Instituto Nacional

de Tecnologías
de la Comunicación

Study on educational platform

safety measures

Executive Summary

INFORMATION SECURITY OBSERVATORY

 Instituto Nacional
de Tecnologías
de la Comunicación

Edition: June 2008

INTECO would especially like to thank the following for their assistance in
preparing this study:

This publication is the property of the Instituto Nacional de Tecnologías de la Comunicación (INTECO), and is licensed by
Creative Commons under a recognized non-commercial 2.5 Spanish license. It is therefore permitted to copy, distribute and
publicly communicate this work under the following conditions:
• Acknowledgement: The contents of this report many be reproduced either partially or in their entirety by third parties, as
long as they cite its origin and make express reference to both INTECO and its web site: www.inteco.es. This recognition
many not in any way imply that INTECO provides support to these third parties or supports the use they make of their
work.
• Non-commercial use: The original material and derivative works many be distributed, copied and exhibited as long as they
are not used for commercial purposes.
When reusing or distributing this work, the terms of its license must be made perfectly clear. Some of these conditions may not
apply if permission is obtained from INTECO, as the owner of the copyright. No part of this license reduces or restricts
INTECO’s moral rights.
Full license text:
http://creativecommons.org/licenses/by-nc/2.5/es/

Executive Summary of the Study on educational platform safety measures Page 2 of 16

Information Security Observatory
 Instituto Nacional
de Tecnologías
de la Comunicación

The current study conducted by the National Institute of Communication Technologies

(INTECO) intends to analyse the risks related to security that may be experienced in
educational environments, due to the progressive implementation of technology in
schools.

INTECO’s mission is to promote and develop innovation projects related to the

Information and Communication Technologies (ICT) sector, which improve Spain’s
position and contribute to its competitiveness, extending its capacities in both European
and Latin American environments. Within its strategy, the promotion of technological
security is one its main objectives. To reach this goal, it conducts studies, analyses and
research and then advises the Public Administration in this area, if necessary. This study
on educational platform security in Spain is perfectly aligned with the objectives and
studies performed by INTECO’s Information Security Observatory.

The following were defined as the general objectives for this study:

1) To achieve a global understanding about security on educational platforms.

2) To identify the incidents and needs of different user groups with regards to on-
line educational platforms.

3) To define certain general recommendations concerning regulations, best

practices and safety guidelines related to the use and development of these
platforms.

The method used to reach these goals consisted of performing work in three phases:

1) Research phase. This was based on gathering a wide spectrum of information

through a) an analysis of documentary sources (studies, articles, initiatives,
published guides, etc.) about security in the school environment and,
specifically, about educational platforms, including numerous sources related to
experiences in other countries and b) the opinions of experts and key
participants, through the administration of 29 interviews and the sending of 20
questionnaires. Those contributing opinions and knowledge in this second part
include:

a. The Ministry of Education, Social Policy and Sports, and the Ministry of
Industry, Tourism and Commerce.

b. The departments of education in the autonomic communities.

c. Companies that have participated in developing educational platforms

and companies specialised in the provision of professional services
related to information security.
Executive Summary of the Study on educational platform safety measures Page 3 of 16
Information Security Observatory
 Instituto Nacional
de Tecnologías
de la Comunicación

d. Experts in computer security (high office holders in the main security

associations active in the country).

e. National Security Forces and Administrations.

f. Associations dedicated to protecting minors.

g. Platform users (teachers, parents and students).

2) Analysis and discussion phase. The information obtained was accumulated in

this section, organised by area, type of risk detected and possible solutions and
recommendations.

The computer security risk framework was also applied in this phase, Using the
Magerit methodology as an independent measure, but one that has recognised
prestige, in order to contrast the results of this study. This methodology,
developed by the High Council on Electronic Administration, is based on the
analysis and management of risks for information systems.

3) Recommendation phase. This phase consisted of proposing a series of

practical recommendations for the situations observed in the previous phase, in
a coherent manner, supported by arguments.

As in the previous phase, precautions were taken not to present baseless

opinions, which is why we refer to the standards and best practices found on the
market in the area of security, as well as the current legislation that was relevant
to this study.

The project ended with the writing of a report containing the results of the three
aforementioned phases. It has been translated into English and the country’s co-official
languages.

