The educational process concerns the most vulnerable members of society – children and adolescents – who are less protected from propaganda.
Therefore, the information security system of an educational institution should not only ensure the safety of databases and confidential information contained in them, but also guarantee the impossibility of access to the walls of the school and institution of any propaganda, both illegal and harmless, but impacting the consciousness of students in secondary and higher education institutions.
The concept of information security of an educational institution includes a system of measures aimed at protecting the information space and personal data from accidental or intentional penetration in order to steal any data or make changes in the configuration of the system.
The second aspect of the concept will be the protection of the educational process from any information having the character of propaganda prohibited by law, or any type of advertising.
There are three groups of legally protected information held by an educational institution:
- Personal data concerning students and teachers, digitized archives;
- The know-how of the educational process, which is intellectual property and protected by law;
- Structured learning information that supports the educational process (libraries, databases, training programs).
All this information can not only be the object of theft. Intentional intrusion into them can jeopardize the safety of digitized books, destroy knowledge repositories, and make changes in the code of the programs used for training.
It should be the responsibility of those responsible for protecting information to preserve the integrity and integrity of the data and to ensure that it is maintained:
- Availability at all times to any authorized user;
- protection against any loss or unauthorized alteration;
- confidentiality, inaccessibility to third parties.
Information security threats
The peculiarity of the threats is not only the possibility of data theft or damage to arrays by some deliberately acting hacker groups, but also the activity of teenagers intentionally, maliciously or incorrectly able to damage computer equipment or introduce a virus.
There are four groups of objects that may be subject to intentional or unintentional exposure:
- Computer equipment and other hardware that may be damaged by mechanical impact, viruses, or other reasons;
- Programs used to keep the system up and running or in the educational process that may be affected by viruses or hacker attacks;
- data stored on hard disks as well as on separate media;
- the personnel responsible for the operation of IT systems;
- Children who are exposed to external aggressive information influences and who are able to create a criminal situation at school. Recently, the list of such situations has expanded significantly, which indicates a possible targeted psychological attack on the minds of children and adolescents.
Threats aimed at damaging any component of the system can be either accidental or deliberate. Threats that do not depend on the intent of staff, students or third parties include.
- any emergency situation, such as a power failure or flooding;
- Human error;
- Software malfunctions;
- Equipment failure;
- Problems in the operation of communication systems.
All these threats to information security are temporary, predictable and easily addressed by staff and intelligence services.
most cases cannot be foreseen. Students, employees, competitors, third parties with the intent to commit cybercrime may be the culprits.
To undermine information security, such a person must be highly qualified in the way computer systems and programmes operate. The most dangerous are computer networks whose components are separated from each other in space. Disruption of communication between the components of the system may lead to a complete disruption of its operation.
An important problem may be copyright infringement, intentional theft of someone else’s work. Computer networks are seldom subject to external attacks in order to influence the minds of children, but this is not excluded. And the most serious danger will be the use of school equipment to involve children in crime and terrorism.
From the point of view of penetration into the perimeter of information security and to commit theft of information or create a violation in the operation of systems, unauthorized access is required.
Methods of unauthorized access
Several types of unauthorized access can be distinguished:
- Human. Information can be stolen by copying to temporary storage media, or sent by email. In addition, if you have access to the server, changes to the databases can be made manually.
- Software. Special programs are used for data theft, which provide copying of passwords, copying and interception of information, redirection of traffic, decryption, changes in the work of other programs.
- Hardware. It is connected either with the use of special technical means, or with the interception of electromagnetic radiation through various channels, including telephone channels.
The fight against various types of information security attacks must be conducted on five levels, and the work must be comprehensive. There are a number of methodological developments that will help to build the protection of an educational institution at the necessary level.
Regulatory way of protecting information security
The Russian Federation has adopted the National Strategy of Action for Children, which defines the degree of threats and measures to protect the safety of children. Actions to limit the aggressive impact on the child’s consciousness should be the main ones. The second place should be occupied by ensuring the safety of databases.
Information protection is based on the laws in force in this area, which define individual data sets as subject to protection.
They highlight information that should be inaccessible to third parties for a variety of reasons (confidential information, personal data, commercial, business or professional secrecy).
The order of protection of the personal data is defined including by the federal law “About the information”, the Labour code. They and the Civil Code help to develop a methodology to ensure the protection of information related to commercial secrets.
Except for laws it is necessary to allocate the state standards operating in this sphere, defining an order of protection of the data, and techniques and hardware applied for these purposes.