Two emails arrived at the same time last week, which reminded me to write about the issue of data security.
The first email was Becta's ictadvicealert email (sign up here), which reminded readers about their information security guidance for schools, or as they put it, "What your school should be doing to protect personal information and minimise the risk of data being misused". I took a look at the guidelines, and thought it was worth repeating the five key bullets here:
School management teams should take urgent steps to ensure data controllers in their institutions follow this guidance:
- All data should be kept safe and made available only to those who are authorised to access it.
- Do not remove sensitive or personal data from the school premises unless this is part of your school’s security policy, for example where backups are being taken off site. In this case make sure that the media used has been encrypted and is transported securely for storage in a secure location.
- When data is required by an authorised user from outside of the school premises – for example by a teacher working from their home – we recommend that they have remote secure access to the management information system (MIS) or learning platform, where this is available.
- Protect all desktop, portable and mobile devices, including media, used to store and transmit personal information using approved encryption software.
- Delete sensitive or personal data when it is no longer required.
The second email was from a colleague working in the Government team of Microsoft, about the work we've been doing with the CESG. CESG are the Information Assurance (IA) arm of GCHQ and are based in Cheltenham. As the UK Government’s National Technical Authority for Information Assurance, they're responsible for “enabling secure and trusted knowledge sharing to help government organisations to achieve their business aims”. The CESG worked with us to create the Government Assurance Pack (GAP) configurations of Windows Vista and its BitLocker functions.
According to John Widdowson, CESG Director, “Our early collaboration with Microsoft has made it possible for CESG to endorse the rapid adoption of Windows Vista by the UK Public Sector. This means that the benefits of the product, which raises the bar in terms of information security, can be realised some 15-24 months earlier than would normally be expected.”
BitLocker Drive Encryption is our full volume disk encryption component, supplied with Windows Vista Enterprise. CESG, after examining our source code and development methods, is in a position to deem BitLocker Drive Encryption suitable for protecting the majority of UK Government data on a hard disk. This assessment of BitLocker addresses the needs of approximately 80% of government information security requirements. The general examination of Windows Vista has enabled the development of a UK Government-specific configuration of Windows Vista, using tailored group policy and Microsoft best practices, known as the Government Assurance Pack (GAP).
Which means what?
1) The advice about information security guidance puts the onus firmly on the school’s data controllers (is that you?)
2) Sensitive and personal data leaving the school premises must be encrypted
3) The BitLocker encryption in Windows Vista Enterprise/Ultimate versions meets the standards of CESG, part of GCHQ
How good is that – I get to write “encryption”, “GCHQ” and “teacher” in the same article? But if it’s good enough for them, it’s good enough for me.