INTECO would especially like to thank the following for their assistance in
preparing this study:
This publication is the property of the Instituto Nacional de Tecnologías de la Comunicación (INTECO), and is licensed
under a Creative Commons Attribution-NonCommercial 2.5 Spain license. It is therefore permitted to copy, distribute and
publicly communicate this work under the following conditions:
• Acknowledgement: The contents of this report may be reproduced either partially or in their entirety by third parties, as
long as they cite its origin and make express reference to both INTECO and its web site: www.inteco.es. This recognition
may not in any way imply that INTECO provides support to these third parties or supports the use they make of their
work.
• Non-commercial use: The original material and derivative works may be distributed, copied and exhibited as long as they
are not used for commercial purposes.
When reusing or distributing this work, the terms of its license must be made perfectly clear. Some of these conditions may not
apply if permission is obtained from INTECO, as the owner of the copyright. No part of this license reduces or restricts
INTECO’s moral rights.
Full license text:
http://creativecommons.org/licenses/by-nc/2.5/es/
TABLE OF CONTENTS
TABLE OF CONTENTS ........ 3
1.1 Introduction ........ 10
3.3.5 Royal Legislative Decree 1/1996, 12 April, regarding the Intellectual Property Law ........ 41
3.3.6 Organic Law 1/1996, 15 January, regarding the Legal Protection of Minors ........ 42
4 RISK ANALYSIS ........ 47
4.2 Vulnerabilities and other detected weaknesses and their impact ........ 50
V Associations ........ 80
VII Others ........ 80
III Law 34/2002, 11 July, regarding Information Society and Electronic Commerce Services ........ 84
V Royal Legislative Decree 1/1996, 12 April, regarding the Intellectual Property Law ........ 85
VII Law 20/2003, 7 July, regarding the Legal Protection of Industrial Designs ........ 87
VIII Law 30/2007, 30 October, regarding Contracts in the Public Sector ........ 87
IX Organic Law 1/1996, 15 January, regarding the Legal Protection of Minors ........ 88
II Associations ........ 92
KEY POINTS
Although there is a general consensus that an educational platform is an ideal tool for
providing a space for learning, information, communication and participation for the
different members of the educational community, the concept itself is not easy to define.
Furthermore, we are also faced with the difficulty of categorisation. Due to the many uses
and functions that these platforms have, platforms developed with freeware and
proprietary software coexist at the same time and in the same educational environment.
What also sets them apart is their internal development and structure, focused on the use
that different users want to make of them. As a result, we may distinguish among user
profiles (students, instructors, parents, departments of education and educational
inspectors) and service provider profiles.
The main peculiarity of an educational platform lies in the massive use that minors make
of it.
The opinion of experts regarding the future of educational platform security is divided
between those that believe that the increase in its use is directly proportional to security
problems, and those that believe that we must be alert and adopt a proactive position.
Different guidelines exist regarding information security, from both a legislative point of
view and those related to good practices.
Faced with the diversity of threats that platforms experience or may experience, it is
necessary to estimate the probability of such threats coming to fruition and take into
consideration the damage that they would cause. Such an analysis allows us to contrast
the strong points (logical security, access control, purchasing and development, the lack
of incidents, awareness and compliance with legislation) and the vulnerabilities that are
characteristic of the platforms.
IV Detected needs
The needs have been developed from different scopes of action that will affect the
platforms, depending on the degree to which they evolve, and with awareness, training
and information, regulations, certification and standardisation, functionality and content
security in mind.
1.1 Introduction
They have a two-part objective: on one hand, to contribute to Spain’s convergence with
Europe in the Information Society, and on the other hand, to promote regional
development, through a project with global implications, which is taking root in Leon.
The Observatory has designed a plan of activities and studies with the goal of producing
specialised, useful knowledge in the area of security on behalf of INTECO, as well as
creating recommendations and proposals that define valid trends for future decision-making by public leaders.