I What is an educational platform?

The starting point for this study makes a brief mention of the process of ICT incorporation
in education. It began with the appearance of personal computers at the beginning of the
1980s, and continues in the present time. People have begun to speak of computer
literacy as one of the basic competencies that students must acquire, as well as the new
competencies that teachers must acquire in the area of technology.

It is within this framework of technological development that educational platforms

emerged, and their definition is one of the first elements analysed in this report. In spite of
the variety of definitions found, each accenting different characteristics, there is a certain
consensus in considering them as a tool whose design and main purpose is to respond in

Executive Summary of the Study on educational platform safety measures Page 4 of 16

Information Security Observatory
 Instituto Nacional
de Tecnologías
de la Comunicación

a comprehensive manner to the multiple needs that are inherent in the life of an
educational centre.

When analysing their structure and operation, platforms consist of different modules that
allow them to meet the management needs of centres on three major levels:
administration, communication and teaching-learning process support. Likewise, they are
intended to provide services to four types of users: centre administrators, families,
students and teachers.

Among their main functions, we see that in addition to permitting the development of
distance learning, when they are used as a support to the classroom teaching and
learning process, they make the following possible:

• Digital literacy in students (as well as teachers and families).

• Access to information, communications and data management and processing.

• The centre’s academic-administrative management: the secretary’s office, the

library, etc.

• Its instructional use to facilitate the teaching-learning processes.

• Communication with families and the community.

• Relations among instructors over networks and through virtual communities:

resource sharing, experiences, etc.

If we take a look at the type of educational platforms currently available, we generally find
that some are commercial products with a cost associated with them, while others are free
tools that are usually developed using open code.

Platforms/portals belonging to departments of education

There is a common tendency on the part of departments of education towards providing

broad band connectivity to educational centres, extending intra- and intercentre
educational networks and providing new technological resources and commons spaces
on the Internet. For this reason, the development of these educational platforms is
becoming increasingly popular, along with the corresponding training courses for the
teaching staff.

Private initiatives

There are several platforms on the market that have been developed by private
businesses. Their functions are oriented towards supporting the required curriculum and

Executive Summary of the Study on educational platform safety measures Page 5 of 16

Information Security Observatory
 Instituto Nacional
de Tecnologías
de la Comunicación

providing centres with efficient tools for academic and administrative management, as well
as powerful channels that favour communication and the exchange of information.

In any case, opinions appear to agree in considering that the ideal educational platform
must allow the joint management of all an educational centre's needs associated with
administrative and academic tasks, communication with the different members of the
educational community and instructional support. Presently, all the development
tendencies are evolving around this line of work.

It is also commonly accepted is that a learning platform that is incorporated into the
working practices of a school may offer a wide range of benefits to teachers, students and
parents, and at the same time, support the organisation and management processes
within the centre. Differences are made among the following user profiles:

• Students. They were born with technology, and most share a liking for the ICTs.
They are active educational platform users, in both school and at home in their
free time.

• Teachers. As platform users, they use them mainly as an educational resource for
working with their students in class, and on the individual level, for their own
personal training.

• Parents. As platform users, most affirm that they use them as a means of
communication, allowing them to participate in their children’s teaching-learning
process. However, they recognize that the degree of their implication and use is
still far from being optimal or adequate.

• Departments of education and educational inspection. They quite frequently

need to ask the information centres for information in order to understand the
current situation and make decisions. The use of educational platforms that
manage all the administrative and academic information for students in a
comprehensive manner and establish standards for exchanging data make
decision making and the internal management processes much more streamlined
for the educational authorities.

The following educational platform provider profiles have been observed:

• Public administrations. They intend for the Internet to be used as a means of

intercommunication for the members of the school community and as a means of
access to a large resource bank. The fruit of all this effort is that platforms have
been designed that meet the needs of the members of the educational community.

Executive Summary of the Study on educational platform safety measures Page 6 of 16

Information Security Observatory
 Instituto Nacional
de Tecnologías
de la Comunicación

• Private companies that are interested in integrating ICTs in education (telephone

service providers, Internet providers, software developers, etc.).

