Data Security Management for Information Systems in Schools




This project seeks to establish the best practices which may be used in database, computer system, or a software application that is concerned with student information. Of interest in the project is data that is centralised within a school and shared with third party researchers. The paper points out what may be evident as a lax attitude towards the management of information systems data, in other scenarios the absence of the minimal security measures and policies in firms that use sensitive student information. The best-practices are in line with the Privacy Act, the Computer Matching and Privacy Protection Act of 1988, and Section 208 of the E-Government Act of 2002, California Information Practices Act of 1977 Stevens, 2010). To complete the task it was necessary that previous knowledge in the course of information systems be applied so as to address the areas of concern with student information systems. However, to bring the study into focus a survey was initiated which focused on a group of randomly chosen personnel who originate from California, who regularly take student data from schools. The outcome of the survey assisted in the creation of the set of guidelines. Much as the report gives the guidelines, the focus is given to the areas that the survey points out as breaching security. The result of this project is a detailed understanding of areas in information systems that have largely been misunderstood, misinterpreted as well as guidelines which can be relied on as best-practices by organizations that are interested in student data.


With the increase in research into what is going on in schools the requirement of student information to aid in statistical analysis will be a necessity (Marchionini, 2012). This led to an increase in the issuing of sensitive student information to researchers, and statisticians. This study is founded on the hypothesis that the parties, the schools and the researchers lack the means to take care properly student information provided.

Scope of the project

The security management, which is the deliverable of the project focuses on the systems which store, distribute or receives student data but will majorly delve into the researchers and the schools which give the information. It will take account of the storage media like commercial student information systems, data warehouses and the personal computers of the two groups. Student in this report is from kindergarten through 12th-grade system (Education, Public Schools of North Carolina: State Board of, 2014). Much as the management guidelines may be used within the University framework, their system is more improved and with better-equipped personnel.

Additionally, because state constituents usually have their security guidelines in line with student records, this project focuses on California State and in some few cases the federal laws. The project will not delve into security topics that deal with getting a workstation, or a configured network except in cases where these are linked to student information systems (Escalera, 2013).

Defence of the solution

From experience and prior knowledge there is no breach of security which has been reported in line with the management of data received from students. This means it has been overlooked in terms of security. No financial assistance has been extended in this sector especially with the belief that most student information is not sensitive except when social security number is involved (Escalera, 2013). For the information acquired by the third parties to be useful, there have to be files like the SSN-to-Student Identifier table. For an individual who wants to trace the student identifiers to sensitive information is easy, and the guidelines will no doubt be used by the organizations seeking to comply with the security regulations (Escalera, 2013).

Methodology Justification

The state and federal laws and regulations are detailed in handling of student information. This is, however, not done as should be because the school staff is under-equipped to realise this aim. Under instances where the staff in a firm is skilled and certified to manage personally identifiable student information there are limited resources to carry out the tasks (Escalera, 2013). In scenarios where the staffs are ill-equipped to handle security management then they should be given less demanding tasks so as to be in line with the existing regulations.

In either case the two kinds of staff would use a checklist of items that make their firm compliant with the regulations that deal with security and management of student records.

Organization of the Capstone Report

The project is undertaken through the following sections: a system and process audit, the requirements, project design, methodology, development of the project, quality assurance, implementation plan, risk assessment, post-implementation plan and conclusion (Escalera, 2013).

Systems and Process Audit

The initial audit entailed talks with a number of the persons surveyed in the official audit. I engaged these people about once in all the four visits and as well asked those queries concerning their security procedures in a casual way (Escalera, 2013). The questions were related to the survey and were the prerequisite of the survey. The result was verification since the presence of lax attitude was anticipated.

Problem Statement

The age of school going young Americans stands at about 5years to 18 years. While in school, data is collected about them which is inclusive of the date of birth, social security number, medical information, test scores, health data among others. Data can be the words, numbers or observations which are acquired systematically (Christina, 2008).

