and availability.

• Access control. The rules regarding privileges that each user may have must be
clearly defined and rigorously implemented in order to prevent errors. If accesses
are correctly controlled, guaranteeing that only authorised users can access
pertinent information, this will prevent incidents from occurring to a large degree
that might affect information integrity. In spite of the fact that user control can
prevent errors, it is fundamental for the users to behave in an appropriate manner,
so that undesirable events do not occur. A positive attitude on the part of an
adequately trained user may do more for security than many of the technical
measures that are implemented. Aspects covered include: confidentiality, integrity
and availability.

• Acquisition, development and maintenance of information systems. A clear


awareness must exist about what the security requirements are for the platforms,
from the beginning of their development by their suppliers and by the users who
will acquire them, so that they may correctly evaluate their adaptation to the use
that they will be given. The more sensitive the information being processed, the
stricter the security requirements must be. There must be mechanisms that permit
controlling the correct development of the application so that it cannot reach the
final tests without having completed the established requirements. Aspects
covered include: confidentiality, integrity and availability.

• Managing security incidents. Perfect security does not exist, and therefore
incidents will always occur. When this happens, it must be possible to have the
right tools to detect them as soon as possible and solve them effectively. In order
for the errors to affect no more than what is strictly unavoidable during the
operation, there must be effective incident management, putting in place the
measures that are necessary to solve the incident as soon as possible, and

Study on educational platform safety measures Page 39 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

minimising the damage. Aspects covered include: confidentiality, integrity and


availability.

• Business continuity management. It is necessary to have plans for recuperation


in the event of a disaster. The inconveniences if this occurs are enormous and
may be effectively mitigated if there is a clear plan of action that allows us to
resume normal activity within a reasonable period of time, protecting the
information at all times. The aspect covered includes: availability.

• Conformity. We must not ignore legal, contractual and internal requirements. In


order to guarantee compliance with them, systematic mechanisms must be
established that check for compliance. The aspect covered includes:
confidentiality.

3.3 Relevant Spanish legislation

The importance of information in our society and the preponderance of technology have
been the driving forces behind a certain level of awareness with regards to information
security. This new reality has resulted in numerous legislative developments being passed
over the last few years, which regulate situations that were a continual source of conflicts
and irregularities, and the violations of fundamental rights.

3.3.1 Organic Law 15/1999, 13 December, regarding the Protection of Personal


Information (LOPD)
This law is complemented by the regulation stipulated in Royal Decree 1720/2007.

The objective of this law is to guarantee and protect public freedoms and the fundamental
rights of individuals, and in particular, their honor and personal and family privacy, where
the processing of personal information is concerned (regardless of whether this is
automated or not).

This law is a fundamental pillar guaranteeing the confidentiality of personal information. In


our case, regarding digital platforms, we have the added complication that the information
belongs to minors, and any incident would have much greater repercussions in society
and in the mass media. Strict compliance with this law must be reflected in the
requirements for developing any platform, so that it facilitates the work of its users and
prevents any accidental infractions.

3.3.2 Law 32/2003, 3 November, regarding General Telecommunications


Along with the necessary regulatory development, this law is intended to regulate
telecommunications, which include the exploitation of networks and the provision of
electronic communication services and related resources, according to Article 149.1.21.ª
of the Spanish Constitution.

Study on educational platform safety measures Page 40 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

Many of those interviewed agree that communications are going to be the tools that are
the most used over the short to medium term on platforms. These communications will
link all members of the educational community to one another. This implies that it must be
clear what the tools are to protect communications and demand a minimum level of
services from providers in order to guarantee platform security.

3.3.3 Law 34/2002, 11 July, regarding Information Society and Electronic


Commerce Services
This law regulates the legal rules governing information society services and contracting
via electronic means.

Platforms have been present on the market for only a short time as compared to other
types of applications, and the services they offer are very heterogeneous, which is why
this law may not apply to all platforms. But the logical evolution would be to gradually add
services, and it is very possible that some of those considered by this law will end up
being provided by most platforms. This would mean that these legal requirements should
be included.

3.3.4 Law 59/2003, 19 December, regarding Electronic Signatures


This is a law that regulates electronic signatures, their legal validity and the provision of
certification services.

An electronic signature is one of the means of authentication that those interviewed


mentioned as possible substitutes to the traditional user-password. On the other hand,
given the previously mentioned increase in services and communications, using an
electronic signature in the transfer of information would be an effective method to
guarantee its security.

3.3.5 Royal Legislative Decree 1/1996, 12 April, regarding the Intellectual


Property Law
This law stipulates that the intellectual ownership of a literary, artistic or scientific work
belongs to the author, due to the mere act of its creation.

In the case of educational platforms, intellectual property is a topic that many of those
interviewed identified as problematic, but that since there have not been serious
consequences up until now, it is a topic that remains latent and, in many cases, ignored.
The ease of locating and copying information in digital formats and ignorance of the fact
that the information being used is subject to intellectual copyrights may sometimes lead to
violations in this regard.

Study on educational platform safety measures Page 41 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

One possible solution to this problem would be the use of Creative Commons 32 licences
on contents used by educational platforms.

3.3.6 Organic Law 1/1996, 15 January, regarding the Legal Protection of Minors
This law provides a vast legal framework for protecting minors, linking all public authorities
and institutions specifically related to minors, parents and other relatives, and citizens in
general.

The Minor Protection Law is an important source of requirements for digital platforms.
They must be designed, developed, implemented and managed in such a way that
guarantees the rights represented in this law. In addition, it is an opportunity for
developers, the Administration and school administrators to promote new uses of ICTs in
teaching, opening new doors to instructional modes that make it possible for a minor to
really exercise his rights in a secure environment.

3.4 Applicable regulations and best practices

As many of those interviewed were aware of only part of the legislation in effect which
may apply to digital platforms, it goes to show that knowledge about the international
regulations and best practices is quite limited, being confined to those professionals who
in some way have found themselves exposed to security problems.

Any of the regulations and best practices that are described below may be used as a
reference for developing security policies and measures for educational platforms, as they
are generally intended for information systems.

An educational platform is a fairly complex information system, due to its special


characteristics, with quite varied functions and a significant range of users, but it has the
same problems as any other system, with regards to defining security requirements and
internal control.

These regulations are, therefore, specifically for use in deciding what security measures to
implement, how to do this, and how to verify that they function adequately, measuring the
control performance.

3.4.1 The ISO 27000 series of standards


The ISO/IEC 27000 series of safety standards are published by the International
Organization for Standardization 33 (ISO) and the International Electrotechnical

32
Creative Commons is a non-profit organisation that has Developer a series of Standard legal documents – usage
licences– under which to distribute digital contents. In this way, the owner of the contents may establish whether he permits
third parties to use a part or whole of his contents to perform work with or without a commercial purpose. Creative
Commons licences permit reserving some rights and granting others. For more information, see http://creativecommons.org/
33
Available at: www.iso.org

Study on educational platform safety measures Page 42 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

Commission 34 (IEC). The series contains the best practices recommended in the area of
information security in order to develop, implement and maintain Information Security
Management Systems (ISMS). The range of numbers reserved by ISO run from 27000 to
27019 and from 27030 to 27044. The main standard in this series are:

• ISO 27001. This is the main standard in the series and it contains the
requirements for information security management systems. In its Appendix A, it
lists a summary of the control objectives and controls developed by ISO
27002:2005 for selection by organisations developing Information Security
Management Systems.

• ISO 27002. Since 1 July 2007, this is the new name for ISO 17799:2005, keeping
2005 as the year it was published. It is a guide of best practices that describes the
control objectives and controls recommended for information security. It is not
certifiable. It contains 39 control objectives and 133 controls, grouped into 11
domains.

3.4.2 Cobit
Cobit (Control Objectives for Information and related Technology) is a framework for the
governance of ICTs developed by the Information Systems Audit and Control Association
(ISACA) 35 and the IT Governance Institute 36 (ITGI). In addition to the framework, it
provides the support tools that allow administrators to establish relationships among the
control requirements, technical matters and business risks.

The first version of the Cobits was published in April 1996, developing the control
objectives derived from the analysis and study of international standards and directives,
as well as best practices. Directives were then developed for performing audits that
evaluate whether these control objectives have been adequately implemented.

The main contents of the Cobits (control objectives, management directives and maturity
models) are divided into 34 ICT processes, and each is broken down into four sections
that cover how to control, manage and measure the process.

The latest version, Cobit 4.0, emphasises regulatory compliance and assistance to
organisations in increasing the value obtained from ICTs; likewise, it allows for business
alignment and simplifies the implementation of the framework.

34
Available at: www.iec.ch
35
Available at: www.isaca.org
36
Available at: www.itgi.org

Study on educational platform safety measures Page 43 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

3.4.3 National Institute of Standards and Technology (NIST)


The National Institute of Standards and Technology 37 , which forms part of the Technology
Administration of the United States Commerce Department, was founded in 1901 in order
to promote innovation and industrial competitiveness in the United States through
advances in measurements, standards and technology, in order to improve economic
security and quality of life. To complete its mission, it sponsors four programs:

• NIST Laboratories, which perform research in order to improve the country’s


technological infrastructure and support product and service improvement within
the industry.

• Baldrige National Quality Program, which promotes excellence among


manufacturers, service companies, educational institutions and health service
providers.

• Hollings Manufacturing Extension Partnership, a national network of centres that


offer technical and business assistance to small manufacturers.

• The Technology Innovation Program, which honours the industry, universities or


consortiums for research in potentially revolutionary technologies that target critical
needs of the country and society.

Among the results of their many activities, they have issued several documents on best
safety practices, in particular, the NIST Handbook: An Introduction to Computer
Security 38 .

This manual, written in 2001, is intended for those in charge of the security of information
systems and all technicians who need assistance in understanding basic security
concepts and techniques.

The NIST also has other publications that are widely used within the computer security
field, such as the Contingency Planning Guide for Information Technology Systems 39 and
the Guide for Developing Performance Metrics for Information Security 40 .

37
Available at: www.nist.gov
38
National Institute of Standards and Technology (2001): NIST Handbook An Introduction to Computer Security. Special
Publication 800-12.
39
National Institute of Standards and Technology (2002): Contingency Planning Guide for Information Technology Systems,
SP 800-34 NIST. On-line. Available at: http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf
40
National Institute of Standards and Technology (2006): Guide for Developing Performance Metrics for Information
Security, SP 800-80 NIST’s Computer Security Division, 4 de mayo. On-line. Available at:
http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-80

Study on educational platform safety measures Page 44 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

3.4.4 Bundesamt für Sicherheit in der Informationstechnik (BSI, German


Information Security Agency)
The fundamental job of the Bundesamt für Sicherheit in der Informationstechnik (BSI) is to
be the main Information Technology (IT) security provider for the German government.

Its products and services are intended for IT product users and manufacturers, including
mainly the public Administration at the federal, regional and local levels, in addition to
companies and private users.

Like the National Security Agency, its objective is to promote IT security, so that everyone
may take advantage of the opportunities the information society has to offer.

The BSI has published The IT Baseline Protection Manual 41 , which contains standard
security measures, advice for implementation and assistance for the numerous ICT
configurations. The goal of the information in this manual is to provide a quick solution to
security problems, support efforts aimed at improving the levels of security for information
systems and to simplify the creation of ICT security policies.

3.5 Security development and auditing methodologies

The general opinion among those interviewed is that the better designed and developed a
platform is, the more secure it will be, which is why it is important to use working and
development methodologies that ensure the absence of vulnerabilities in the code that
might later be exploited by malicious attacks or simply generate errors. In this sense, it
should be pointed out that although there are opinions and arguments in favour of both
freeware and proprietary software, the implementation of one solution over the other is
more closely related to reasons such as economic criteria or the ease of development
than security arguments. Professionals believe that any of the options is secure, as long
as the application has included security requirements from the very beginning of its
development.

