Executive Summary
INTECO would especially like to thank the following for their assistance in
preparing this study:
This publication is the property of the Instituto Nacional de Tecnologías de la Comunicación (INTECO), and is licensed by
Creative Commons under a recognized non-commercial 2.5 Spanish license. It is therefore permitted to copy, distribute and
publicly communicate this work under the following conditions:
• Acknowledgement: The contents of this report may be reproduced either partially or in their entirety by third parties, as
long as they cite its origin and make express reference to both INTECO and its web site: www.inteco.es. This recognition
may not in any way imply that INTECO provides support to these third parties or supports the use they make of their
work.
• Non-commercial use: The original material and derivative works may be distributed, copied and exhibited as long as they
are not used for commercial purposes.
When reusing or distributing this work, the terms of its license must be made perfectly clear. Some of these conditions may not
apply if permission is obtained from INTECO, as the owner of the copyright. No part of this license reduces or restricts
INTECO’s moral rights.
Full license text:
http://creativecommons.org/licenses/by-nc/2.5/es/
The following were defined as the general objectives for this study:
2) To identify the incidents and needs of different user groups with regards to on-
line educational platforms.
The method used to reach these goals consisted of performing work in three phases:
a. The Ministry of Education, Social Policy and Sports, and the Ministry of
Industry, Tourism and Commerce.
The computer security risk framework was also applied in this phase, using the
Magerit methodology as an independent measure of recognised prestige against
which to contrast the results of this study. This methodology,
developed by the High Council on Electronic Administration, is based on the
analysis and management of risks for information systems.
The project ended with the writing of a report containing the results of the three
aforementioned phases. It has been translated into English and the country’s co-official
languages.
The starting point for this study makes a brief mention of the process of ICT incorporation
in education. It began with the appearance of personal computers at the beginning of the
1980s, and continues in the present time. People have begun to speak of computer
literacy as one of the basic competencies that students must acquire, as well as the new
competencies that teachers must acquire in the area of technology.
a comprehensive manner to the multiple needs that are inherent in the life of an
educational centre.
When analysing their structure and operation, platforms consist of different modules that
allow them to meet the management needs of centres on three major levels:
administration, communication and teaching-learning process support. Likewise, they are
intended to provide services to four types of users: centre administrators, families,
students and teachers.
Among their main functions, we see that in addition to permitting the development of
distance learning, when they are used as a support to the classroom teaching and
learning process, they make the following possible:
If we look at the types of educational platforms currently available, we generally find
that some are commercial products with a cost associated with them, while others are free
tools that are usually developed as open source.
Private initiatives
There are several platforms on the market that have been developed by private
businesses. Their functions are oriented towards supporting the required curriculum and
providing centres with efficient tools for academic and administrative management, as well
as powerful channels that favour communication and the exchange of information.
In any case, opinions appear to agree in considering that the ideal educational platform
must allow the joint management of all an educational centre's needs associated with
administrative and academic tasks, communication with the different members of the
educational community and instructional support. Presently, all the development
tendencies are evolving around this line of work.
It is also commonly accepted that a learning platform that is incorporated into the
working practices of a school may offer a wide range of benefits to teachers, students and
parents, and at the same time, support the organisation and management processes
within the centre. A distinction is made among the following user profiles:
• Students. They were born with technology, and most share a liking for ICTs.
They are active educational platform users, both at school and at home in their
free time.
• Teachers. As platform users, they use them mainly as an educational resource for
working with their students in class, and on the individual level, for their own
personal training.
• Parents. As platform users, most affirm that they use them as a means of
communication, allowing them to participate in their children’s teaching-learning
process. However, they recognise that the degree of their involvement and use is
still far from being optimal or adequate.
Finally, there appear to be three great benefits associated with the use of educational
platforms:
3) Technological literacy in society. This is due to the fact that there are a large
number of citizens who are potential educational platform users.
An educational platform, like any other computer application and its associated data, must
be made secure in accordance with its level of sensitivity. The security measures
implemented must, as much as possible, serve as a guarantee that the platform will be
available, operate correctly, process information and safeguard the confidentiality of the
information stored on it. The most important peculiarity of educational platforms is their
massive use by minors, a sector of the population that needs greater levels of protection.
Through this analysis, certain expectations were identified that are common for all or at
least most of those interviewed, such as:
• Personal data and information, especially those related to minors, must not be
accessible to or consulted by unauthorised users.
• Access to the platforms must be controlled so that each user can only
access what corresponds to them.
Besides these common expectations, each group of users has their own special
requirements or expectations, according to their functions and responsibilities.
• Asset management.
• Physical security.
• Security in communications.
• Access control.
• Continuity management.
• Legal compliance.
