Page 22 - The Edge - Spring 2018

MAINTAINING CONFIDENTIALITY
CONTINUED FROM PAGE 21

does it go away? Access to certain information should be removed when an employee transfers to another school. Attendees were asked about their system for notifying key people when someone leaves their job. For example, how do you let all appropriate people know about removing someone’s access? It was also recommended to document when someone’s access is reduced or increased.

Where someone works in a school district can determine access. And regardless where someone works, Sanders recommended locking your computer from prying eyes, even if you leave your desk for only 15 minutes.

McLaughlin told of a situation where different levels of security were provided to multiple assistant superintendents. Apparently each of them wanted full access, which was deemed unnecessary. To resolve such issues, McLaughlin recommended getting “the right people at the table.”

The crux of the access issue relates to the “Why” question – data risk, exposing all of the school district’s information. In some cases, student records have been changed. That’s considered a big deal.

Data that becomes exposed can be harmful to parents, vendors and employees, Sanders said. Banks have all sorts of personal information, including Social Security numbers. Banks are the most responsible when it comes to keeping its data secure, Sanders said, adding, “The weakest link is you.”

Everyone is responsible for doing what they can to keep their data secure and confidential. When it comes to who is accountable, Sanders said IT and the system owners are. “We need to put up controls,” he said. “We’re going to be the scapegoats.”

AASBO members were encouraged to obtain a copy of the National Institute for Standards and Technology publication (NIST sp800-53) – Security and Privacy Controls for Information Systems and Organizations at www.nist.gov. Sanders said, “It provides a catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the nation from a diverse set of threats including hostile attacks, natural disasters, structural failures, human errors, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk.”

Sanders cautioned that hostile attacks on a computer system are not necessarily from the outside. They can be from within, he said. Controls need to be flexible. “They’re not written in stone,” Sanders said.

The ultimate goal is: “We need to ensure the confidentiality of our data.”


















