The main methodologies outlined were:

• Standards for E-learning Management Systems like those developed by


Instructional Management Systems (IMS) 42 , an non-profit association created in
1997, which leads the growth and development of the technology industry in the
field of education and learning through the creation of standards and best
practices or SCORM, an initiative from the United States government developed
by Advanced Distributed Learning (ADL) , whose objective is to product courses

41
Federal Office for Information Security (BSI) (2004): The IT Baseline Protection Manual. On-line. Available at:
http://www.bsi.bund.de/english/gshb/manual/download/pdfversion.zip
42
Available at: www.imsglobal.org

Study on educational platform safety measures Page 45 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

with reusable contents. The Institute of Electrical and Electronics Engineers


(IEEE) 43 , whose objective is to product courses with reusable contents. The
Institute of Electrical and Electronics Engineers (IEEE) 44 has a standard project,
Learning Objects and Metadata, among the objectives of which is facilitating the
search for, evaluation, acquisition and use of educational platforms for teachers
and students, as well as supporting the necessary security and authentication for
the distribution and use of the learning elements.

• OWASP. Best practices in secure web programming. OWASP stands for Open
Web Application Security Project, and it is an open community dedicated to finding
and combating the causes of insecurity in software, in an impartial and practical
manner.

• Open Source Security Testing Methodology Manual (OSSTMM), is one of the


most complete and commonly used professional standards in security auditing for
checking system security over the Internet. It includes a working framework that
describes the phases that must be performed during an audit.

43
Available at: www.adlnet.gov
44
Available at: www.ieee.org

Study on educational platform safety measures Page 46 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

4 RISK ANALYSIS

A risk analysis consists of evaluating a set of threats according to the probability of


which they will occur, and the impact they would cause. In this section, we intend to
examine the threats perceived by the different participants involved in the development
and use of educational platforms, estimate the probability that these threats will occur and
consider the damage that they would cause, keeping in mind the various opinions
gathered and references found in the professional literature.

For an in-depth study of the problems related to platforms, we first extracted from the
information obtained from the study those points in which security tasks are being
performed in accordance with the best practices established by the standards in the ISO
27000 family.

Secondly, the weak points that were able to be identified were examined. One weak point
in this context is any situation that a) does not follow the best practices established by the
standards in the ISO 27000 family, and b), that, in one way or another, might allow one or
more of the threats being considered to occur.

Finally, a risk map was developed, with two differentiated groups. On one hand, it includes
threats stemming from natural or industrial disasters, and on the other, those of a human
origin. These threats have been chosen from among those proposed by the Magerit
methodology 45 , due to their applicability to educational platforms. Once selected, the
parameters of probability of occurrence and impact if they do occur were evaluated,
justifying these evaluations based on the information collected.

4.1 Strong points found

The most obvious conclusion with the widest consensus among those interviewed is that
platforms, which have a public area and a private area that can only be accessed by a
user login name and password, are relatively secure for their users, as they do not
present the same dangers that, for example, may be found over the Internet. This explains
why neither frequent nor serious incidents have occurred. If this separation did not exist,
we would expect a much higher volume of incidents, especially considering the significant
number of platform users.

4.1.1 Logical security


• Perimeter security. All the platforms analysed, both public and private, have
(without entering into the specific configuration of rules) reasonable perimeter

45
Magerit (2006): Metodología de análisis y gestión de riesgos de los sistemas de información. [Information system risk
analysis and management methodology.] Public Administration Ministry, version 2.0. On-line. Available at:
http://www.csi.map.es/csi/pdf/magerit_v2/metodo_v11_final.pdf

Study on educational platform safety measures Page 47 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

security based on known devices (firewalls, load balancers, web content filters,
spam and phishing protection, antivirus 46 , etc.).

• Intrusion tests. Ethical hacking-type audits have been performed by computer


experts on most of the platforms found, although not with the recommended
frequency, considering the sensitivity of the information. Another positive aspect is
that these audits have failed to detect very important vulnerabilities or
malfunctions, and those detected were duly resolved by those in charge of the
platforms, following the recommendations issued by experts following the audit.

• Virus resistance. Since they are closed environments with little or no external
connection, platforms are less exposed to this type of incidents. Another argument
that was given to explain the low impact of viruses on them is that most platforms
use Unix/Linux, if not completely, at least in part. These are operating systems for
which malicious code has barely been written, although we should not fall into the
temptation of stating that no specific malware exists that affects Linux 47 .

• Task segregation. Platforms have multiple functions that use information with
different levels of sensitivity. Applications that manage sensitive information are
usually logically, and even physically, separate from instructional applications. In
some cases, management applications have more access controls or are more
rigorous.

• Good international positioning. There is a consensus among the participants


interviewed that the level of logical security for platforms in Spain is similar to that
of the rest of Europe, or even better. Compared to countries like France or
Germany, it is thought that Spain has an advantage, with regards to both the
presence of ICTs in educational centres and the use of freeware.

4.1.2 Access control


• Effective controls. Although there is great diversity in the type of controls and
their degree of effectiveness, several have been found that are used on all
platforms.

46
A firewall is hardware or software used on a network of computers to control communications, either permitting them or
prohibiting them.
Load balancers are devices that are used to manage the requests from a large number of users on the networks, redirecting
traffic to avoid bottlenecks.
Web filters are applications that permit filtering information that is downloaded to any of the computers on the network.
Antispam, antiphishing and antivirus software are programs that use various techniques to separate junk mail from wanted
mail, detecting fraudulent pages or those with malicious code.
47
INTECO: Estudio sobre la seguridad de la información y e-confianza de los hogares españoles. [Study on information
security and e-confidence in Spanish homes.] Tercera oleada (mayo-julio de 2007). On-line. Available at:
http://www.observatorio.inteco.es

Study on educational platform safety measures Page 48 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

o The platforms use passwords to register users.

o Password files and other very sensitive information are usually encrypted.

o There is a hierarchy of profiles (students, teachers, administrators, etc.)


with different privileges.

o Usage is recorded (in historical logs), although storage periods vary


greatly, in some cases not meeting the applicable regulations.

• Separate environments. On several platforms there is a physical and/or logical


separation between sensitive databases (containing student information, academic
marks, school incidents, etc.) and the rest of the instructional and/or educational
material. This separation prevents, for example, students from accessing
information that is not theirs.

• Lack of anonymity. The platforms are usually closed, and there is no anonymity,
which makes ciberbullying 48 practically nonexistent, since the ease of identifying
the guilty party is a powerful dissuading factor.

4.1.3 Purchase and development


• The incorporation of security controls in development. Platform developers
(professionals and companies that are dedicated to developing applications) are
usually aware of the security risks. The experts interviewed have confirmed that,
even when designing projects for public administrations, they have taken the
precaution of incorporating security topics, independently of whether these were
established in the specifications of the public tender that published. In this way, the
solutions delivered to the public administration-clients meet certain acceptable
security standards. In many cases, this is due to the knowledge itself that the
developers have about the topic or that they work for clients with different profiles
who do include security issues in their requirements.

• Contract Law 49 . This established the criteria that govern hiring in the public
sector, as well as other parameters, and the necessary expertise that
entrepreneurs or professionals must have and be able to accredit in order to enter
into contracts. In the area of platforms, this law requires potential content
developers to accredit their expertise, and grants the right to require that

48
Cyberbullying is understood to mean the harassment among peers by means of new technologies (Internet, mobile
telephones or on-line games). It is not confined only to the school environment, as occurs with bullying, nor does it refer to
stalking for sexual purposes performed by adults. The terms cyberabuse and cyberharassment are sometimes used, but
these words are often confusing, due to the sexual connotations that they have in other contexts.
49
Law 30/2007, 30 October, regarding Contracts in the Public Sector. On-line. Available at:
www.boe.es/boe/dias/2007/10/31/pdfs/A44336-44436.pdf

Study on educational platform safety measures Page 49 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

successful tenderers purchase products and/or services based on certain


standards that guarantee that the meet the security measures identified in this
study.

4.1.4 Incidents
• Low number of incidents. Those interviewed agreed in pointing out that
platforms do not generate a significant number of incidents, much less security
incidents. They believe that this is the result, on one hand, of the fact that the
security controls that have been implemented are working well, and on the other,
that platforms are not an attractive target for attacks, since they do not contain
information that is interesting to a potential attacker.

4.1.5 Awareness
• Security awareness. Although there is a notorious lack of training in security
issues and it is believed that there is little sensitivity towards the topic in
educational centres, a certain concern about the topic has been detected by those
interviewed, who are aware of the problems and conflictive situations that this
situation may cause if it continues over time.

4.1.6 Legislative compliance


• Compliance with the Personal Information Protection Law 50 . Most of those
interviewed believe that this law, while it does not specifically deal with the topic of
minors, adequately protects their rights to privacy, as it controls with certain rigour
the personal information that is kept and does not allow it to be distributed to third
parties without the express authorisation of the affected party, which in this case,
must be given by the parent or guardian. The law has also helped make the
general population, including teachers, more aware with regards to the privacy of
each individual. Finally, it is positively viewed that there have been directives
issued that have guided security efforts, although the experts believe that more
details are needed to implement the specific measures. This means that the
regulation must be even more precise about the steps to take in order to
implement these security measures.

4.2 Vulnerabilities and other detected weaknesses and their impact

In the context of security, a vulnerability is defined as a weakness in the system that


would permit an attacker to compromise the security of the system or its
information. There is another series of weaknesses that are not vulnerabilities (for

50
Op. cit., 30, and the details in section 3.3.1 of Organic Law 15/1999, 13 December, regarding the Protection of Personal
Information (LOPD). Also in Appendixo II

Study on educational platform safety measures Page 50 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

example, the lack of protection against natural incidents), but that may also compromise
platform security.

The vulnerabilities are usually related to information confidentiality, but an attacker may
also compromise the integrity of the information or affect system availability. Other
weaknesses usually affect availability to a greater degree, although they might also affect
information integrity and even (but less frequently) confidentiality.

It is very difficult to take action against each and every threat that exists for platforms,
given that security can never be perfect, due to the constant evolution of new threats and
that fact that the more restrictive the security is, the less operational the platform is for its
users. This makes it absolutely necessary to achieve a reasonable balance, which must
be defined in collaboration with security technicians from the development companies and
professionals who are knowledgeable about the dynamics of educational centres.

The ultimate question, therefore, is to determine the relative criticality of the risks
(measured in terms of their potential negative results and the probability that they will
occur) and invest in security measures according to this estimate. The question about
whether it is more important to protect ourselves mainly against vulnerabilities or against
weaknesses is important and depends, to a certain degree, on which of the three
concepts is the most important, among confidentiality, integrity and availability. In a bank,
the confidentiality of the clients' information, for example, is of great importance, but
system availability is probably even more important. In the case of educational platforms,
taking into account the possible risks associated with unauthorised access to sensitive
information about minors, information confidentiality is obviously a critical aspect that must
be considered when designing platform security measures.

It is true that among the sources of information and especially the different opinions
expressed by those interviewed, weaknesses related to confidentiality were given greater
importance. However, aspects related to information integrity and availability were also
commented on.

The sections below summarize the weaknesses found during the field work phase of this
project.

4.2.1 Training and awareness


• Lack of user training. Except for platform suppliers, who have direct exposure to
security issues due to their work, and whose work procedures incorporate the
necessary tools so that their applications meet certain security requirements, the
rest of the participants involved with educational platforms have a serious lack of
training in security; in many cases, they have no training whatsoever. This is the
source of certain habitual risky practices, such as sharing passwords, not updating

Study on educational platform safety measures Page 51 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

antivirus software, not considering intellectual property rights when creating


contents, etc.

Lack of awareness regarding security issues. Those participants most directly


involved in the daily use of platforms are not aware of the risks implied by its use.
This comment was almost unanimous among those interviewed, and it is currently
considered to be one of the most serious problems. This is an especially
worrisome situation in the case of students and teachers. The lack of awareness
implies the use of ICTs and platforms without the minimum precautions that in
other environments would probably exist.

As far as the students are concerned, there is no awareness of the risks that they
take if they share passwords or make them overly simple. Teachers are generally
not conscious of infractions of the Law for the Protection of Personal Information or
the Intellectual Property Law that they might commit when creating or sharing
contents. The administrative teams of these centres also suffer from the same lack
of awareness.

Platform developers and administrators for departments of education or private


companies are conscious of the risks these applications involve and have
established measures that they consider appropriate, in particular for controlling
access or policies for defining user profiles and privileges.

• Lack of technical security knowledge. This vulnerability mainly affects


instructors who are responsible for ICT coordination (ICT coordinators) in their
centres. These persons are the ones that keep the platforms working day to day
and who in many cases lack the adequate training to do so, not being prepared to
face the technological challenges that constantly occur. Lack of knowledge
becomes a critical issue when it is necessary to make purchases or updates and
they cannot define the security requirements they should request from their
suppliers.