Within this plan of action, work is being performed in the areas of research, analysis,
study, advisement and dissemination, which involve the following strategies (among
others):
• The creation of our own studies and reports on the topic of the security of
information and communication technologies, with special emphasis on Internet
security.
• The tracking of the main indicators and public policies related to information
security and confidence at both a national and international level.
• The generation of a database which permits analysing and evaluating the security
and confidence over time.
This report is set within the process of technological change in which society is currently
immersed, and into which the field of education is gradually being incorporated.
Faced with this emerging reality, INTECO has considered the need to conduct research
which would allow us to:
• Understand the point of view of the developers, providers and users of these on-line
educational platforms for children, focusing the study on the identification of
hazards and security solutions.
• Generate strategic lines for action and improvement with regards to the quality
of these services.
In this sense, the study has a wide set of objectives that are specified by general,
operational objectives, the details of which are provided below.
General objectives
Operational objectives
3) To determine the level of security with which they are operated from the various
providers and platform developers, and compare this to that which is considered
to be optimal.
4) To detect the main risks in the area of security, as well as possible solutions to
be implemented.
Research phase
• The holding of a discussion group with students from Secondary and Upper
Secondary School, of different ages, sexes and levels of technological
competence.
Parallel to this, meetings were held with the goal of consolidating the information we
obtained during the previous phase, trying to perform a preliminary analysis and
classification of both the documentary sources and the information obtained from the
interviews.
For this purpose, and prior to writing the report, several team meetings were held, during
which the table of contents was developed, and a consensus reached regarding its final
validation and focus.
¹ This consists of a dynamic communications process between two people, the interviewer and the interviewee, under the
control of the first party. The objective sought is to obtain information that is as significant as possible about the subject
of our proposed analysis.
² Appendix I contains a list of all the organisations and professionals who were interviewed during the research phase.
Based on the data from this last report, the recommendations and guidelines for action
were identified which were expressed by those experts interviewed, in order to establish
the potential scope and responsibilities that are necessary in the areas of self-regulation,
legislation, certification and standardisation for the creation and/or development of these
platforms; the sensitisation, training and information required by the users, and in a
general sense, other measures that public organisations must develop.
Literacy is now recognised as a concept that changes over time, where the mastery of
cognitive processes and strategies takes on a greater relevance than the assimilation of
contents, and where there are no longer any space-time barriers to limit learning.
Within this innovative and changing framework, the option of generating virtual learning
environments based on Information and Communication Technologies (ICT) means being
able to respond comprehensively to the requirements imposed by a Knowledge Society
and the new needs of the educational environment. It is within this context of innovation
that the educational platforms are emerging.
The appearance of personal computers at the beginning of the 1980s and access to
specialised telecommunications networks, thanks to the Internet, have made possible the
worldwide exchange and access to sources of information, generating important changes
in the educational environment along with it.
Since the 1990s and continuing in the present, new technological resources have been
gradually incorporated, which makes the need to reconceptualise the traditional processes
and models of teaching and learning quite evident.
Presently, it would seem unthinkable to throw our youth into a global communications
culture without providing them with some training about when, how and why to use the
emerging technologies. The development of concepts such as “life-long learning,”
“learning how to learn,” etc., have meant that schools, as institutions, have had to modify
the traditional roles of teachers and students, and in many cases, begin to specify both
standardised and general criteria.
In Spain, the Organic Education Law (LOE) and royal decrees establishing minimum
learning competencies³ have highlighted technological literacy as one of the basic
competencies that students must acquire. On a similar note, UNESCO has just published
the ICT competency standards for instructors⁴, with the goal that each country use these
guidelines in order to maximise teacher training in technology-related subjects.
The public business organisation Red.es, which is under the Ministry of Industry, Tourism
and Commerce, along with the Ministry of Education and Science and the different
departments of education in the autonomous communities, has launched different programs
intended to promote the incorporation and use of technology in non-university Spanish
public schools.
