It is, therefore, incumbent upon top administrators, who are charged with protecting the institution's best interests, to ensure that an appropriate and effective security policy is developed and put into practice throughout the organization. Ultimately, it is not only individual employees or departments that are responsible for the security of confidential information, but also the institution itself.
As the Information Systems Manager in a small school district, he was responsible for operating a district-wide computer network--everything from installation and maintenance to user support and training.
"Fred, I'm just too busy to get involved in this project. I trust you to do a job that will make us all proud." When Fred asked about expanding his staff and budget to meet the increased workload, the superintendent again dismissed the issue. "Maybe next year we'll be able to work something out."
Fred had tried to explain to his superintendent that the district's network was vulnerable to a range of threats because his small budget and non-existent staff prevented him from handling system security effectively, but his warnings had always been ignored.
One morning at a staff meeting, and much to Fred's surprise, the superintendent announced that he had read a newspaper article about a student breaking into a neighboring school district's computer system and changing report card records.
They are the people who know it best and they will be the ones who have to implement adopted security policy.
Outside contractors, while certainly capable of lending expertise to the process, cannot take the place of committed and informed staff.
Many of the procedural guidelines included here will already be appreciated by seasoned policy-makers, but this document tailors the information so that it can be more readily applied to the specific concerns of information and system security--an area of expertise not always held by educational administrators and policy-makers. This concern is articulated through security policies that are designed to regulate access and protect information and systems as circumstances within the organization specifically warrant.
There certainly are roles for expert consultants when instituting security policy: they could be hired as general technical support or they might be useful in offering advice about countermeasures (e.g., a password system). But generally speaking, the chief educational administrator and his or her employees need to shoulder the responsibility of protecting their system because, after all, it is their system.
Good policy protects not only information and systems, but also individual employees and the organization as a whole. It also serves as a prominent statement to the outside world about the organization's commitment to security.
Like many people, Fred Jones thought he had a difficult job. He was now expected to develop, institute, manage, and monitor an organization-wide security policy without assistance, consent, or buy-in from a single employee, much less empowered high-level administrators.