• Information dispersion. There is not much communication among the centres in


the same autonomic community and even less among communities, which results
in each teacher generating his own content materials without taking into account
those that may have been generated by another colleague at another centre.
Synergy is lost, and resources are wasted by generating redundant information.

• Information disparity. As in the previous case, information is generated without


considering work that already exists in formats that, in any case, make it difficult to
share. This prevents collaboration and reusing already existing materials that
might be considered perfectly valid.

Study on educational platform safety measures Page 52 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

• Lack of quality control. In most of the cases, the materials are used by their own
creators without being subjected to any type of revision. This is a serious
impediment for improving the quality of content materials.

4.2.2 Logical security


• Potentially unsafe communications connections. When there is not a technical
team behind a platform that is technically prepared and knowledgeable about the
problems presented by communication and connection mechanisms, incidents
involving malicious code attacks or even intrusions may occur in systems.
Fortunately, this has not occurred up until now. The general opinion is that this
type of attack has not yet occurred, not because it is impossible, rather because
the attackers do not find the information they could access attractive. This may
change at any time, which is why greater control in the security measures related
to communications is necessary.

• Download and/or use of unauthorised software. It should be impossible to


download, in order to prevent problems with compatibility, malicious codes, the
violation of any applicable laws, etc.

• Inadequate network management. For the platforms to work adequately, it is


very important for the network on which they are installed to operate in an optimal
manner, so that problems with availability and addressing of the information flow
do not occur. When the centres do not have highly qualified personnel to take
charge of the network, it is very difficult to achieve good administration of it. In
these cases, the correct functioning usually depends on the appropriate Public
Administration.

• Heterogeneous practices with regards to back-up copies. In one centre, back-


up copies are made according to the criteria of those in charge of that particular
centre, but in general, there does not seem to be a back-up copy policy that would
prevent information loss in the case of serious incidents. During the interviews, the
serious consequences of the loss of students’ historical academic records were
frequently mentioned.

• Inappropriate use of software and hardware. If clearly defined security policies


do not exist at all levels and if these are not known by everyone involved, it is very
easy for cases of bad practices to occur. As an example, this might imply that
systems become unstable or unavailable.

4.2.3 Access control


• Overly simple identification and authentication mechanisms. The mechanism
that is used without exception in the educational community is the user name and

Study on educational platform safety measures Page 53 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

password51. In spite of this practically universal standard, nowadays there are


more effective practices. Without rigorous controls over the management and
quality of the identifiers, this system results in numerous incidents; specifically,
experts have cited forgotten passwords, using passwords that are obvious or too
easy, and errors in registering and removing users.

The gradual increase in the number of passwords that a user must use, the
different degrees of authentication that it must be subjected to, as well as the
frequency with which they must be changed 52 , make it increasingly more
complicated and difficult to maintain a rigorous access control using this system.

Numerous persons interviewed expressed their concern in this sense, and


suggested what the identification and authentication systems would be over the
medium to long term, substituting the existing systems: biometric devices, smart
cards, the electronic national identification card, etc.

• Inadequate controls for physical access to the installations. Centres have


scarcely any access controls. When new information systems are purchased and
installed, this is not accompanied by any change in access controls, in other
words, the equipment may be easily accessed, with the subsequent risk of theft,
damage or misuse.

4.2.4 Purchasing, development and maintenance


• Lack of security requirement definition for developers. The lack of technical
knowledge, and even the lack of experience in the use of computer tools in
general and specifically educational platforms, results in those responsible for
acquiring these applications not knowing why they can and should demand from
the suppliers. When they are not capable of specifying the requirements, both the
functions that they need and the necessary characteristics of usability and security
make it necessary for them to depend exclusively on the technical competence
and the security knowledge of the suppliers. The lack of development tracking
poses the risk that the code has security holes, which makes it vulnerable to errors
or attacks, or that it will not meet the needs of the educational community. In the
case of commercial products, the best product for the existing needs may not be
selected. For this reason, it is necessary to participate actively in the development
51
Spanish Information Protection Agency (2006): Plan sectorial de oficio a la enseñanza reglada no universitaria.
[Professional sector plan for the non-university required curriculum.] Madrid, AEPD.
Ídem (2008): Documento de trabajo 1/08 sobre la protección de datos personales de los niños (directrices generales y el
caso especial de los colegios). [Working document 1/08 on the protection of the personal information belonging to children
(general directives and the special case of schools).]. On-line. Available at:
https://www.agpd.es/upload/Canal_Documentacion/Internacional/wp_29/menores_es.pdf
52
INTECO Política de contraseñas y seguridad de la información. [Password policy and information security.] On-line.
Available at: http://www.observatorio.inteco.es

Study on educational platform safety measures Page 54 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

and purchase of applications, and to demand certain minimum requirement from


the suppliers.

• Management of known vulnerabilities in obsolete software. When there are no


established guidelines, nor qualified personnel in charge of managing ICTs in the
centres, the platforms are very exposed to security malfunctions, due to the lack of
software updating and necessary security patches.

Normally, the suppliers provide the software that is necessary to update the
platforms. But only happens when the platform is housed in their installations and
the centres access it remotely, can we be reasonably sure that it is correctly
updated.

• Inadequate system maintenance. The lack of personnel assigned to this task


implies that the systems are exposed to hard drive saturation, the lack of patches,
hidden malicious code (Trojan viruses), etc. This causes system malfunctions and
availability failures, As in the previous point, it is fundamental for there to be
sufficient human and technical resources to perform maintenance that is
appropriate for the size and complexity of the existing systems, in order to prevent
failures.

4.2.5 Incidents
• Service continuity. Continuity plans barely exist in the case of a disaster. Those
interviewed expressed that they were generally not worried about this problem.
Educational centres completely trust that, in the case of a disaster, the
Administration or the service providers would be able to give them support in order
to continue.

However, in some departments of education this aspect of security has been taken
into consideration, and they do have continuity plans for action, if necessary.

4.2.6 Compliance with legislation and regulations


• Lack of policies related to the correct, safe use of ICTs in general, and more
specifically, platforms. Some centres do have security policies, but it is not very
common; It depends on the judgement and the awareness of the centre’s
administrative team. The departments of education usually issue the centres in
their area some rules for using computer resources, but no follow-up is done to
see how well these rules are being followed.

• Incidents related to the Personal Information Protection Law (privacy of


personal information, right to honor, etc.). Deficits have been observed in some
cases, due to ignorance or a lack of awareness. These incidents go unnoticed in

Study on educational platform safety measures Page 55 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

many cases, and only come to light when one of the parties involved reports the
situation; for example, based on complaints from parents, requests for
authorisation to hang photos of their children on school web pages has become
commonplace.

4.3 Risk map

The threats and dimensions or aspects of security documented in the Magerit


methodology are used as a reference 53 . The threats chosen have either been mentioned
by those interviewed at some point during the field work, or have been judged to be the
most important for platforms among all those suggested by the methodology. The threats
have been divided into two large groups: those that occur accidentally or due to human
error, and those that have a different origin. The latter include those originating in natural
and industrial disasters (Table 1).

53
Óp. cit., 45.

Study on educational platform safety measures Page 56 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

Table 1. Risk map: natural and industrial disasters

Threat Description Dimensions


Availability.
Fires: possibility that the fire destroys the system
Service traceability.
resources.
Information traceability.
Fire
Observations: This risk was not considered by any of those interviewed, nor by the
literature, however, the impact in the event it occurs is very high and must not be
neglected.
Availability.
Floods: possibility that water destroys the system
Service traceability.
resources.
Information traceability.
Water damage
Observations: As in the previous case, there is little chance that this would occur,
but the effect can be devastating.
Other disasters resulting from human activity: Availability.
Industrial explosions, collapses, contamination, traffic Service traceability.
disasters accidents, etc. Information traceability.
Observations: Little chance of it occurring, but the effect could be very severe.
Availability.
Computer and/or program malfunctions. Service traceability.
Physical or
Information traceability.
logical
Observations: Malfunctions are relatively rare and are usually quick and easy to
malfunction
solve, which is why the impact is not generally relevant, with the exception of disk
damage, where the impact may be more severe due to the loss of information.
Availability.
The power supply is cut off. Service traceability.
Electrical power Information traceability.
loss
Observations: Except in the event that the power loss lasts a long time, its impact
would be less important.
Availability.
Inadequate Deficiencies in the acclimatization of the sites,
Service traceability.
temperature resulting in excessive heat, cold or humidity.
Information traceability.
and/or humidity
Observations: Important equipment and applications are usually found in safe areas,
conditions
under adequate conditions.
Loss of capacity to transmit data from one site to
another. Typically, this is due to the physical
destruction of the physical means of transport or
Availability.
stoppage at the switching centres, due to
Communication destruction, stoppage or a simple incapacity to
s service failure deal with the traffic being experienced.
Observations: The improvement in telecommunications and the demands imposed
upon the suppliers make this malfunction not very probable, but when it occurs, the
lack of availability gives a poor impression of the supplier or platform manager, and
dissuades the users from using it..
Other services or resources on which the
Interruption of
equipment operation depends; for example, paper Availability.
other services
for the printers, toner, coolant, etc.
and essential
Observations: The frequency with which this threat occurs varies according to the
supplies
resources available at each centre, but the impact is not serious.
Availability.
Degradation of As the result of the passing of time. Service traceability.
the information Information traceability.
storage media Observations: Depending on the sensitivity of the information contained on the
media, the impact may be more or less serious.
Source: INTECO

Study on educational platform safety measures Page 57 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

The other type of risk classification includes those that originate in human mistakes made
by the different users that access the educational platforms, either due to thier use or the
interest that the content or the systems that host them have for them (Table 2).

Table 2. Risk map: errors or human mistakes

Threat Description Dimensions


Mistakes people make when they use the Integrity.
services, data, etc. Availability.
User errors
Observations: The lack of training in ICT on the part of the platform users makes
errors of this type frequent, although they do not tend to be serious.
Availability.
Integrity.
Confidentiality.
Mistakes made by people with installation and
Service authenticity.
operating responsibilities.
Data authenticity.
Administrator Service traceability.
errors Information traceability.
Observations.: In general, administrators are sufficiently qualified to perform their
jobs correctly, but it has been observed that the number of administrators is low,
and the complexity of the requirements and the number of users makes it probable
that this will occur. Due to the privileges that this type of user has, the impact is
noticeable.

Inadequate activity records: missing,


Service traceability.
incomplete, incorrectly dated, incorrectly
Information traceability.
assigned, etc.
Monitoring
errors (log) Observations: It has been seen that sometimes the logs are not saved and that
monitoring is inadequate on occasion, which is why errors are not detected, which
may be serious if an incident occurs that must be investigated (for example,
attempts at an external attack).
Availability.
Integrity.
Entering incorrect configuration data.
Confidentiality.
Practically all assets depend on their
Service authenticity.
configuration, this being the responsibility of
Configuration Data authenticity.
the administrator.
errors Service traceability.
Information traceability.
Observations: Although the responsibility for the systems being correctly configured
so that undesirable events do not occur is well defined, there is a lack of criteria
about the parameters that must be followed.
When it is not clear who has to do exactly
what and when, including taking measures
with regards to assets or informing the Availability.
management hierarchy, errors of omission,
Organisational uncoordinated actions, etc.
deficiencies
Observations: Having persons responsible for security is not commonplace, nor is
access to support service communications channels, which results in the actions
depending on good will or the knowledge that the task is being performed at the
moment.

Study on educational platform safety measures Page 58 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

Threat Description Dimensions


Availability.
Integrity.
Confidentiality.
The innocent spreading of viruses, spyware,
Service authenticity.
worms, trojans, logical bombs, etc
Diffusion of Data authenticity.
harmful Service traceability.
software Information traceability.
Observations: Users do not generally have access to system utilities and, as these
are centralised, incidents of this type are not frequent. However, once a harmful
application of this type enters, it spreads rapidly and has potentially serious
consequences.
Information accidentally reaches persons who
should not have knowledge of it, without the Confidentiality.
information itself being altered.
Information Observations: This is the point in which the large majority of those interviewed
leaks coincide in identifying it as the most critical when dealing with educational platforms.
Information about minors is very sensitive, not only from a legal, but also a social
point of view, which makes any incident that jeopardises its confidentiality very
serious.
Accidental alteration of information. Integrity.