Having reached these conclusions, a brief study was made of the applicable legislation
and best practices stemming from the different security regulations, in order to identify
which were relevant for the rest of the analysis. The following were considered to be
specifically applicable to the project:
• Legislation
A risk analysis consists of evaluating a set of threats according to the probability that
they will occur and the impact they would have.
Bearing in mind the expectations of the different user groups and the possible impacts of
failures in the security measures derived from our analysis, in this section of the project,
we analyse the results found by the study. This evaluation considered both the strong
points, where security levels and practices exist that are in agreement with the best
practices and user expectations, and the weak points we found, understanding weakness
to mean those situations that are not in agreement with best practices, laws or regulations
or situations that might result in the occurrence of one or more of the threats previously
considered.
The following strong points were found with regards to security on educational platforms:
• Logical security. Most of the platforms had correctly deployed protective systems
such as firewalls and IDS on their access networks. The developers or those
responsible for the platforms conducted audits (although not as frequently as might
be desired), there was an adequate separation of functions and tasks with regards
to the access levels and, generally speaking, the security levels found on the
Spanish educational platforms were similar to those of the rest of Europe.
• Access control. Passwords are used to log in, and files with passwords in them
are encrypted. There is a hierarchy of profiles, each with different privileges, and logs
or access and usage records are kept. In addition, environments are separated, as is
the most sensitive information in some cases, and the activity of specific users
may be identified.
• Incidents. The level of security incidents on educational platforms is, to date, very
low.
• Awareness. Most of those interviewed (but not necessarily those with direct
responsibility for the platforms) are professionals who are aware of the hazards
that exist.
• Training and awareness. A serious lack of training, and therefore of
awareness of the existing risks, was observed on the part of teachers and other
participants related to educational platforms. Likewise, in some cases it was observed that
there was a lack of technical knowledge on the part of platform administrators.
There is not much in the way of collaboration or the exchange of best practices
among centres with regards to security, and a lack of quality control in this area
was also detected.
contingency plans, and the possibility of other poor practices due to the lack of
security policies.
• Access control. In several cases, the authentication systems were overly simple,
considering the sensitivity of the information, and on many occasions, there is a
lack of physical access control to the installations.
• Contingency plans. Contingency plans that would guarantee service continuity
barely exist for the platforms observed.
Finally, these results were imported into a risk map, following the format based on
Magerit’s methodology, linking each weakness or vulnerability to its potential threat and
then evaluating the probability of the related threat occurring, and its impact on a scale of
high, medium and low severity.
In conclusion, in spite of the low volume of known incidents up until now in relation to
educational platform security, their proliferation over the recent years, along with the
increasingly complex technology and the incorporation of new functions, leads us to a
situation in which security must take on greater importance.
IV Detected needs
This section of the report and the following Recommendations and proposals section
present the main conclusions of the project.
With regards to the main needs that were detected, it was concluded that the study was
sufficient in scope and in its alignment with the initial objectives, enabling us to make a
comparison between the observations and situations found on one hand and the best
practices, regulations and laws on the other.
There is no specific security policy related to platforms for several reasons, but mainly due
to purely operational reasons and the lack of serious incidents. However, the study has
also shown a series of concerns and threats that merit study and solutions. Specifically:
• A serious security incident would damage the credibility of these tools and would
halt development in the sector, as well as the spread of their use.
• Strict compliance with the Personal Information Protection Law and the Security
Measures Regulations must be included in the development requirements for any
platform.
• The quality of the contents must be supervised so that they do not offend moral
principles.
Taking into consideration the opinions of experts and the real situation of these platforms,
the needs that exist over the short, medium and long term are listed below, for the
following scopes of action:
• Sensitisation, training and information for all users (students, instructional and
non-instructional staff, system administrators, publishing companies, etc.)
Finally, the study has identified a series of recommendations for correcting or responding
to the detected needs. These recommendations should be kept in mind when:
Regulations
• Focus legislation on the uses that may be made of the information, applying
penalties as a deterrent for non-compliance.
Functionality
• Make platform operation flexible and functional, which would possibly lead to its
self-regulation.
• Improve the physical security of the areas in which platforms may be used.
• Give more importance to platform design in areas such as a) not allowing the
entering of incorrect information, b) logical and physical separations by profile, c)
making platform use intuitive, d) making platforms resistant to user mistakes, e)
equipping them with support tutorials and f) incorporating control mechanisms such as
suspension after a certain period of inactivity.
Content security
• Have security policies and guidelines in the educational centres and the
organisations or businesses that provide infrastructure support to these centres.
o Installing and updating the programs that detect and eliminate malicious
code.
o Information updating.
http://www.inteco.es
http://observatorio.inteco.es