Finally, there appear to be three great benefits associated with the use of educational
platforms:

1) The development of a new instructional model. True incorporation of

technology means developing a new instructional model, which requires
modifying the roles of the teacher and the student. Some of its main
characteristics include a student-centred model that permits technological
literacy (in compliance with the Compulsory Education Law) as one of the basic
competencies that students must acquire, which makes it possible to customise
the instructional process and engage in life-long learning.

2) Optimisation of the academic and administrative management processes.

In addition to all the instructional improvements described in the previous
section, the implementation of a comprehensive educational platform must mean
a clear optimisation of the many processes associated with the operation of an
educational centre.

3) Technological literacy in society. This is due to the fact that there are a large
number of citizens who are potential educational platform users.

II Why must an educational platform be made secure?

According to the Standard UNE/ISO-IEC 27001, “information security is defined as the

preservation of its confidentiality, integrity and availability, possibly involving other
properties such as authenticity, responsibility, the lack of repudiation and reliability.”

An educational platform, like any other computer application and its associated data, must
be made secure in accordance with its level of sensitivity. The security measures
implemented must, as much as possible, serve as a guarantee that the platform will be
available, operate correctly, process information and safeguard the confidentiality of the
information stored on it. The most important peculiarity of educational platforms is their
massive use by minors, a sector of the population that needs greater levels of protection.

In addition to children, other educational platform participants were considered: school

administrators, teachers, parents, the Public Administration and institutions with
educational responsibilities, publishing companies and development consultants.
Expectations were analysed for each of these groups, with regards to the security
measures that should reasonably exist on educational platforms, taking into account the
relative seriousness of any possible incidents if one or more of the potential risks or
threats were to come to fruition.

Executive Summary of the Study on educational platform safety measures Page 7 of 16

Information Security Observatory
 Instituto Nacional
de Tecnologías
de la Comunicación

Through this analysis, certain expectations were identified that are common for all or at
least most of those interviewed, such as:

• Personal data and information, especially those related to minors, must not be
accessible to or consulted by unauthorised users.

• Access control to the platforms must be controlled so that each user can only
access what corresponds to him.

• Availability is an important factor in order to guarantee continuing education for

students and so that there are no delays in administrative tasks.

• Likewise, an important requirement is for information on the platforms to be

reliable, complete and correct.

Besides these common expectations, each group of users has their own special
requirements or expectations, according to their functions and responsibilities.

An analysis of the expectations and requirements of the different groups of educational

platform users or participants, we reached the conclusion that platform security must
include, in accordance with the recommendations found in Standard UNE/ISO-IEC 27001:

• Security policies or guidelines.

• Security organisation and management.

• Asset management.

• Awareness, training and controls.

• Physical security.

• Security in communications.

• Access control.

• Control over program development and acquisition.

• Incident monitoring and management.

• Continuity management.

• Legal compliance.

Executive Summary of the Study on educational platform safety measures Page 8 of 16

Information Security Observatory
 Instituto Nacional
de Tecnologías
de la Comunicación

Having reached these conclusions, a brief study was made of the applicable legislation
and best practices stemming from the different security regulations, in order to identify
which were relevant for the rest of the analysis. The following were considered to be
specifically applicable to the project:

• Legislation

o Organic Law 15/99, 13 December, regarding the Protection of Personal

Information (LOPD).

o Law 32/2003, 3 November, regarding General Telecommunications

o Law 34/2002, 11 July, regarding Information Society and Electronic

Commerce Services

o Law 59/2003, 19 December, regarding Electronic Signatures.

o Royal Legislative Decree 1/1996, 12 April, regarding the Intellectual

Property Law.

o Organic Law 1/1996, 15 January, regarding the Legal Protection of Minors.

• Regulations and best practices

o The ISO 27000 series of standards on information security.

o CobIT (the ISACA framework for good security governance).

o National Institute of Standards and Technology (NIST).

o Bundesamt für Sicherheit in der Informationstechnik (BSI).

III Risk analysis

A risk analysis consists of evaluating a set of threats according to the probability of which
they will occur, and the impact they would have.

Bearing in mind the expectations of the different user groups and the possible impacts of
failures in the security measures derived from our analysis, in this section of the project,
we analyse the results found by the study. This evaluation considered both the strong
points, where security levels and practices exist that are in agreement with the best
practices and user expectations, and the weak points we found, understanding weakness
to mean those situations that are not in agreement with best practices, laws or regulations
or situations that might result in the occurrence of one or more of the threats previously
considered.

