Education Organization Baseline Control Protection and Trusted
Level Security
Wasim A. Al-Hamdani, PhD
Information Security Lab
Division of Computer and Technical Sciences
Kentucky State University, Frankfort, KY 40601
Phone: (502)597-6728, Fax (502)597-5763
wasim.al-hamdani@kysu.edu
ABSTRACT
Many education organizations have adopted enterprise security
best practices for implementation on their campuses, while
others focus on the ISO Standard and/or the
National Institute of Standards and Technology.
All these adoptions depend on
IT personnel and their experience or knowledge of the standard.
On top of this is the size of the education organization. The
larger the population in an education organization, the clearer
the problem of information and security becomes. Thus,
they have been obliged to comply with information security
issues and adopt the national or international standard. The
case is quite different when the population size of the
education organization is smaller. In such education
organizations, they use social security numbers as student ID,
and issue administrative rights to faculty and lab managers – or
they are not aware of the –
The problem of education organization security is
wide open and depends on the IT staff and their information
security knowledge. In addition, the education culture
(education, scholarships and services) has very special
characteristics that differ from those of an enterprise or
comparable organization.
This paper is part of research to develop an “Education
Organization Baseline Control Protection and Trusted Level
Security.” The research has three parts: Adopting
(standards), Testing and Modifying (if needed).
The baseline control criteria cover the
following topics: management control, operational control,
logic control, physical control and development and
maintenance control. This paper is concerned with the first
two controls.
Definition: for the
purpose of this research, the following definition will be used:
Education organization: a university campus, technical
college, or high school that includes several education units
(department, college), with four different types of personnel:
faculty, staff, students and administration.
EOBC stands for
Education Organization Baseline Control.
Keywords: Information security,
information security control, information security baseline,
security trusted level, education organization, education
environment, campus information security, information security
education, information security infrastructure