Much as there are established laws and regulations about the storage, use, and distribution of the information a number of factors bring about the inadequacy of the resources used in the area of student information security. The lack of interest on student information security is founded on the belief that younger students are not vulnerable to security breaches as far as information systems are concerned.

Causes of the problem

The major cause of the problem stated above is inadequate resources. The resources come in the form of qualified security personnel, the right software solutions, establishment and maintenance of a firm’s security policy.

Business Impacts

The impact that the problem brings is the violation of state privacy laws should there be a security breach. For the students whose private information is released they may suffer identity theft, they may be stalked, political attacks when data is wrongly used (BC Ministry of Education, 1996).

Cost Analysis

The result of this project is the coming up with guidelines that may be used in an existing school environment and is easily interpretable and are in line with the existing state laws and regulations about security, privacy and school records. There are no recommendations made to the effect of buying of any software or getting more personnel. Should a firm feel obliged to hire more skilled personnel or acquire some software to be in line with the recommendations then, it does so at its discretion. The cost is hence at a minimum (Escalera, 2013).

Risk Analysis

The greatest risk lies in the failure to apply the guidelines. This may result from complacency on the part of the personnel in the firm.

Detailed requirements

As far as the standards are concerned, this project seeks to be in line with the existing state laws that govern education records and privacy. To comply with the guidelines involve compliance with the existing state laws and regulations on privacy and security of school records.

Project Design

Security management, which is the aim of this project solves any system that stores distributes, or receives student information and is biased towards a system that involves data sharing between a school and researchers. This makes use of storage media like commercial student information systems, customized data warehouses and personal computers that are used by both parties (Escalera, 2013).

The project will not involve security topics that concern the acquisition of a workstation, and a specific information media or network configured. The students will be involved as they will be asked some questions during the survey phase (Fletcher, n.d).

The project will be undertaken through the stages including preliminary study, evaluation of the preliminary study to come up with a survey, analysis of the survey outcomes to come up with a number of security guidelines and implementation of the guidelines at a specified place of work (Escalera, 2013).


It is assumed that the problem is based on inadequacy of resources like money, time, and qualified staff. Also, it is assumed that it will pay out financially if these guidelines are taken into consideration.

Phases of the project

The project went through Auditing, design and development, Quality Assurance, Implementation, Post-Implementation Support and a draft report.


The time was in terms of weeks, which was a total of 16 weeks.


Each of the project phases depended on the phase preceding it. This means that the analysis of data would only come after gathering of the data and so on and so forth (Lynch & Heinze, 2007).

Resource Requirements

Because of the nature of the project, no hardware and software resources were needed. Of significance were time, money and basic skills in technology.

As far as implementation was concerned a few resources like the hardware, a web-server would be necessary.

The software resources comprised of the operating system (Microsoft Windows Server 2008), Web-server software (Microsoft IIS Server), a database for storage of the survey outcomes (Microsoft SQL Server 2008), Web-application development software (Microsoft Visual Studio 2012) for design of the survey and its launch online (Escalera, 2013).

Risk factors

It was feared that the laws and regulations would change throughout the project duration because the project took a longer time than was planned. This would mean the guidelines being obsolete before publication (Escalera, 2013).

Important Milestones

The most significant milestone in the project is the ability to collect and analyze the survey outcomes. With no survey results, the guidelines wouldn't have been sufficient.


The project report will be available to any person who wishes to keep current with the guidelines on security and privacy of student information system data.


The project was undertaken through a survey as well as prior knowledge of the variables. This formed the foundation under which the guidelines were established. With the results of the survey, a complete document was drafted and was availed for the parties interested in getting guidance from it.

Project Development

The deliverable of the capstone project is where the implementation of the project is by the user. The coming sections are arranged into the completed project and the role that will be played by the end-user where necessary (Escalera, 2013).


During the completion of the project, a computer was used. The computer used was a Samsung Desk-top that was used in storing and launching the security survey phase of the project timeline. The computer is needed only once as the project progresses and until its completion. It might be used again during the post-implementation phase should the need arise. The end-user, as already have been stated earlier will not require any hardware in order to implement this project. This is also in line with the relevant state and federal guidelines on security and privacy of shared data.