Executive Summary of the Study on educational platform safety measures Page 9 of 16

Information Security Observatory
 Instituto Nacional
de Tecnologías
de la Comunicación

The following strong points were found with regards to security on educational platforms:

• Logical security. Most of the platforms had correctly included on their access
networks protective systems such as firewalls and IDS. The developers or those
responsible for the platforms conducted audits (although not as frequently as might
be desired), there was an adequate separation of functions and tasks with regards
to the access levels and generally speaking, the security levels found on the
Spanish educational platforms were similar to those of the rest of Europe.

• Access control. Passwords are used to log in, and files with passwords in them
are encrypted. There is a profile hierarchy, each with different privileges, and logs
or access and usage records are kept. In addition, there is a separation of
environments, and in some cases of the most sensitive information, and the
activity of specific users may be identified.

• Purchasing and development. Developers usually include control mechanisms

on the platforms, even though they are not expressly required in the bids for
tender.

• Incidents. The level of security incidents on educational platforms is, to date, very
low.

• Awareness. Most of those interviewed (but not necessarily those with direct
responsibility for the platforms) are professionals who are aware of the hazards
that exist.

• Legislative compliance. At least with regards to the Personal Information

Protection Law (LOPD), there is a reasonable level of compliance.

The following vulnerabilities and weaknesses have been found:

• Training and awareness. A serious lack of training was observed, and therefore,
awareness of the existing risks on the part of teachers and other participants
related to educational platforms. Likewise, in some cases it was observed that
there was a lack of technical knowledge on the part of platform administrators.
There is not much in the way of collaboration or the exchange of best practices
among centres with regards to security, and a lack of quality control in this area
was also detected.

• Logical security. Defects were detected in the areas of communications

connections, unauthorised software downloads, inadequate management of
network performance, varying practices with regards to back-up copy policies and

Executive Summary of the Study on educational platform safety measures Page 10 of 16

Information Security Observatory
 Instituto Nacional
de Tecnologías
de la Comunicación

contingency plans, and the possibility of other poor practices due to the lack of
security policies.

• Access control. In several cases, the authentication systems were overly simple,
considering the sensitivity of the information, and on many occasions, there is a
lack of physical access control to the installations.

• Program purchasing, development and maintenance. It was frequently

observed in the bids for tender issued by the public administrations that
requirements for security measures that must be implemented were not included,
the existence of platforms that are exposed to attacks and other vulnerabilities as
the result of having obsolete software and systems, and in general, inadequate
maintenance levels, due to a lack of training on behalf of the technical personnel
responsible.

• Contingency plans. Contingency plans barely exist for the platforms observed
that would guarantee service continuity.

• Compliance with legislation and regulations. There is a general lack of

established security policies, and in some cases (although isolated), non-
compliance with the Personal Information Protection Law was detected.

Finally, these results were imported into a risk map, following the format based on
Magerit’s methodology, linking each weakness or vulnerability to its potential threat and
then evaluating the probability of the related threat occurring, and its impact on a scale of
high, medium and low severity.

In conclusion, in spite of the low volume of known incidents up until now in relation to
educational platform security, their proliferation over the recent years, along with the
increasingly complex technology and the incorporation of new functions, leads us to a
situation in which security must take on greater importance.

IV Detected needs

This section of the report and in the following Recommendations and proposals section,
the main conclusions of the project.

With regards to the main needs that were detected, it was concluded that the study was
sufficient in scope and its alignment with the initial objectives, enabling us to make a
comparison between the observations and situations found on one hand and the best
practices, regulations and laws on the other.

Executive Summary of the Study on educational platform safety measures Page 11 of 16

Information Security Observatory
 Instituto Nacional
de Tecnologías
de la Comunicación

There is no specific security policy related to platforms for several reasons, but mainly due
to purely operational reasons and the lack of serious incidents. However, the study has
also shown a series of concerns and threats that merit study and solutions. Specifically:

• A serious security incident would damage the credibility of these tools and would
halt development in the sector, as well as the spread of their use.

• Strict compliance with the Personal Information Protection Law and the Security
Measures Regulations must be included in the development requirements for any
platform.