Specifically, they have promoted the programs Internet in the Schools (2002-2006),
Internet in the Classroom⁵ (2005-2008), and Teach⁶ (2007-2008), which are designed to
reinforce and complement the policies that support the non-discriminatory development of
the information society in educational environments, striving for territorial cohesion and
the sharing of initiatives among all the participating autonomous communities.
Although there is a general consensus that an educational platform is an ideal tool for
providing a space for learning, information, communication and participation for the
different members of the educational community, the concept itself is not easy to define.
Several recurring points stand out from the different explanations gathered during the
interviews⁷, allowing the formation of different definitions:
• Some, based on their origin and evolution, declare that its beginnings go back to
the start of e-learning platforms, and over time came to offer more services, in
such a way that these platforms may be considered as a concentration of efforts
made over the last few years by the educational community to find formulas to
renew the teaching-learning process.
• In their definitions, others highlight the value that they have as information systems
within educational centres, and more specifically, as centres for managing services
through which they may relate to the educational community over the Internet.
³ Royal Decree 1631/2006, 29 December, which establishes the minimum instruction corresponding to Compulsory
Secondary Education, BOE, 5 January, 2007.
⁴ United Nations Organization for Education, Science and Culture (UNESCO) (2008): ICT Competency Standards for
teachers. On-line. Available at: http://cst.unesco-ci.org/sites/projects/cst/default.aspx
⁵ [Homepage]. Viewed 3 April, 2008 on the World Wide Web: http://www.red.es/actividades/Internet_aula.html
⁶ [Homepage]. Viewed 3 April, 2008 on the World Wide Web: http://www.red.es/actividades/ensena.html
⁷ It proved impossible to classify those interviewed who participated in the field work phase by their professional profile.
• One last definition of the term, much more general in nature, would consider an
educational platform to be any portal belonging to the educational administration or
school: with on-line contents, used for academic management, educational
services (videoconferencing, on-line libraries, etc.), educational web pages and
blogs, etc.
In any case, the common denominator seems to define them as a tool whose design
and purpose is to respond in a comprehensive manner to the multiple needs that
are inherent in the life of an educational centre. It may even be considered that this is
a question of school organisation, in which technology may play a role.
Structurally, they have different modules that allow them to meet the management needs
that centres have at three broad levels: administrative and academic management,
communications management and the management of the teaching-learning process.
To accomplish this, these technological systems provide users with shared workspaces
designated for the exchange of contents and information, and they include communication
tools (chat rooms, e-mail, debate forums, videoconferences, blogs, etc.) and, in many
cases, they include a large repository of digital items for learning that have been
developed by third parties, as well as tools designed for generating the resources
themselves.
The operation of the platforms is intended to provide services to four profiles of users:
centre administrators, parents, students and teachers. Each of these profiles is identified
by means of a user name and a password, through which the users may access the
platform. This operating structure represents the creation of a workspace with closed,
controlled interactions, in which any hazardous situations the users might experience are
less severe than outside these spaces.
Although these may vary considerably in their design and development, they must always
provide a series of functionalities (such as, for example, collaborative tools that stimulate
the idea of cooperation and interaction) and means for developing new work methods and
educational models that go beyond the simple use of technology as a tool.
If we analyse the main functionalities that are defined by its design, we find that there are
two fundamental applications:
Recently, educational platforms have also been used to generate spaces for discussion
and the construction of knowledge by research groups, or for implementing virtual
communities and learning networks by groups of people who are joined by a common
topic of interest.
With regards to its support functions in the teaching-learning process, some of the most
important are related to:
• An instrument for instruction and evaluation that provides quick correction and
immediate feedback, reducing time and costs, while providing the possibility of
tracking students, etc.
⁸ Hardware: any physical component used to operate the platform (servers, hard drives, uninterruptible power supplies, load
balancers, firewalls, etc.).