Observations: The environment the minors use is expected to contain correct


Altered information that is appropriate for them, for which reason, although it does not occur
information frequently, the impact of an event of this type may be significant. Furthermore,
platforms contain information regarding academic marks and records where integrity
is also an important factor.

Accidental entering of incorrect information. Integrity.


Entering Observations: As in the previous case, the accuracy of the information found on the
incorrect platform is a basic point that must be met. Given that many users can enter
information information on them, the frequency of this threat occurring is high, and the impact
may be significant.
Accidental deterioration of information. Integrity.
Information
deterioration Observaciones: Due to the lack of maintenance or other causes, the information
may become deteriorated, which causes a notable impact.

Accidental loss of information. Availability.


Destruction of
information Observations: Due to user errors or poor platform processing, information may be
destroyed that, depending on what it is and when it is discovered, may create a
considerable problem.

Revealed as the result of indiscretion or lack


Confidentiality.
of rigour.
Revealing of Observations: This is another manner of betraying the confidentiality of information
information that, in spite of it not being intentional, may create a serious problem. The lack of
sensitivity towards security issues makes this especially relevant in educational
centres.
Defects in the code that result in a defective
Integrity.
operation unintentionally by the user, and with
Availability.
Program consequences for the data integrity or the
Confidentiality.
(software) program's capacity to operate.
vulnerabilities Observations: Those interviewed with a more technical profile indicated that good
code development that results in a quality application that is free of defects is one of
the main factors that guarantee platform security.

Study on educational platform safety measures Page 59 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

Threat Description Dimensions


Absence from the workplace: illness, public
Availability
disturbances, bacteriological warfare, etc
Unavailability of
personnel Observations: It is not a common occurrence, but since not many people are in
charge of the platforms, if someone is missing, there may be a problem with
availability, perhaps for only a certain function.
Defects in the procedures or controls updating
the code that allows programs with known Integrity.
defects that have been repaired by the Availability.
Maintenance manufacturer to continue to be used.
and program
Observations: In spite of all the measures that are taken, programs usually have
(software)
errors that are discovered as they are used, or that occur when they are modified in
updating errors
order to improve their functions or performance. Platforms have numerous programs
and functions that must be adequately maintained in order to avoid expensive
incidents.

Defects in procedures or controls for updating


the equipment that permit them to continue to Availability.
Maintenance be used beyond their rated usage time.
and equipment
(hardware) Observations: Preventing this threat is simpler when there is a central body that
updating errors controls the platform, such as in the case of departments of education, than if the
centres must do this themselves, given that sometimes they do not have specialised
personnel.
The lack of sufficient resources causes the
system to crash when the work load is very Availability.
Down systems high.
due to the
Observations: Platforms have a large number of users and the dynamics of the
depletion of
educational community implies critical dates when many of them come together to
resources
do the same tasks (registrations, evaluations, etc.), which makes this threat
particularly critical.
Integrity.
Confidentiality.
Practically all assets depend on their
Service authenticity.
configuration, this being the responsibility of
Data authenticity.
the administrator: access privileges, activity
Service traceability.
Manipulation of flows, activity records, addressing, etc.
Information traceability.
the
Availability.
configuration
Observations: The position of the administrator and his functions are critical for the
platform to operate correctly. When these functions are centralised, for example, in
the departments of education, there are more guarantees for the users with regards
to both security and functionality, since there will always be a qualified person
overseeing this aspect.
When an attacker is successful in posing as
an authorised user, he enjoys the privileges of Confidentiality.
this person for his own purposes. This threat Service authenticity.
may come from internal personnel, persons Data authenticity.
User identify outside the organisation or by personnel who Integrity.
theft have been temporarily hired.
Observations: This threat is a recurring example of an incident that desirable to
avoid at all costs on an educational platform. It does not occur very frequently, but
the impact may be very high, especially if a student is capable of obtaining teacher
or administrator privileges and can see exams or change grades, for example.

Study on educational platform safety measures Page 60 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

Threat Description Dimensions

Each user enjoys a level of privileges for a


certain purpose. When a user abuses his level Confidentiality.
Abuse of of privileges to perform tasks that do not fall Integrity.
access under his competence, problems occur.
privileges
Observations: In theory, users are clear about their privileges, but some advanced
users may cause this type of problems.
Use of system resources for unanticipated
purposes, typically for personal interests, such
as games, Internet searches, private Availability.
databases, personal programs, storing their
Unanticipated own information, etc.
use
Observations: Platforms have clear and defined functions; even so, a large number
of users make it possible for threats of this type to occur. Due to the restrictions that
exist, an irregularity will be detected right away, and the impact if it does occur will
be minimal.

Sending information to an incorrect recipient


Confidentiality.
and through a system or network that delivers
Integrity.
it where it should not, or through a place it
Service authenticity.
should not. These may be messages between
Redirecting Service traceability.
people, between processes or between both.
messages
Observations: A closed environment like platforms does not lend itself to errors,
intentional or not, of this type. However, if they do occur, they may have an
important impact, given that information confidentiality is jeopardised, which is the
most critical security aspect on platforms.
The attacker gains access to the system
Confidentiality.
resources without authorisation to do so,
Integrity.
typically taking advantage of a system failure
Unauthorised Service authenticity.
regarding identification and authorisation.
access
Observations: If the profile usurped is that of a teacher, the damage may be serious.
To prevent this, authentication systems may be used, such as fingerprints.
The attacker, without the need to enter and
analyse the content of the communications, is
able to draw conclusions based on the Confidentiality.
analysis of the origin, recipient, volume and
Traffic analysis exchange frequency.
Observations: This type of event does not seem to have been detected, either
because no one has looked for it, or because the information that can be intercepted
is not attractive enough. In any case, it is a threat that must be considered, given
that it affects confidentiality.
The attacker gains access to information not
Confidentiality.
Interception of intended for him, without altering it in any way.
information Observations: In an educational environment, there are many opportunities for
(eavesdropping intercepting information, where an interested party may wait for the right moment to
) access this information. As with all threats that affect confidentiality, it must be given
some consideration.

Study on educational platform safety measures Page 61 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

Threat Description Dimensions


Denying a posteriori actions or commitments
occurring in the past.
Related to origin: denying sending or being
the origin of a message or communication.
Service traceability.
Related to reception: denying having received
a message or communication.
Repudiation
Related to delivery: denying having received a
message for delivery to someone else.
Observations: Given that communications are still not a major part of platforms, this
threat is not a serious problem. However, those interviewed pointed out that the
functions related to communication will be those that experience the most growth
over the short to medium term, which makes this threat more important.
Intentional alteration of information with the
Integrity.
intention of obtaining benefit or causing harm.
Information Observations: The few incidents detected have barely had an impact. Many of those
modification interviewed have indicated that the information contained on the platforms does not
seem to be attractive to attackers. If this situation changes, this threat should be
reconsidered.
The entering of false information benefiting
one’s own interests with the intention of Integrity.
obtaining benefit or causing harm.
Entering false Observations: There is usually a strict observance of privileges for each level of
information user, which results in the users authorised to enter information being personnel that
are perfectly qualified to do so, and who may be easily identified, which, in theory, is
a strong deterrent. However, the impact, especially in the case of entering
inappropriate material, may be serious.

Intentional deterioration of information with the


Integrity.
intention of obtaining benefit or causing harm.
Corruption of
information
Observations: As in the previous case, this type of threats is easily detectable and
attributable within such a controlled environment, which is why it is not easy for this
to occur.

Intentional erasing of information with the


Availability.
Destruction of intention of obtaining benefit or causing harm.
information
Observations: An attack of this type may be very damaging, which is why measures
must be taken so that it does not occur.

Revealing information. Confidentiality


Revealing Observations: Since there are so many people involved with the platforms, this is an
information incident that may easily occur, and if the information is relevant or reaches a place it
should not, the damage may be significant.
Confidentiality.
Integrity.
Intentional alteration of program operation,
Service authenticity.
possibly in pursuit of an indirect benefit when
Data authenticity.
Program an authorised person uses it.
Service traceability.
manipulation
Information traceability.
Observations: This type of an attack has not yet been detected. In the event that it
occurs, it may generate significant damage, depending on the information that has
been fraudulently manipulated and what it was used for

Study on educational platform safety measures Page 62 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

Threat Description Dimensions


The lack of sufficient resources causes the
system to crash when the work load is very
Availability.
high. This situation may also be caused by
deliberate external attacks.
Service denial Observations: One characteristic of the platforms is the large number of users that
make use of them, in many cases concurrently, which is why it is important to keep
this threat in mind, since the unavailability of the application discourages the users
from using it. However, platforms are not usually deliberate targets of service denial
attacks.
Equipment theft indirectly causes the lack of
means for service provision, in order words, it
Availability.
creates unavailability. Theft may affect all
Confidentiality.
types of equipment, with computers and
information media being the most common.
Theft Observations: This is a threat that must be considered, given that not all centres
have adequate security and computer equipment continues to be interesting. In
theory, user equipment does not house information; this should be at the data
centre where the platform is housed, for which confidentiality is safeguarded, but
users would not have the means to use the platform for a period of time, with all the
inconveniences that this represents.
Vandalism, terrorism, military action, etc.
This threat may come from internal personnel,
Availability.
persons outside the organisation or by
Destructive
personnel who have been temporarily hired
attack
Observations: A threat of this type, with its high impact in the event that it occurs, is
what makes contingency plans imperatively necessary, so that if this does occur,
normal activity may be resumed within a reasonable period of time.
Confidentiality.
Integrity.
Pressure, by means of threats, placed upon
Service authenticity.
someone to force them to work in with a
Data authenticity.
specific intention in mind.
Service traceability.
Extortion
Information traceability.
Observations: When this threat occurs, we are really speaking of harassment. The
lack of anonymity provided by platforms makes it very difficult for cases of this type
to occur, in addition to the scarce use of communication tools, which are the main
means of performing this type of acts.
Confidentiality.
Abuse of the good faith of persons to perform Integrity.
activities or reveal information (for example, Service authenticity.
access codes) that is of interest to a third Data authenticity.
Social
party. Service traceability.
engineering
Information traceability.
Observations: The high level of knowledge on the part of users about each other
and their trusting relationships greatly favour this type of threat. Users must be very
well trained so that they can distinguish hazardous practices.
Source: INTECO

Each of the threats has been evaluated in terms of the likelihood that it will occur and the
impact it would have, based on a three-point scale (high, medium and low), with the sole
purpose of calculating the risk and identifying what those interviewed have stressed most.

The first classification refers to disasters caused by nature or by industrial errors beyond
the control of individuals. However, as can be seen in Table 3, Threat map for natural and
industrial disasters, although the probability is minimal in most cases, this is not reflected

Study on educational platform safety measures Page 63 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

in the impact that these actions may have on educational platforms. Table 4 shows the
threat map related to human errors. Unlike the data collected in the previous table, human
errors have a great probability of occurring, which means a more serious impact.

Table 3. Threat map for natural and industrial disasters, according to the probability that
they will occur and their impact

Probability Impact
Threat High Medium Baja High Medium Low
Fire X X
Water damage X X
Industrial disasters X X
Physical or logical malfunction X X
Electrical power loss X X
Inadequate temperature and/or
X X
humidity conditions
Communications service failure X X
Interruption of other services and
X X
essential supplies
Degradation of the information
X X
storage media
Source: INTECO

Table 4. Threat map for human errors or malfunctions, according to the probability that they
will occur and their impact

Probability Impact
Threat High Medium Baja High Medium Low
User errors X X
Administrator errors X X
Monitoring errors (log) X X
Configuration errors X X
Organisational deficiencies X X
Diffusion of harmful software X X
Information leaks X X
Altered information X X
Entering incorrect information X X
Information deterioration X X
Destruction of information X X
Revealing information X X
Program vulnerabilities X X
Program maintenance and
X X
updating errors
Maintenance and equipment
X X
(hardware) updating errors
System crashed due to depleted
X X
resources
Unavailability of personnel X X

Study on educational platform safety measures Page 64 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

Probability Impact
Threat High Medium Baja High Medium Low
Manipulation of the configuration X X
Indentity theft X X
Abuse of access privileges X X
Unanticipated use X X
Redirecting messages X X
Unauthorised access X X
Traffic analysis X X
Repudiation X X
Intercepted information X X
Information modification X X
Entering false information X X
Corruption of information X X
Destruction of information X X
Revealing of information X X
Program manipulation X X
Service denial X X
Theft X X
Destructive attack X X
Extortion X X
Social engineering X X
Source: INTECO

4.4 Potential threats

As pointed out in several sections of this report, educational platform safety is not
currently an important problem. However, some of those interviewed painted a picture of a
future that is different, in which security will be compromised to a greater extent. This
evolution will be linked to the generalisation of platform use and the increase in the
functions they support, especially those related to communication and processing more
sensitive information that is interesting to potential attackers.