A number of software packages were used in order to complete this project. The software included an operating system for the server (Microsoft Window Server 2008), web-server software (Microsoft IIS Server), database for the storage of the survey results (Microsoft SQL Server 2008), and Web-Application development software (Microsoft Visual Studio 2012) for the design of the survey and launching it online. The software were only essential during the implementation phase of the project and will not be needed during the post implementation phase except when a redesign of the project is necessary (Escalera, 2013).

Tech Stack

There is no need for the layer of services according to the guidelines given forth.

Architecture Details

The design of the project requires no proposition of any specific hardware or network configuration. The goal of the project is also explicit as it complies with the state and federal privacy laws and it will be implemented by an under-qualified personnel so there is no need of proposing a specific distribution source (Escalera, 2013).

Resources used

Adequate time was required during the whole phase of the project. Sufficient knowledge was required in the design of the project and the resources required for this included HTML, XHTML, ASP.NET, and VB,NET, launching of the survey online by making use of web-server administration, design of the database by use of (ANSI-SQL, Transact-SQL) (Escalera, 2013).

Final output

The results are not detailed. There is a project report, available to the public for the guidelines and the processes of development of the guidelines. This document is self-explanatory and may be adopted by any firm or school which wants to understand the security guidelines presented herein.

The aim of educating people on information security of data is explicitly explained and therefore a guide towards elimination of security breaches and increased compliance with the relevant state laws and regulations targeting the privacy (Escalera, 2013).

Quality Assurance

The approach

Quality assurance was undertaken during the fourth and sixth phases of the project timeline. This was necessary for completion of the document without errors (Breaux & Anton, 2008). Phase four was important to come up with unbiased guidelines while phase six allowed the testing of the revised guidelines in actual environmental setting (Escalera, 2013).

Quality assurance will continue even beyond the implementation of the project at the schools and firms through follow-ups.

Solution Testing

Phase six was necessary for the project timeline because the actual implementation of the project is the effort of the end-user. The guidelines were tested in a number of business set-ups before being distributed. This was necessary to ensure the guidelines were satisfactory and did not affect business productivity even as they met their stated goals.

Implementation Plan

The focus here is the implementation of the project within the school environment.

Strategy for implementation

The user will be required to follow the guidelines proposed in order to implement this project. The project is such that one step follows another, and they are not arbitrary. The alternative to the guidelines are the constitution, education code, the federal constitution and are used complementarily to the project guidelines.

Rollout Phases

Before the project is set-up, there should be staff awareness and training. The whole staff within an organization should ensure they understand the guidelines very well prior to implementation. No step should be skipped in the rollout and feedback should be given by the concerned personnel. The firm should make any modifications they deem fit, but the modifications should not deviate largely from the intended purpose of the project. A check is necessary to ensure that the implementation of the guidelines does not affect the policies of the firm. For it to remain relevant, it should be revisited annually and updated in line with the guidelines. The updates will only be found from the author.

Full operation

The point where the project will be considered fully implemented is when the steering committee has accepted its adoption. The staffs also have to agree to work with the guidelines.


The guidelines should be adhered to in the order they appear in the final document. The phases of the rollout are also in order and should be strictly followed. Nonetheless, within the guidelines there are areas that don't require sequence in the implementation. Should there be a situation where the firm has to contravene the order then they need to follow the guidelines.

Training Plan for Users

There is very minimal training required for the implementation of this project. This is, however, the case in a scenario where the personnel concerned with implementation has very basic training in information technology. The author has not offered any of that training, and it is the hope of the designers that the training should be done by the implementing institution.

Risk Assessment

Quantitative and Qualitative Risks

Very minimal risks will occur with the adoption of this project. If anything, currently there is a risk since the schools are not observing care in handling the security of data so with the adoption there will even be an improvement (Escalera, 2013).

