CATHOLIC UNIVERSITY OF EASTERN AFRICA

FACULTY OF SCIENCE

DEPARTMENT OF COMPUTER SCIENCE

UNIT NAME : SECURITY AND PRIVACY OF BIG DATA

UNIT CODE : CMT 436

NAME: PETER KIVEVO JOHN

REG NO : 1033983
 Question: Write a proposal of how data held in an institution should be handled in big data.

Introduction

Technology makes accessing student data rather easy. However, all student data needs to be
maintained in a confidential manner to protect students’ rights, security, and dignity. At the
same time, federal and state laws and guidelines may have certain rules regarding the type of
safety precautions that must be taken regarding this data, but they might not specify specific
tasks. Unfortunately, not all school may provide a higher level of interpretation of those
guidelines and laws. Therefore, there some steps need to be considered when protecting
student data.

1) Minimize Data Collection of Student Information.

The single most important step schools can take to lower the risk of unintentional or
malicious disclosure of sensitive student information is to reduce the amount of information
collected in the first place. This might include collecting of details that are of less use to the
institution but are mostly used by the students. They include the student bank account, which
is of less use to the institution and focus on the most needed details such as the student
registration number and the student names. That is a practice known in the privacy field as
minimization. When schools don’t collect sensitive data elements, there is no risk they will
lose control of that information if a data breach occurs.

2) Purge unnecessary student records.

In addition to minimizing the information collected, schools should also take actions to purge
sensitive information when it is no longer used for its original purpose. Purging old records
serves a similar purpose as minimizing data collection: lowering the impact of a potential
breach. Schools should set standardized record retention policies that specify the length of
time different categories of records should be preserved. For example, a school might decide
to retain course-level grades permanently to generate transcripts, but purge student
disciplinary records seven years after graduation. Exceptions might be made for students who
were expelled from school or other specific circumstances.
Some retention periods might be quite short. For example, some private schools often collect
documentation from parents to prove their residency,in a particular school district.
Once those records are validated and approved by an administrator, there is no valid reason
to maintain copies of the records to themselves. It may suffice to maintain a record created
by the administrator documenting the evidence was received, reviewed and validated.

3) Encrypt data at rest and in transit.

After completing minimization and purging efforts, chances are schools will still need to
retain some sensitive information about students and their parents. Those records should be
secured carefully, using a mix of technical and administrative controls. The most important
technical control schools may apply to information is authentication of the data, the use of
strong encryption technology to protect information that is either at rest; stored on a server or
device; or in transit, being sent over a network. Schools should identify devices that store
sensitive information and apply encryption at both the file and disk level. That is particularly
important for notebooks and other mobile devices that might be lost or stolen when outside
of school. Schools should also identify cases where they send or receive sensitive
information over a network connection and ensure that the connection is encrypted. For
example, standard email does not use encryption and should never be used for sending
sensitive information to parents or students. Secure messaging portals that use HTTPS-
encrypted websites are a much better alternative as they are much secure.

4) Follow principle of least privilege.

The security principle of the least privilege states that each user should be assigned the
minimum level of access necessary to perform his or her job functions. That principle is often
unintentionally violated in schools as a matter of convenience.
For example, a school IT administrator might grant all faculty and staff access to student
records stored on a server. That may make administrative tasks easier, but it also exposes
those records to unnecessary risk.
A least-privilege approach here would create access control groups that limit each user’s
access to only those records required for his or her job. For example, the school nurse and
principal might be the only two individuals with access to health records.

A student’s current course grades might be available only to teachers who have that student
in class, the student’s guidance counselor and senior administrators. It may seem obvious but
reducing the number of people with access to sensitive information helps keep that
information more secure.

5) Monitor user activities on school networks.

Schools should monitor the activity of any users granted access to sensitive information. That
does not require elaborate monitoring systems; most likely, changes to settings in existing
software will be sufficient. For example, Windows file servers include robust auditing
capabilities that allow tracking and logging of all successful or unsuccessful attempts to
access files. Any records gathered through user monitoring can also help to identify
suspicious activity and also aid in tracking down the source of leaks of sensitive information.
For example, if a high-profile student’s educational records are leaked to the media,
administrators may look at the access logs to determine who recently viewed those records.
Schools must exercise more caution and discretion to protect students' and families’
information from unauthorized uses. Following a few simple security practices will go a long
way toward preserving the public trust in educational institutions.

6) Use of Virtual Private Network (VPN) for University-related tasks.

Due to the high security needed to protect the university student and even staff data, the use
of Virtual Private Network every time a person needs to log into the system and perform a
specific task is highly recommended. This service keeps the information private and secure
from attack by hackers. The use of Virtual Private Network, however, is not easy for the
students and therefore there should be a training session for the first year students, and even
the new staff members, on how to use them so as to keep their data safe when accessing their
portal addresses.

7) Avoidance of unsecured networks, for instance, the cafeteria and other public areas.

Many students are always eager to use free public WIFI to perform their daily activities such
as browsing and even accessing their university data, such as the student portal. Most of
those public WIFI are free and therefore students finds them ‘economical’. However,public
WIFI are not secure at all. Hackers use them to steal your details from you when you are
logged into them to browse. The hackers steal your passwords and use them to access your
data without your consent

8) Backup of data.

The school administration should consider backing up their data into different devices in
case of an attack or data loss. Backing up of data occasionally is highly recommended mean
of data preservation as it is very rare for a data to get attacked at the same time. This will be
of high help if one loses some data, they could use other means of data storage to access the
same data.

9) Use of strong and unique passwords.

This could be obtained by making sure that all university-related password include letters,
numbers and special characters. It is also recommended that they use both lower-case and
upper-case letters. Different departments should also have their different password, and
strong passwords. They should not share the same passwords to access data even if they are
related.

10) Avoid clicking on suspicious links or download files from unknown sources.

Hackers and scammers often employ fake or phishing emails to impersonate real companies’
messaging and you can be tempted to click on them. After clicking on them you are then
convinced to fill in your details on them. The hacker then is able to obtain your data and use
 it to harm you by logging into your data to perform malicious activities. If you are unsure
about an email, especially one with an external link or attachment, you should double-click to
check the sender before filling in your details or eve before downloading any software from
their website because it might be a malicious one.

Conclusion

Understanding the importance of protecting student data is essential to surviving in education.

There are so many levels of ethics and efficiency that need to be considered, so being overly
prepared for any situation or breach is the best method for protecting against exposing this
data to prying eyes.