The feeling of security that we currently experience is not supported by concrete


information, rather by the extremely low number of incidents. It is likely that the absence of
effective incident detection and management systems is hiding the existence of many that
are currently occurring. Furthermore, this sensation of security is also derived from a lack
of analysis of the risks that could make the critical points of this type of application
evident. None of the participants involved in the development and use of platforms has
performed a risk analysis of this type, which means that latent problems may exist that are
yet to be identified.

As previously mentioned in this study, many of those interviewed have commented that
the low number of incidents may increase if the information stored on the platforms
becomes attractive for some reason. The way we use technology changes constantly, and
the information that is stored also varies. Five years ago, no-one considered the possibility

Study on educational platform safety measures Page 65 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

that it was necessary to have to authorise the publication of a photo of their child, but
nowadays, this has become a legal requirement. Since it is not possible at the present
time to predict what type of information will begin to be included on the platforms over the
medium to long term, it is necessary to evaluate the risks to which information is regularly
exposed. In this way, we can begin to make informed decisions about the security
measures that need to be included as the needs change.

Another aspect that does not present serious problems at the moment is availability.
However, given that it is expected that the number of users will grow considerably over
the short to medium term, it will be necessary to conduct a study in order to anticipate the
capacity that systems should have in order to provide quality service at key times when it
is anticipated that important peaks of simultaneous activity will occur (registration,
evaluations, scholarship applications, attendance reporting), due to greater use of
resources or an improvement in the platforms themselves.

Communications were mentioned in several interviews as tools that present the best
possibilities for development over the short term. It is to be expected that within a short
time, users will be provided with powerful means of communication to exchange all types
of data and information. Parallel to this increase in functions, the control mechanisms
aimed at preventing the compromise of information security or users must also be
increased. On one hand, user authentication must be strict, making unequivocal
identification fundamental for all platform users. On the other, we must prevent
interceptions of these communications, sidetracking and delivery errors for potentially
confidential messages, and ensure that the recipients are only those intended.

Study on educational platform safety measures Page 66 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

5 DETECTED NEEDS

The analysis performed in the previous sections has given us an approximate idea of the
setting in which the design, construction, implementation and use of educational platforms
occurs in our country.

This analysis is in line with the study objectives, which as they identify each collective
involved and compare them to the real situation revealed by those interviewed and the
recommendations made by the existing standards, laws and best practices, allow us to
detect the needs that are being created with the emerging use of platforms.

It has been demonstrated throughout the study that it is necessary to continue to promote
security policies for educational platforms. This need is motivated by several factors; all
the same, developers do not believe that a specific security policy is necessary in this
area, since the contents are not subject to possible incidents. Furthermore, given that up
until now there have not been cases in which systems housing platforms have suffered
vulnerabilities, the topic of making them secure has not been considered. In the case of
administrators and users, the level of use and the performance that they may receive from
them is limited by their lack of training. Most experts who participated in the study agree in
pointing out that:

• In order to take maximum advantage of these platforms, it is necessary to consider


and guarantee four basic pillars: connectivity, the availability of technological
resources, the availability of instructional content, and teacher training.

• A serious security incident would damage the credibility of these tools and would
halt development in the sector, as well as the spread of their use.

• Strict compliance with the Personal Information Protection Law and the new
regulations developed from the LOPD (RDLOPD) must be included in the
development requirements for any platform, thereby facilitating the work of the
users and avoiding potential infractions.

• Considering the possible risks associated with access to information (about


families and minors), information confidentiality is obviously a critical aspect that
must be taken into account when designing platform security measures.

• The topic of intellectual property has been identified as a sensitive issue; however,
since so far there have not been any serious consequences, it is an issue that lies
dormant and, in many cases, is ignored. One possible solution to this problem
would be the use of open licenses, such as Creative Commons, for the contents
used by educational platforms.

Study on educational platform safety measures Page 67 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

• The feeling of security that we currently experience is not supported by concrete


information, rather by the extremely low number of incidents. Furthermore, this
sensation is also derived from a lack of analysis of the risks that could make the
critical points of this type of application evident.

Taking into consideration the opinions of experts and the real situation of these platforms,
INTECO has identified the needs that exist over the short, medium and long terms below,
for the following scopes of action:

• Sensitisation, training and information. Users and service providers must be


aware of the need to establish security criteria that cover the aspects of privacy
that may be vulnerable, as well as the educational contents included on the
platforms 54 .

For secure platform development, it is necessary to have trained users 55 at all


levels 56 (students, instructional and non-instructional staff, system administrators,
publishing companies, etc.) in order to guarantee they are used correctly and to
prevent errors from occurring and the possibility of tasks being performed
incorrectly. For this reason, mechanisms for validation must be introduced, about
which the users have been previously trained.

Likewise, dissemination is necessary with regards to this aspect, in order to cover


the issues previously pointed out in both the area of information security and other
areas related to responsible Internet use 57 .

• Regulations. It is necessary to ensure that the regulations already in existence


are being complied with, and guarantee the correct use of information susceptible
to being used for purposes other than those for which they were created.

54
In order to facilitate the development of these criteria, programmes have been initiated in the European Union, such as
Safer Internet Plus, which promote the development of activities along four lines of action

55
Junge, Kerstin, y Hadjivassiliou, Kari (2007): What are the EU and member states doing to address digital literacy? E-
learning Papers, núm. 6. ISSN 1887-1542.
56
In Europe, these efforts consist of initiatives intended to improve digital competence through, for example, including
competences in the curriculum with a wider scope regarding the topics of security and safe Internet navigation (such as the
programme “Ligar Portugal”) and the creation of a network for teachers where they may also receive training on e-learning
tools and develop material in conjunction with others that may be made available to the entire school community (such as
the Opinpolku project). On-line. Available at: http://www.ligarportugal.pt/ y en http://www.opinpolku.com/www/
57
As part of the effort to reach this objective, in the United Kingdom, the British Government’s Educational Communications
and Technology Agency, BECTA, has developed a strategic tool as the result of collaboration among 38 local authorities, 5
regional broadband consortiums and representatives from Scotland, Wales and the European Union. It has been developed
with the idea of facilitating the sharing of best practices and offering support and guidance so that local authorities may
guarantee the on-line security of children and students. It includes numerous recommendations in several areas, among
them, how to develop a secure infrastructure, how to project a security training strategy and the monitoring and
communication of incidents. For more information, see BECTA (2008): Safeguarding children in a digital world. Developing
an LSCB e-safety strategy.

Study on educational platform safety measures Page 68 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

• Cetification and standardisation. The improvements platforms provide must


occur within the centre itself, based on more efficient management of the
administrative workload and instructional resources and/or improvements in
internal communications and those directed towards the outside, through greater
parent involvement in life at the centre and in the learning processes, the
simplification of routine administrative tasks involving the families, such as
authorisations and the standardisation of language and the flow of information 58 .
For this reason, it is necessary to establish standard or to certify the existing best
practices, especially with regards to exchanging information.

Parallel to this increase in functions, the control mechanisms aimed at preventing


the compromise of information security or users must also be increased.

• Function. The spread of educational platform use is a reality and also an


opportunity for developers, the Public Administration and centre administrators to
promote the use of ICTs in teaching, opening up new methods of instruction that
make it possible for students, regardless of whether they are minors or not, to
learn in a safe environment.

The growing use of platforms and the increase in the functions they support,
especially those related to communication and managing more sensitive
information that is interesting to potential attackers, makes it necessary to
establish mechanisms that guarantee their continuity 59 . Since it is not possible to
anticipate at this time what type of information will be incorporated onto the
platforms over the medium to long term, it is necessary to evaluate the risks to
which the information is regularly exposed; in this way, decisions can be made
regarding the security measures that must be incorporated as the needs change.

Another aspect that currently does not present serious problems is availability,
although, since the number of users is expected to grow considerably over the
short to medium term, a study should be conducted concerning the capacity that
the systems must have in order to offer the quality of service that is expected,
independently of whether there are key moments when significant peaks of
concurrent activity may occur (registration, evaluations, scholarship applications,
attendance reporting, etc.).

58
One example of the use of standards adapted to the diversity that exists in platforms, devices and languages that are
used is Intel’s Skoool initiative, based on Skoool™ technology. On-line. Available at: http://www.skoool.com,
http://www.skoool.co.uk y http://www.skoool.es
59
Anticipating the complexity of the issue, in the United Kingdom, BECTA has developed a guide on ICT use security for
educational centres. For more information, see BECTA, ICT (2004): Essential guides for school governors, Safety and
security with ICT.

Study on educational platform safety measures Page 69 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

• Content security. It is important to avoid any possible interception of


communications and message delivery, as these may be confidential. For this
reason, we must ensure the authentication of recipients using information
encryption systems or digital signatures.

However, it is important for procedure to exist in order to manage platforms


correctly for all users, prioritising the management of programme capacity,
updating and patch installation. In addition, the existence of threats makes it
necessary to provide adequate technical and human resources for platform
operation and maintenance tasks so that their operation is optimal at all times and
we avoid the risks that result from poor maintenance.

Study on educational platform safety measures Page 70 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

6 RECOMMENDATIONS AND PROPOSALS

In light of the needs identified in the previous section, we can identify some proposals and
recommendations that the different participants and users of the educational platforms
studied, namely, those from primary and secondary school settings and related services,
should consider with regards to information security. These recommendations should be
kept in mind when:

• Establishing the criteria for platform design.

• Developing and controlling contents and utilities.

• Using the platforms.

In this manner, the security levels currently found within the framework of educational
platforms can be improved.

The recommendations and proposals for improvement that INTECO suggests are:

6.1 Sensitisation, training and information

• Developing sensitisation, training and information programmes for all


educational platform users about topics related to security. Efforts must focus
on training in the areas of diffusion, dissemination and communication. Given the
diversity of the participants, the option of providing the courses remotely might be
considered. Work with students’ parents may be lead from their children’s own
school, which in collaboration with the Public Administration, may organise talks,
workshops or informational campaigns in the schools; distribute documentation in
the form of guides that consider practical aspects of security management;
administer surveys that keep a watch over user satisfaction and also serve to
evaluate their level of knowledge and/or security tools for access not only to
platforms, but also guaranteeing responsible Internet use.

In the case of training based on regulations or even on existing legislation, for


example, the ISO/IEC 27000 family of standards, best practices or the Personal
Information Protection Law, it may be necessary for some official orgnisation to
facilitate this effort through the creation of guides from which aspects relevant to
the school setting and educational platforms may be extracted.

• Training students from within the curriculum in security matters in order to


guarantee the correct use of resources available to them, and so that they become
transmitters of this information within the environment closest to them. The use of

Study on educational platform safety measures Page 71 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

• Using the media to disseminate information. These may become great allies in
any strategy to make the public aware of and sensitive to security issues.

6.2 Regulations

• Focus legislation on the uses that may be made of the information,


demanding that people be held accountable for illicitly accessing information or
who use it in fraudulent or unethical manners, as well as those who compromise
its security though serious negligence in their duties to safeguard or manage it.
Penalising these acts would serve as a strong deterrent.

• Generalise the use of confidentiality agreements in order to protect


information. Those persons who, due to their work or position in the organisation,
will have access to sensitive information, even when the Personal Information
Protection Law and the new regulations developed from the LOPD (RDLOPD) do
not consider it to be high-level sensitive information, should sign a confidentiality
agreement that prevents or at least makes it difficult for hazardous situations to
occur. Another measure that may be taken in this sense it to formalise the return of
assets that have been given to users when their relationship with the organisation
ends, as well as the cancelling of access rights, in order to prevent unauthorised
and potentially hazardous accesses in the event that the individual's exit from the
organisation was not mutually agreed upon.