The guidelines have been designed to lower all the risks that may occur. Further risk will be reduced with time if the project is evaluated with time for accuracy and to check any errors that may have occurred. Considering two types of firms there is one significant risk that may occur. The first type is where a minimal number of policies are in place for the securing of student information. Here, if the guidelines are not revisited and revised yearly the firm may feel they are doing well as far as adherence to the guidelines is concerned when in fact they are noncompliant. The other type of firm is where there is a set of security policies and the guidelines are only used as a checklist. What may result is a realignment of the policies of the firm with the guidelines. In both scenarios, the qualitative assessment is deviation of confidence and their abandonment.

Cost Benefit Analysis

There is an average shortfall in the benefit. The risk may occur because the project cannot suggest the control of implementation of the guidelines in the firms or the schools (Escalera, 2013). The skill level of the staff within an organization is an impediment to mitigation hard. Should the guidelines be implemented fully then the firms will achieve full compliance with the regulations.

Risk Mitigation

The project scope is defined within the area of data security, and it will be hard to mitigate the risks mentioned (Escalera, 2013). It is the duty of the implementor to control the risks. The implementer is also faced with the task of revising the project guidelines or acquire updated guidelines from the project designers yearly. If this is done, then compliance with the laws and state regulations will continue. The risk of information disclosure are sufficiently managed by the federal laws (Buchalter et al., 2004).

Post Implementation

This will consist of yearly revision of the guidelines that concern this project. To make sure the guidelines are in line with the security guidelines the revision will commence at the end of the year and the changes will subsequently be published for the public to know (Escalera, 2013).

Post Implementation Support Resources

The designer will revise and re-administer the security survey yearly. The revision will be in line with the survey carried out in the last years (Escalera, 2013). The revisions will rely on the quality of survey that will be got from the previous year.

Maintenance Plan

Maintenance will be done as has been described in the previous sections. The maintenance plan consists of annual revision of the project guidelines to suit the changes in the state and federal laws or to be in line with the recommendations that shall have been offered by the end-users of the guidelines like the schools and the firms.

Conclusion, Outcomes and Reflection

With the existence of lax attitude in the student security information, the designer of this project set to come up with guidelines that will assist in the management of the security breach that may occur under the circumstances. The project consisted of eight phases and the guidelines set forth are in line with the existing state and federal laws on privacy of data. The practices will address the non-existent security concern within the firms and the schools. Survey assisted in coming up with some of the guidelines while others were adapted from real life experience. The outcomes of the project are guidelines that will supplement the state regulations and the federal laws that are already established to deal with privacy of information gathered from the public. The only deviation is that the students are not comprehensively covered in the laws since they are minors.

As a reflection, the guidelines will be a major milestone in handling security as it will help eliminate security breach.


BC Ministry of Education. (1996). School Act. Revised Statutes of British Columbia, 1996.Britain: Ministry of Education: Governance and Legislative Branch.

Breaux, T. &. (2008). Analyzing Regulatory Rules for Privacy and Security Requirements.IEEE Transactions on Software Engineering, 5-20.

Buchalter, R. G. (2004). Laws and Regulations Governing The Protection of Sensitive butUnclassified Information. Federal Research Division.

Christina, B. (2008). Using Data to Improve Student Achievement. The Literacy and Numeracy Secretariat, 1-4.

Education, Public Schools of North Carolina: State Board of. (2014). School Attendance and Student Accounting Manual 2013-2014. North Carolina: Department of Public Instruction, School Business Services.

Escalera, J. (2013). Data Security Guidelines for Student Information Systems. Western Governors University.

Fletcher, A. (n.d). Defining Student Engagement: A Literature Review. Student Voice in Schools , 1-4.

Lynch, K. &. (2007). Information Technology Team Projects in Higher Education: An International Viewpoint. Journal of Information Technology Education, 1-18.

Marchionini. (2012). Research Data Stewardship at UNC. University of Carolina.>

Stevens, G. (2010). Federal Information Security and Data Breach Notification Laws.Congressional Research Service.