Why Do You Need a Security Policy?

Who is responsible for securing an organization's information? Perhaps the Research and Evaluation
department? Not exactly. The Management Information System (MIS) staff? Wrong again. Ultimately,
it is not only individual employees or departments that are responsible for the security of confidential
information, but also the institution itself. It is, therefore, incumbent upon top administrators, who are
charged with protecting the institution's best interests, to ensure that an appropriate and effective
security policy is developed and put into practice throughout the organization.

While policies themselves don't solve problems, and in fact can actually complicate things unless they
are clearly written and observed, policy does define the ideal toward which all organizational efforts
should point. By definition, security policy refers to clear, comprehensive, and well-defined plans, rules,
and practices that regulate access to an organization's system and the information included in it. Good
policy protects not only information and systems, but also individual employees and the organization as
a whole. It also serves as a prominent statement to the outside world about the organization's
commitment to security.

It Really Happens!

Like many people, Fred Jones thought he had a difficult job. As the Information Systems Manager in a
small school district, he was responsible for operating a district-wide computer network--everything
from installation and maintenance to user support and training. While it was clearly not a one-man job,
he was his own one-man staff. Fred had tried to explain to his superintendent that the district's network
was vulnerable to a range of threats because his small budget and non-existent staff prevented him
from handling system security effectively, but his warnings had always been ignored.

One morning at a staff meeting, and much to Fred's surprise, the superintendent announced that he had
read a newspaper article about a student breaking into a neighboring school district's computer system
and changing report card records. The boss proceeded to declare that Fred was now being charged with
developing and instituting a computer security policy for the school district.

As soon as the meeting was over, Fred approached the superintendent to request an appointment for
them to discuss a shared vision for development of the security policy. "Effective security policy requires
input and commitment from the whole organization, so I think we should sit down and map out a plan
for developing our security policy," Fred asserted.

But the superintendent declined the invitation to participate in the policy-development process. "Fred,
I'm just too busy to get involved in this project. I trust you to do a job that will make us all proud." When
Fred asked about expanding his staff and budget to meet the increased workload, the superintendent
again dismissed the issue. "Fred, times are tough and the budget is lean. Maybe next year we'll be able
to work something out. In the meantime, you get cracking on securing our system as if your job depends
on it... in fact, I guess your job does depend on it."

Fred watched his unrealistic, if well-intentioned, boss walk away, realizing that his job was no longer
difficult, but truly impossible. He was now expected to develop, institute, manage, and monitor an
organization-wide security policy without assistance, consent, or buy-in from a single employee, much
less empowered high-level administrators. He knew that the organizational support he failed to receive
meant that there was little chance of his being able to effectively secure the system--and that it was just
a matter of time before a significant breach in system security would take place. Fred found himself in
the terrible position of being responsible for stopping the inevitable, yet powerless to do so.

Commonly Asked Questions

Q. What does this document have to offer that experienced education policy-makers don't already
know?

A. Experienced policy-makers certainly bring a great deal of skill to security policy development. But in
many ways, security policy is different from other forms of more traditional policy--it requires policy-
makers to think like data entry clerks, MIS staff, research and evaluation specialists, legal counsel,
building administrators, teachers, and so on. Many of the procedural guidelines included here will
already be appreciated by seasoned policy-makers, but this document tailors the information so that it
can be more readily applied to the specific concerns of information and system security--an area of
expertise not always held by educational administrators and policy-makers.

Q. Isn't policy written at the district and state level?

A. Yes, but not exclusively. Whoever is in charge of a site (be it a building, campus, district, or state
education agency) must be concerned about protecting sensitive information and critical systems that
can be accessed from within that site. This concern is articulated through security policies that are
designed to regulate access and protect information and systems as circumstances within the
organization specifically warrant.

Q. Shouldn't expert technology consultants be hired to do the job?

A. There certainly are roles for expert consultants when instituting security policy: they could be hired as
general technical support or they might be useful in offering advice about countermeasures (e.g., a
password system). But generally speaking, the chief educational administrator and his or her employees
need to shoulder the responsibility of protecting their system because, after all, it is their system. They
are the people who know it best and they will be the ones who have to implement adopted security
policy. Outside contractors, while certainly capable of lending expertise to the process, cannot take the
place of committed and informed staff.

How to Develop Policy

Tenable security policy must be based on the results of a risk assessment as described in Chapter 2.
Findings from a risk assessment provide policy-makers with an accurate picture of the security needs
specific to their organization. This information is imperative because proper policy development
requires decision-makers to:

Identify sensitive information and critical systems

Incorporate local, state, and federal laws, as well as relevant ethical standards

Define institutional security goals and objectives

Set a course for accomplishing those goals and objectives

Ensure that necessary mechanisms for accomplishing the goals and objectives are in place

In this way, legal and regulatory concerns, organizational characteristics, contractual stipulations,
environmental issues, and user input can all be incorporated into policy development. Effective security
policy synthesizes these and other considerations into a clear set of goals and objectives that direct staff
as they perform their required duties.