6.3 Certification and standardisation

Generate functional and technical specifications for the platforms that


include security requirements. In this manner, the standards serve as guides not
only to the purchasers, who know what to require, but also to the developers, who
have a clear idea of what the clients are looking for and expect. Minimum security
requirements should be specified for a correct installation, optimal use and
adequate maintenance of the platforms, resulting in them being managed
efficiently throughout their entire life cycle.

In a similar manner, it would be useful to have international quality and best


practice standards for platform use adapted to what has been identified in this
study, for example, the ISO 27000 series of standards.

• Certify the criteria previously established by the Public Administration or an


entity with recognised prestige. Likewise, the developers must certify the quality of
their work methodologies and the criteria that they use in order to guarantee the

Study on educational platform safety measures Page 72 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

security of their developments. Finally, educational and school administrations


should certify information security management.

6.4 Functionality

• Make platform operation more flexible and operational, which would lead to
their possible self-regulation 60 with the idea that they would internally assume the
standards that must control their activity. This is even more necessary on those
platforms that have been created by mans of different developments, freeware or
proprietary software, which makes it impossible to commonly manage them.

• Improve the physical security for the areas where platforms may be used,
since in many cases it is very easy to physically access them, which makes them
vulnerable to possibly hazardous situations. Equipment that stores sensitive
information or that which might be used to access this type of information should
be located in places that are reasonably protected from unauthorised access. If
this is not possible, for example, in common area in educational centres that are
open to the public, more restrictive logical controls must be established that
prevent access to the applications. Of course, this does not apply to platform
developers, who in any case, should have access controls of their own to ensure
that only authorised personnel may enter the installations and data processing
centres belonging to the departments of education; for this reason, they must be
very restrictive with regards to their access privileges. Besides access control, fire-
proofing measures covered under current legislation must be considered, as well
as other measures intended to prevent damage in the event of natural disasters,
such as floods or wind, which may cause serious problems.

• Manage capacity. Various sections of this study have commented on the concern
raised among those interviewed with a more technical profile regarding the
possibility that the increase of users may cause malfunctions in the system,
causing them to crash due to lack of capacity. This is especially critical in the case
of work peaks within the educational community, such as during registration or
marking periods. For this reason, a significant advance would be for capacity
management to be gradually incorporated within the management of information
systems that are involved in platform use. It is necessary to perform a detailed
tracking of user additions, traffic levels, the periods of greatest use, and in general,
any parameter that might indicate system capacity requirements, in order to be
able to plan for the needs ahead of time. In this manner, the necessary actions
can be established to anticipate the capacity that the users will need and ensure

60
Self-regulation is defined as the voluntary internal control and monitoring process that an organisation has, with the
capacity to perform real analyses of situations.

Study on educational platform safety measures Page 73 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

that the systems remain constantly adjusted to the real use that is being made of
them.

• Give more importance to platform design, in the sense that they must be
designed so that it is more difficult for the users to make mistakes. For example:

o As much as possible, they should not be able to enter incorrect or


inconsistent information.

o There should be logical and even physical separations between the


different user groups with different privilege levels, so that users cannot
access information or applications that they should not, depending on their
profiles.

o Platforms should be intuitive, so that users can familiarise themselves


quickly with them and have no difficulties when using them. They should
also not cause them to make mistakes.

o They must be resistant to user mistakes.

o They must be equipped with help mechanisms that act as the first level of
user support.

o Connection times should be limited, and after a certain period of inactivity,


the user session should be terminated..

• Improve Internet connections, so that they are consistent and secure,


preventing availability failures and hazardous situations, since during malfunctions
or emergencies, the normal procedures are not followed and some security control
may be ignored in favour of a quick solution to the incident.

• Include business continuity management in the normal platform activity


procedures. It has become fundamental for both the educational centres and
technological service companies to have contingency plans in case of network
crashes, violent acts or natural disasters that could prevent normal use of
information and systems. These contingency plans should be designed according
to the platform characteristics and the infrastructure supporting it. In any case,
each organisation's available resources should be considered when designing
them, so that it is feasible to carry them out when necessary. This means that they
should not be especially complex or expensive, rather we should evaluate the
available options in each case. For example, schools might establish agreements
among themselves, in such a way that if one is affected by an incident that

Study on educational platform safety measures Page 74 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

jeopardises their continuity, they can use the installations at another school that
has not been affected.

• Manage incidents. These are so few and far between that the actions taken to
solve them are not recorded. It is important for the Public Administration remain
technologically vigilant by keeping a record of incidents that may identify
vulnerabilities, as well as mechanisms and agreements that this may create with
the Security Forces and Administrations to alert and pursue those causing such
incidents. This does not free the platforms from the responsibility of keeping a
record of vulnerabilities. To accomplish this in a coherent manner, the educational
centres should have mechanisms so that students, instructional staff and
administrators may report potentially harmful incidents. This may uncover many
incidents that are currently undetected. In addition, system administrators must
also have their own mechanisms for informing someone qualified to solve these
incidents, and formal procedures for detecting and managing incidents related to
security and information system malfunctions. There must be formal procedures
that permit finding a solution to the problems that occur, studying the causes
behind them, in order to eliminate them effectively.

6.5 Content security

• Promote the implementation of the necessary solutions to guarantee


computer security, through loans or tax exemptions. Given the enormous
costs related to implementation, maintenance and certification, content security
must be given priority over their costs for platform developers.

• Have security policies and guidelines in the educational centres and the
organisations or businesses that provide infrastructure support to these
centres. In this way, we will unify and improve user practices, maintaining at least
a minimal acceptable level of security. These policies must specify the sanction
received in the case of infractions of this policy.

• Assign human resources to security tasks. This should be done in various


categories:

o In administration and supervision. There must be people who are capable


of coordinating the different tasks and ensuring that the established criteria
are met. The role of spokesperson among the different parties involved
should also be assigned; in other words, from the educational sector, it is
necessary for there to be someone who understands the educational
needs and their technological implications, and who is capable of
transmitting them to those who develop or maintain the platforms so that
they provide adequate service.

Study on educational platform safety measures Page 75 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

- From the developer or platform supplier side, it is necessary for


there to be someone who is capable of understanding not only the
functional requirements, but also the technical, organisational,
instructional, ease of use and security requirements that an application
has that will be used within such a special environment, in order to be
able to collaborate in the design of a platform that meets the
expectations of all the users.

- In the case of public organisations, it is fundamental to have a


person (much like the work performed by the ICT coordinators in the
educational centres) or an entity that may provide an answer to the
needs of the educational community, with coherent requirements and
programmes, in the context of the Information Society within which
minors must be educated.

o In execution. It is important to have sufficient resources to perform the


numerous tasks related to safe platform use: user training and information,
application maintenance, system administration, definition and updating of
security policies, etc.

• Perform risk analyses. These analyses must be performed first and foremost by
the platform suppliers, in order to incorporate security measures into their products
that are intended to reduce the detected risks. Those in charge of purchasing
these applications must also perform them in order to demand the corresponding
security controls and to make an informed decision from a global perspective
regarding the best product for their circumstances.

• Control malicious code attacks. In spite of the fact that platforms have very
closed operating and usage environments, they are not immune to possible
malicious code attacks in any format (viruses, worms, Trojans, etc.). Given that
viruses and other hazards spread very quickly, and often without the end users
even being aware of them, it is very important for the platforms to be equipped with
a quick warning alert system, or if this is not possible, to have professionals who
perform constant supervision, so that an incident of this type does not go
unnoticed. With regards to this point, it is fundamental to have sufficient human
and technical resources that are capable of regularly performing the following
actions:

o Installing and updating the programs that detect and elimine malicious
codes.

o Periodic software revision.

Study on educational platform safety measures Page 76 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

o Information updating.

o Filtering inappropriate contents or malicious code at the origin, preventing


the educational centres from having to perform this task.

If these guidelines are not met, an attack may be successful long enough to cause
irreparable damage to the systems and the information stored on them.

• Perform back-up copies rigorously and on a periodic basis, checking them


regularly to verify that they are correct. All the information necessary to continue to
provide service if it is lost must be saved in these copies. A reasonable frequency
must be determined so that the loss of information is minimal. A second location
should be established so that the copy is not affected in case something happens
in the installations where the equipment is located, in other words, it must be
physically separated from the equipment. When the data and applications are
centralised, it is relatively simple to keep all the information under control and
make back-up copies of the relevant information. On the contrary, when the
information is not centralised, it is necessary to have establish back-up copy
policies at different levels: administrator, operator, user, etc. This should be done
to guarantee that all relevant information has a copy.

• Manage network security. Platforms usually have a complex network


infrastructure, with numerous electronic transactions being performed on them
daily. It is fundamental to apply network controls that are sufficient to guarantee
the security of the information that is transmitted over them, for example: user
authentication methods, network connection control, cryptography, intrusion
detection and firewalls. Their correct use and a centralised network of services
provided by the Public Administration offers a level of security with guarantees,
which is the same for the entire educational community where it operates. This
type of system usually cannot be obtained through individual initiative, due to the
lack of technical means and qualified personnel.

• Perform and manage security audits. This type of audit generates a lot of
relevant information regarding the technical condition of the systems, and they
may detect latent problems that would otherwise not be discovered. Likewise, they
must be systematised in order to guarantee their continuance, regardless of who is
assigned to the task.

• Improve secure user authentication and identification, to eliminate problems


related to “loaning” or forgetting passwords. This would result in more reason to
trust the virtual identity of each user, enabling them to use more functions on a
regular basis. This may be achieved by changing the usual user and password

Study on educational platform safety measures Page 77 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

method, replacing it with other safer systems for accessing applications, such as
biometric devices, or by reinforcing it, for example, by using digital signatures.

Study on educational platform safety measures Page 78 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

APPENDIX I: ORGANISATIONS INTERVIEWED

I Public administrations

• Spanish Information Protection Agency: María José Blanco Antón (General


assistant director of the General Record for Information Protection).

• BECTA: Vanesa Pittard (director of E-strategy).

• National Centre for Educational Information and Communication (CNICE):


Juan José Blanco (head of the Technological Media Service) and Juan Pérez
(head of the Telematic and Development Service).

• INTECO: Marcos Gómez Hidalgo (assistant director of E-confianza at INTECO),


Pablo Pérez San-José (manager of Information Security Observatory) y Javier Rey
Perille (technical of of Information Security Observatory).

• Red.es: Juan Ramón González y María Dolores Gonzalo (coordinators of


Applications, Training and Contents).

II Departments of education

• Andalusia: Rafael García (director of the Advanced Management Centre).

• Castille and Leon: María José Martínez y Javier Fernández (responsible the CyL
Platform Contents).

• Catalonia: Jordi Vivancos (responsible for ICT Projects for Education), Laia Martui
(Legal Support), Jordi Orgue (responsible for ICT Area Systems), Dolores Jiménez
(responsible for Quality in the Area of ICT) and Assumpta Rocosa (director of ICT).

• Extremadura: Vicente Parejo (CT coordinator) and Jesús Francisco Morcillo


(responsible for Systems).

• Madrid: Felipe Retortillo (head of the New Technologies Development


Administration and responsible for the EducaMadrid Platform).

III Platform developers

• Anaya: Carlos San José (director of the Network Contents and Services
Department).

• Cospa-Agilmic: Ignasi Hosta (sales and marketing director) and Xavi Valls
(Systems manager).

Study on educational platform safety measures Page 79 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

• Divisa IT: David Rodríguez (Technology director).

• Grupo Gesfor: José Ruiz (assistant director of Security and Open-Source).

• Grupo SM: José Luis Pastor (Information Systems manager).

• Intel Skoool: Juan Pablo Ferrero (director of Information Society Development for
Intel Spain) and Enrique Celma (director of the Education Sector).

• Santillana: Juan Carlos Bermejo (Technology manager).

IV Computer security companies

• S21 SEC: Antonio Ramos (director of Standards and Best Practices) and Alfonso
del Castillo (director of the Security Technology Area and Managed Security).

V Associations

• Asociación Protégeles [Protect Them Association]: Guillermo Cánovas


(President).

