With all Government and public sector systems there is a need to make sure that information stored in them is appropriately protected. ‘Appropriate’ could range from:
- open to the public;
- to patient records;
- right through to highly secret national security information.
So there needs to be a process to assess what is required in each case. When you think about risks to a system, it makes sense to ask “what if” the system were compromised. The impact that a compromise would have on the school is a logical place to start. If you group that impact into levels, you get Business Impact Levels. They are currently defined from 0 (no impact) to 6 (severe impact).
An Impact Level (IL) comes from consideration of 3 potential compromise areas:
- Confidentiality – the potential impact if the information is seen by those who should not see it;
- Integrity – the potential impact if the accuracy or completeness of the information is compromised;
- Availability – the potential impact if the information becomes inaccessible.
It is very unlikely that a school will be responsible for datasets with a BIL (or IL) value greater than 4.
The following table defines the Impact Levels most likely to require managing by schools and includes some examples:
|Personally identifiable, or aggregated beyond 1,000 records
||Limited impact but caution must be taken at all times.|
||The vast majority of data should be classified at IL2-Protect, or lower. Likely to cause embarrassment to an individual, or organisation.|
||Most of the information in a school’s MIS is likely to fall into this category. Likely to cause loss of reputation to an individual, or organisation.|
|IL4||Additional detail to Special Needs, or Child in Care||Likely to cause loss of reputation to an individual, or organisation.|