• Information confidentiality is obviously a critical aspect that must be considered.

• The topic of intellectual property has been identified as being problematic.

However, since there have not been any serious consequences to date, it is a
topic that remains latent, and in many cases, ignored.

• The quality of the contents must be supervised so that they do not offend moral
principles.

• The feeling of security that we currently experience is not supported by concrete

information, rather by the extremely low number of incidents.

Taking into consideration the opinions of experts and the real situation of these platforms,
the needs that exist over the short, medium and long term are listed below, for the
following scopes of action:

• Sensitisation, training and information for all users (students, instructional and non-
instructional staffs, system administrators, publishing companies, etc.)

• Compliance with existing regulations.

• Certification and standardisation.

• Functionality and availability.

• Content security through authorised user authentication.

V Recommendations and proposals

Finally, the study has identified a series of recommendations for correcting or responding
to the detected needs. These recommendations should be kept in mind when:

• Establishing the criteria for platform design.

Executive Summary of the Study on educational platform safety measures Page 12 of 16

Information Security Observatory
 Instituto Nacional
de Tecnologías
de la Comunicación

• Developing and controlling contents and utilities.

• Using the platforms.

Therefore, as a conclusion to the study performed, the recommendations and proposals

for improvement that INTECO proposed are as follows:

Sensitisation, training and information

• In collaboration with the Public Administration, develop programmes for

sensitising, training and informing about security issues, with the recipients being
all the users of educational platforms.

• Use curricular designs to train students in a cross-curricular manner about security

topics.

• Use the media to disseminate information on security issues.

Regulations

• Focus legislation on the uses that may be made of the information, applying
penalties as a deterrent for non-compliance.

• Generalise the use of confidentiality agreements in order to protect information.

Certification and standardisation

• Generate platform specifications with regards to functional and technical aspects,

and which include the security requirements that might be aligned with, for
example, the ISO 27001 series of standards.

• Certify the criteria previously established by the Public Administration or an entity

with recognised prestige. Similarly, the developers should certify the quality of their
work methodologies and the educational administrations and schools should
certify their information security management.

Functionality

• Make platform operation flexible and functional, which would possibly lead to its
self-regulation.

• Improve the physical security of the areas in which platforms may be used.

• Manage capacity when this may be affected by a large number of users.

Executive Summary of the Study on educational platform safety measures Page 13 of 16

Information Security Observatory
 Instituto Nacional
de Tecnologías
de la Comunicación

• Give more importance to platform design in areas such as a) not allowing the
entering of incorrect information, b) logical and physical separations by profile, c)
making platform use intuitive, d) make platforms resistant to user mistakes, e)
equip with support tutorials and f) incorporate control mechanisms such as
suspension after a certain period of inactivity.

• Improve Internet connections so that they are consistent and secure.

• Include business continuity management in the normal platform activity

procedures.

• Manage incidents, including their recording. It is important for the Public

Administration remain technologically vigilant by keeping a record of incidents that
may identify vulnerabilities, as well as mechanisms and agreements that this may
create with the Security Forces and Administrations to alert and pursue those
causing such incidents.

Content security

• Promote the implementation of the necessary solutions to guarantee computer

security, through loans or tax exemptions.

• Have security policies and guidelines in the educational centres and the
organisations or businesses that provide infrastructure support to these centres.

• Assign human resources to security tasks. This should be done in various

environments:

o In the area of administration and supervision, including platform definition

and development.

o In the area of execution and operation.

• Perform risk analyses.

• Control malicious code attacks, applying the following measures.

o Installing and updating the programs that detect and eliminate malicious
codes.

o Periodic software revision.

o Information updating.

Executive Summary of the Study on educational platform safety measures Page 14 of 16

Information Security Observatory
 Instituto Nacional
de Tecnologías
de la Comunicación

o Filtering inappropriate contents or those with malicious codes at their

origin.

• Create back-up copies on a rigorous, periodic basis.

• Manage network security.

• Perform and manage security audits.

Improve secure user authentication and identification

Executive Summary of the Study on educational platform safety measures Page 15 of 16

Information Security Observatory
 Instituto Nacional
de Tecnologías
de la Comunicación

http://www.inteco.es

http://observatorio.inteco.es