• Confederación Española de Asociaciones de Padres de Alumnos [Spanish


Confederation of Parent and Student Associations] (CEAPA): Pedro Rascón
(Vice President).

• Escuelas Católicas [Catholic Schools]: Alberto Mayoral (ICT manager).

• ISACA: Fernando Hervada (President 2004-2006).

• ISMS Forum Spain: Gianluca d’Antonio (President).

VI Teachers, parents and students

• María Paz Arriaza (mother of primary school students).

• Javier Antonio Puente (ICT coodinator at Doña Jimena Secondary School in


Gijón).

• Group of students at Nuestra Señora de Lourdes School in Valladolid.

VII Others

• Brigada de Investigación Tecnológica de la Policía Nacional [The National


Police’s Technological Investigation Brigade]: Manuel Vázquez López
(Commissioner-head of the Technological Investigation Brigade).

Study on educational platform safety measures Page 80 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

• Grupo de Delitos Telemáticos de la Guardia Civil [The Civil Guard’s


Telematic Crime Group]: Juan Salom (Commander-in-chief).

• Universitat Oberta de Catalunya (UOC): Magí Almiral (director of Educational


Technology) and Françes Rubirosa (responsible for Technological Security).

Study on educational platform safety measures Page 81 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

APPENDIX II: RELEVANT LEGISLATION

I Organic Law 15/1999, 13 December, regarding the Protection of Personal


Information (LOPD)

This law is complemented by the regulation stipulated in Royal Decree 1720/2007.

The Personal Information Protection Law applies to personal information recorded on a


physical medium (including paper) that permits them to be processed and later used by
public and private sectors.

The objective of this law is to guarantee and protect public freedoms and the fundamental
rights of individuals, and in particular, their honour and personal and family privacy where
the processing of personal information is concerned (regardless of whether this is
automated or not).

Personnel who have access to this information are obliges to maintain professional
secrecy with regards to them, and therefore, they must not communicate this information
to third parties for any reason other than that for which they were collected.

Likewise, this personnel must keep in databases that information that is necessary for
them to perform their functions, in other words, the information must not be excessive in
relation to the scope and the determined purposes. Personal information must be precise
and up-to-date, so that they truthfully represent the affected party’s current situation.

Those from whom personal information is requested must be previously, expressly and
clearly informed about:

• The existence of a file or the processing of personal information, the reason the
information was collected and the recipients of this information.

• Whether their response to the questions asked is mandatory or optional.

• The consequences of obtaining this information or refusing to provide it.

• The possibility to exercise one’s rights to access, rectification, cancellation and


opposition.

• The identity and address of the person responsible for handling the information, or
if applicable, their representative.

In order to maintain the confidentiality, integrity and availability of the information, the
Personal Information Protection Law requires there to be a security document with the
regulations and procedures for compliance with the previous points.

Study on educational platform safety measures Page 82 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

The affected parties, persons whose personal information is saved, have a serious of
rights protected by this law.

• The right to information. When the affected party provides his information, he
must be informed about the previous points.

• The right to access, cancellation, rectification and opposition. The affected


party may see the information about himself, change this information so that it is
correct and precise, cancel the information that is saved about him and oppose it
being saved, in this case, with prejudice to the reason for which it was collected.

II Law 32/2003, 3 November, regarding General Telecommunications

This law incorporates the contents of community regulations into the Spanish legal
regulations, fully abiding by the principles contained therein, however, adapting them to
the peculiarities that form part of our law and the economic and social situation in our
country.

This law is intended to regulate telecommunications, which include the exploitation of


networks and the provision of electronic communication services and related resources,
according to Article 149.1.21.ª of the Spanish Constitution.

The objectives and principles of this law are, among others, the following.

• To encourage effective competition in the telecommunications markets.

• To guarantee compliance with the aforementioned conditions and public service


obligations in the exploitation of networks and the provision of electronic
communication services.

• To promote development in the telecommunications sector.

• To make possible the effective use of limited telecommunications resources.

• To defend the interests of users, ensuring their right to access electronic


communications services under adequate conditions of choice, price and quality,
and in the provision of these services, to safeguard the validity of constitutional
rights, in particular, those preventing discrimination; respect for the rights to
honour, privacy, the protection of personal information and secrecy in
communications; the protection of children and youth, and meeting the needs of
groups with special impairments, such as disabled persons. For these purposes,
obligations may be imposed on service providers, in order to guarantee these
rights.

Study on educational platform safety measures Page 83 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

• To support, as much as possible, technological neutrality in regulation.

• To promote the development of the telecommunications product and service


industry.

• To contribute to the domestic electronic communications service market within the


European Union.

III Law 34/2002, 11 July, regarding Information Society and Electronic


Commerce Services

This law regulates the legal control over information society services and their contracting
by electronic means, with regards to service provider obligations and those of parties who
act as intermediaries in the transmission of contents over telecommunication networks.
Likewise, it includes commercial communications by electronic means, the information
before and after the execution of electronic contracts, conditions related to their validity
and effectiveness, and the range of sanctions applicable to information society service
providers.

This law applies to information service providers established in Spain, as well as the
services they provide.

IV Law 59/2003, 19 December, regarding Electronic Signatures

This is a law that regulates electronic signatures, their legal validity and the provision of
certification services.

It shall apply to certification service providers established in Spain and the certification
services that the providers residing or with headquarters in another State offer through a
permanent establishment located in Spain. A certification service provider is considered to
be any individual or legal entity that issues electronic certificates or provides other
services related to electronic signatures.

An electronic signature is a set of information in electronic form, recorded along with or


associated with other data, which may be used as a means of identifications for the
signer.

An advanced electronic signature it that which permits identifying the signer and detecting
any ulterior change in the signed information, which is uniquely linked to the signer and
the information referring to him, and which has been created by means that the signer
may maintain under his exclusive control.

Study on educational platform safety measures Page 84 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

A recognised electronic signature is considered to be an advanced electronic signature


based on a recognised certificate that has been generated using a secure signature
creating device.

A recognised electronic signature shall have the same value with regards to information
recorded electronically as a handwritten signature does with regards to information
recorded on paper.

An electronic document is considered to be that written on an electronic medium which


includes information that is signed electronically.

An electronic signature is one of the means of authentication that those interviewed


mentioned as possible substitutes to the traditional user-password. In addition, given the
previously mentioned increase in services and communications, using an electronic
signature in the transfer of information would be an effective method to guarantee its
security.

V Royal Legislative Decree 1/1996, 12 April, regarding the Intellectual Property


Law

This law stipulates that the intellectual ownership of a literary, artistic or scientific work
belongs to the author, due to the mere act of its creation.

Intellectual property includes personal and property rights, which give the author the full
capacity and the exclusive right to exploit the work, with no more limitations that those
established by law.

Intellectual property rights concern all original literary, artistic and scientific creations
expressed by any medium or format, tangible or intangible, currently known or those that
will be invented in the future, including, among others, the following.

• Books, brochures, forms, letters, written documents and speeches.

• Conferences, forensic reports, academic explanations and any other works of the
same nature.

• Projects, diagrams, models and designs for architectural and engineering works.

• Graphs, maps and designs related to topography, geography and, in a general


sense, to science.

• Photographic works and those produced by a procedure that is similar to


photography.

• Computer programs.

Study on educational platform safety measures Page 85 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

The title of a work, when original, shall be protected as part of it.

Notwithstanding the author’s rights to the original work, the following are also subject to
intellectual property rights:

• Translations and adaptations.

• Revisions, updates and annotations.

• Compendiums, summaries and abstracts.

• Any transformations made to a literary, artistic or scientific work.

Also subject to intellectual property under the terms of Book I of this same law are
collections of the works of others, of information or other independent elements, such as
anthologies and databases that, by the selection or arrangement of their contents,
constitute intellectual creations, notwithstanding any rights that may pertain to these
contents, if any.

The protection recognised in this article for these collections refers only to their structure,
as far as the way in which the selection is expressed or the arrangement of its contents,
but not extending to the contents themselves.

For the purposes of this law, and notwithstanding what was stipulated in the previous
section, databases are considered to be collections of works, data or other independent
elements that are arranged systematically or methodically, and that are individually
accessible by electronic or other means.

The protection given to databases by virtue of this article does not apply to computer
programs used in the manufacture or operation of databases accessible by electronic
means.

This is a matter in which many of those involved recognise that a problem exists, which
since serious incidents have not occurred, remains latent, and in many cases, ignored.
The ease of locating and copying information in digital formats results in this law being
broken habitually and on a daily basis, sometimes involuntarily, by simply being unaware
that the information used is subject to intellectual property rights. This is particularly
serious in the case of teaching staffs, who are the largest consumers and producers of
contents.

VI Law 17/2001, 7 December, regarding Industrial Property

In accordance with this law, the following industrial property rights are granted for the
protection of corporate identities.

Study on educational platform safety measures Page 86 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

• Trademarks.

• Commercial names.

Requests, concessions and other acts or legal dealings that affect the rights indicated in
the previous section must be inscribed in the Trademark Registry, as stipulated by this law
and according to its regulations.

The Trademark Registry covers the entire national territory and is directed by the Spanish
Office of Patents and Trademarks, notwithstanding the jurisdiction in the area of executing
the industrial property legislation that corresponds to the autonomic communities, as
specified under this law.

Property rights to the trademark and the commercial name are acquired by means of a
valid registration performed according to the provisions of this law.

This law has problem that was previously commented on for intellectual property. Content
producers are unaware of the requirements of this law and wrongfully use trademarks and
commercial names, which could end up in a claim being filed by the affected company.

VII Law 20/2003, 7 July, regarding the Legal Protection of Industrial Designs

The objective of this law is to establish the legal framework for the protection of designs
that constitute industrial property.

All designs that meet the requirements established by this law may be protected as
registered designs by their valid inscription in the Design Registry.

Requests, concessions and other acts or legal dealings that affect the design right
requested or registered must be inscribed in the Design Registry, as stipulated by this law
and according to its regulations.

The Design Registry covers the entire national territory and is directed by the Spanish
Office of Patents and Trademarks, notwithstanding the jurisdiction in the area of executing
the industrial property legislation that corresponds to the autonomic communities, as
specified under this law.

VIII Law 30/2007, 30 October, regarding Contracts in the Public Sector

The objective of this law is to regulate contracting in the public sector, in order to
guarantee that it complies with the principles of free access to bidding, publicity and
transparency of proceedings, non-discrimination and equality in treatment among
candidates, and related to the objective of budgetary stability and cost control, to ensure
an efficient use of funds allocated for public works, the acquisition of goods and the
contracting of services through the requirement for prior definition of the needs to be met,

Study on educational platform safety measures Page 87 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

safeguarding free competition and the selection of the economically most advantageous
offer.

Also subject to this law is the regulation of the legal framework that applies to the effects,
compliance and termination of administrative contracts, with regards to the institutional
purposes of a public nature that they aim to achieve.

IX Organic Law 1/1996, 15 January, regarding the Legal Protection of Minors

This law provides a vast legal framework for protecting minors, linking all public authorities
and institutions specifically related to minors, parents and other relatives, and citizens in
general.

The rights of minors that are covered by this law are:

• Those recognised by the Constitution and international treaties to which Spain


forms part. The public authorities must guarantee that the rights of minors are
respected and adapt their actions to the current law and the aforementioned
international regulations.

• The right to honour, privacy and one's own image. This right also includes the
sanctity of the family home and correspondence, as well as the secret of
communications, the diffusion of information and the use of images or names of
minors in the media. Parents, guardians and the public authorities must respect
these rights and protect them from possible attacks by third parties.

• The right to information. Minors have the right to look for, receive and use
information appropriate to their development. Parents, guardians and public
authorities must ensure that the information that minors receive is adequate, and
the public administrations must provide incentives for the production and diffusion
of informational materials and facilitate access of minors to information services.

• Ideological freedom. The minor has the right to the freedom of ideology,
conscience and religion. Parents and guardians have the right and the duty to
cooperate so that the minor exercises this freedom in a way that contributes to his
comprehensive development.

• The right to participation, association and gathering. Minors have the right to
participate fully in the social, cultural, artistic and recreational life found in their
surroundings.

• The right to freedom of expression. Minors benefit from the right to freedom of
expression under the constitutionally stipulated terms, including the publication
and distribution of their opinions, the publication and production of means of

Study on educational platform safety measures Page 88 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

dissemination, and the access to aid established by the public administrations for
this purpose.

• The right to be heard. Minors have the right to be heard in both a family setting
and in any other administrative or judicial proceeding in which they are directly
involved and that leads to a decision that would affect their personal, family or
social surroundings.

The Minor Protection Law is an important source of requirements for digital platforms.
They must be designed, developed, implemented and managed in such a way that
guarantees the rights represented in this law. In addition, it is an opportunity for
developers, the Administration and school administrators to promote new uses of ICTs in
teaching, opening new doors to instructional modes that make it possible for a minor to
really exercise his rights in a secure environment.

Study on educational platform safety measures Page 89 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

APPENDIX III: BIBLIOGRAPHY

I Public administration

• Spanish Information Protection Agency (2006): Plan sectorial de oficio a la


enseñanza reglada no universitaria. [Professional sector plan for the non-
university required curriculum.] Madrid, AEPD.

• Spanish Information Protection Agency (2008): Documento de trabajo 1/08 sobre


la protección de datos personales de los niños (directrices generales y el caso
especial de los colegios). [Working document 1/08 on the protection of the
personal information belonging to children (general directives and the special case
of schools).]. On-line. Available at:
https://www.agpd.es/upload/Canal_Documentacion/Internacional/wp_29/menores_
es.pdf

• BECTA, ICT (2004): Essential guides for school governors safety and security with
ICT.

• BECTA: http://www.becta.org.uk/research

• BECTA (2006): Learning platform functional requirements. Versión 1.

• BECTA (2006): Learning platform technical specifications. Versión 1.

• BECTA (2008): Safeguarding children in a digital world. Developing an LSCB e-


safety strategy.

• EUROPEAN COMMISSION (1996): Informe: el multimedia educativo. [Report:


Educational multimedia.] Luxembourg: European Commission. On-line. Available
at: http://www.echo.lu

• EUROPEAN COMMISSION (2000): Informe: e-learning; concebir la educación del


futuro. [Report: E-learning; conceiving the education of the future.] Luxembourg:
European Commission.

• EUROPEAN COMMISSION: Proyecto Safer Internet Plus. On-line. Available at:


http://ec.europa.eu/information_society/activities/sip/index_en.htm

• EUROPEAN COMMISSIO: E-learning program. On-line. Available


at:http://ec.europa.eu/education/archive/elearning/index_en.html

• EUROPEAN COMMISSION: eTwinning. On-line. Available at:


http://www.etwinning.net/ww/en/pub/etwinning/

Study on educational platform safety measures Page 90 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

• EUROPEAN COMMISSION European Computer Driving License Programme. On-


line. Available at: http://www.ecdl.com/publisher/index.jsp

• EUROPEAN COMMISSION Directorate-General Information Society and Media


(2007): Safer Internet For Children Qualitative Study In 29 European Countries -
National Analysis: Spain. Abril.

• FEDERAL OFFICE FOR INFORMATION SECURITY (BSI) (2004): The IT


Baseline Protection Manual. On-line. Available at:
http://www.bsi.bund.de/english/gshb/manual/download/pdfversion.zip

• INTECO: “Estudio sobre la seguridad de la información y e-confianza de los


hogares españoles. Primera oleada (diciembre de 2006-enero de 2007)[Study on
information security and e-confidence in Spanish homes. First wave (December
2006-January 2007)]. On-line. Available at: http://www.observatorio.inteco.es

• INTECO Estudio sobre la seguridad de la información y e-confianza de los


hogares españoles. Tercera oleada (mayo-julio de 2007). [Study on information
security and e-confidence in Spanish homes. Third wave (May-July 2007)]. On-
line. Available at: http://www.observatorio.inteco.es

• INTECO Política de contraseñas y seguridad de la información. [Password policy


and information security.] On-line. Available at: http://www.observatorio.inteco.es

• Red.es: Informe sobre la implantación y uso de las TIC en los centros docentes de
Educación Primaria y Secundaria (curso 2005-2006). [Report on the
implementation and use of ICTs in Primary and Secondary schools (2005-2006
school year).]

• Red.es: Proyecto Internet en el Aula (2005-2008). [Classroom Internet Project


(2005-2008).] http://www.red.es/actividades/internet_aula.html

• Red.es: Proyecto Enseña (2007-2008). [Project Teach (2007-2008).]


http://www.red.es/actividades/ensena.html

• Red.es y Centro Nacional de Información y Comunicación Educativa (CNICE)


(2007): Informe sobre la implantación y uso de las TIC en los centros docentes de
Educación Primaria y Secundaria (curso 2005-2006). [Report on the
implementation and use of ICTs in Primary and Secondary schools (2005-2006
school year).] Madrid. On-line. Available at
http://www.oei.es/TIC/DocumentoBasico.pdf

Study on educational platform safety measures Page 91 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

• Organización de las Naciones Unidas para la Educación, la Ciencia y la Cultura


(UNESCO) (2008): Estándares de competencia en TIC para docentes. On-line.
Available at: http://cst.unesco-ci.org/sites/projects/cst/default.aspx

• Organización de las Naciones Unidas para la Educación, la Ciencia y la Cultura


(UNESCO) (2008): Policy Framework; Competency Standards Modules e
Implementation Guidelines. ICT Competency Standards for Teacher. On-line.
Available at: http://cst.unesco-
ci.org/sites/projects/cst/The%20Standards%20SP/Forms/AllItems.aspx

• Universitat Oberta de Catalunya (UOC) (2004): Formación universitaria y TIC:


nuevos usos y nuevos roles. [University training and ICT: new uses and new
roles.] On-line. Available at: http://www.uoc.edu/rusc

II Associations

• APCI Y PROTÉGELES (2002): Seguridad infantil y costumbres de los menores en


internet. [Childhood safety and the habits of minors on the Internet.] On-line.
Madrid, The Child Advocate in the Community of Madrid. Available at:
http://www.protegeles.com/costumbres.asp

• MAIL ABUSE PREVENTION SYSTEM (MAPS): Asociación internacional de lucha


contra el spam. [The international association for the fight against spam.] On-line.
Available at: http://www.mail-abuse.com/

III Academic studies

• CASEY, H.; HARRIS, J., Y RAKES, G. (2001): Why change? Addressing Teacher
Concerns toward Technology.

• CHIANN-RU, S. (2002): “Literature review for hypermedia study from an individual


learning differences perspective”, en British Journal of Educational Technology, 33
(4), 435-447.

• FERRÁNDEZ, ADALBERTO (1996): “El formador en el espacio educativo de las


redes”, [“The instructor in the educational spaces on the networks”], in Educar, 20,
43-67.

• GILL, T. (ed.) (1996): Electronic children. How children are responding to the
informations revolution. Londres, National Children Bureau.

• IES DOÑA JIMENA (2007): Informe de evaluación III: curso 2006-2007.


[Evaluation report III: 2006-2007 school year.] Member of the Advanced
Educational Technologies Use Centres project. Gijón, Asturias.

Study on educational platform safety measures Page 92 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

• JONES, A. (2004): A review of the research literature on barriers to the uptake of


ICT by teachers. British Educational Communications and Technology Agency
(BECTA).

• LAJOIE (2002): Computers as cognitive tools. Hillsdale, Erbaulm.

• LEE, C.; CHENG, Y.; RAI, S., Y DEPICKERE (2005): “What affect student
cognitive style in the development of hypermedia learning system?”, en Computers
& Education, 45, 1-19.

• MARCHESI Y MARTÍN (2003): Tecnología y aprendizaje. Investigación sobre el


impacto del ordenador en el aula. [Technology and learning. Research on the
impact of computers in the classroom.] SM Group.

• MARQUÉS, P. (2005): Las TIC y sus aportaciones a la sociedad. [ICTs and their
contributions to society.] UAB.

• NEGROPONTE, N. (1995): El mundo digital. [The digital world.] Barcelona,


Ediciones B.

• NEWHOUSE, P. (2002): Literature review. The impact of ICT on learning and


teaching. Western Australia, Specialist Educational Services.

• SIGALES, C. (2004): Formación Universitaria y TIC: nuevos usos y nuevos roles.


[University training and ICT: new uses and new roles.] On-line. Available at:
http://www.uoc.edu/rusc/dt/esp/sigales0704.pdf

IV Legislation and standards

• Law 17/2001, 7 December, regarding Industrial Property.

• Law 34/2002, 11 July, regarding Information Society and Electronic Commerce


Services

• Law 20/2003, 7 July, regarding the Legal Protection of Industrial Designs.

• Law 32/2003, 3 November, regarding General Telecommunications

• Law 59/2003, 19 December, regarding Electronic Signatures.

• Law 30/2007, 30 October, regarding Contracts in the Public Sector.

• Organic Law 1/1996, 15 January, regarding the Legal Protection of Minors.

Study on educational platform safety measures Page 93 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

• Organic Law 15/1999, 13 December, regarding the Protection of Personal


Information.

• Royal Decree 1631/2006, 29 December, which establishes the minimum


instruction corresponding to education.

• Royal Legislative Decree 1/1996, 12 April, regarding the Intellectual Property Law.

• MAGERIT (2006): Metodología de análisis y gestión de riesgos de los sistemas de


información. [Information system risk analysis and management methodology.]
Public Administration Ministry, version 2.0. On-line. Available at:
http://www.csi.map.es/csi/pdf/magerit_v2/metodo_v11_final.pdf

• NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (2001): NIST


Handbook An Introduction to Computer Security. Special Publication 800-12.

• NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (2002):


Contingency Planning Guide for Information Technology Systems, SP 800-34
NIST. On-line. Available at: http://csrc.nist.gov/publications/nistpubs/800-
34/sp800-34.pdf

• NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (2006): Guide for


Developing Performance Metrics for Information Security, SP 800-80 NIST’s
Computer Security Division, 4 may. On-line. Available at:
http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-80

• NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY: An Introduction to


Computer Security: The NIST Handbook, Special Publication 800-12.

V Security providers

• ÁLVAREZ, G., Y PÉREZ, P. (2004): Seguridad informática para empresas y


particulares. [Computer security for businesses and private individuals.] McGraw-
Hill.

• JUNGE, KERSTIN, Y HADJIVASSILIOU, KARI (2007): What are the EU and


member states doING To address digiTAL LITERACY? E-learning Papers, núm. 6.
ISSN 1887-1542.

• TELEFÓNICA DE ESPAÑA, GRUPO DE INVESTIGACIÓN CIVÉRTICE,


UNIVERSIDAD DE NAVARRA Y EDUCARED (2007): Generaciones interactivas
en Iberoamérica. Niños y adolescentes frente a las pantallas. Retos educativos y
sociales. [Interactive generations in Iberoamerica. Children and adolescents in
front of the screens. Educational and social challenges.]

Study on educational platform safety measures Page 94 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

VI Qualitative methodology

• ALONSO, L. E. (1998): La mirada cualitativa en sociología. [The qualitative


approach in sociology.] Madrid, Fundamentos.

• FAGES, J. B. (1990): Comunicación entre personas en grupo (trad.),


[Communication among people in groups] (trans.), Toulouse. Privat.

• LESY, M. (1976): Real Life: Louisville in the Twenties. Nueva York, Pantheon.

• TAYLOR, S. J., Y BOGDAN, R. (1998): Introducción a los métodos cualitativos de


investigación. [Introduction to qualitative research methods.] Barcelona, Paidós.

• WAX, R., (1971): Doing Fieldwork: Warnings and Advice. Chicago, University of
Chicago Press.

• WEBB, E.; CAMPBELL, D.; SCHWARTZ, R., Y GROVE J. (1996): Nonreactive


Measures in the Social Sciences. Boston, Houghton Mifflin

Study on educational platform safety measures Page 95 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

LIST OF TABLES

Table 1. Risk map: natural and industrial disasters ...........................................................57

Table 2. Risk map: errors or human mistakes ...................................................................58

Table 3. Threat map for natural and industrial disasters, according to the probability that
they will occur and their impact..........................................................................................64

Table 4. Threat map for human errors or malfunctions, according to the probability that
they will occur and their impact..........................................................................................64

Study on educational platform safety measures Page 96 of 97


Information Security Observatory
Instituto Nacional
de Tecnologías
de la Comunicación

http://www.inteco.es

http://observatorio.inteco.es