⁹ Software: a set of programming code that makes it possible to perform a specific task.
Given how recently these platforms have gained importance, it is to be expected that their
proliferation and improvement will increase at a considerable rate over a short period of
time. This applies both to platforms that result from initiatives of the various departments
of education and to those created on the initiative of private businesses.
Over the last few years, each of the autonomous communities has made significant
investments in order to equip their educational centres with technological resources and
tools. Simultaneously with this effort, emphasis is being placed on digital literacy for all
members of the educational community.
All the departments of education are working with the objective of providing broad band
connectivity to educational centres and to extend both intra- and intercentre educational
networks, as well as equipping and incorporating them with new technological resources
and common spaces on the Internet, through the development of these educational
platforms.
This reality has been understood by the different departments, which are carrying out
significant and varied teacher training initiatives, as well as different projects and contests
that encourage instructors to create resources that may then be shared in common
repositories.
Private initiatives
There are also several platforms on the market that have been developed by private
businesses. Their functions are intended to support the required curriculum, trying to
innovate and improve the teaching-learning processes. In addition, they provide the
centres with efficient tools for academic and administrative management, and constitute
powerful channels that aid communication and the exchange of information among the
different agents in the educational field. In this case, the applications have normally been
developed using proprietary software.
For a short time now, we have observed a great proliferation of solutions intended to
facilitate communications between the family and the school. However, it is much more
difficult to find platforms that integrate digital contents that are adapted to the student
curriculum.
¹⁰ Red.es and the Centro Nacional de Información y Comunicación Educativa (CNICE) (2007): Informe sobre la
implantación y uso de las TIC en los centros docentes de Educación Primaria y Secundaria (curso 2005-2006). [Report on
the implementation and use of ICTs in Primary and Secondary schools (2005-2006 school year).] Madrid. On-line. Available
at http://www.oei.es/TIC/DocumentoBasico.pdf
It has been demonstrated that there are very few platforms that implement all three
functions. At this time, the communications module is the one in highest demand by the
centres, while the least developed is that corresponding to content. In one form or
another, all the centres have some sort of tool that facilitates administrative and academic
management.
It should also be noted that the majority of those interviewed have stated that, in order to
take maximum advantage of these platforms, it is necessary to pay attention to and
guarantee four basic pillars: connectivity, the availability of technological resources,
instructional content and teacher training.
While without a doubt, there is an enormous potential to be derived from having platforms
that manage all the abovementioned actions in an integrated manner, we must not forget
that, along with the development of new functions, we may also see increased security
risks (given that they will contain more and more sensitive information).
With regards to this point, expert opinions are once again divided among those who do
not anticipate greater security problems in the future and those that believe that we must
be alert and take a proactive stance, not waiting for incidents to make us aware of the
need to generate more secure systems. What both groups do agree on is that a serious
security breach would damage the credibility of these tools and would halt development in
the sector.
Until a short time ago, the use of educational platforms was normally seen in centres with
a long history in ICT, teachers that used them for their own training and university
environments. This is changing, however. Presently, it has been recognised that they are
a powerful tool which can benefit all members of the educational community.
The incorporation and use of these platforms in the field of education has not occurred in
all sectors equally. Based on general statistics regarding ICT use¹¹, we can see that they
are used more in the public sector than in the private, and more in Secondary school than
in Primary school. These data are also repeated in countries like the United Kingdom,
where the data also reflect a certain resistance among teachers to integrate technological
advances in classroom activities. Specifically, it has been calculated that approximately
20% of teachers habitually use these platforms and 40% use them sporadically¹².
¹¹ Red.es and the National Centre for Educational Information and Communication (CNICE): op. cit., 10.
In any case, what is commonly accepted is that a learning platform that is incorporated
into the working practices of a school may offer a wide range of benefits to teachers,
students and parents, and at the same time, support the processes of organisation and
management within the centre.
2.3.1 Students
Today’s students form part of a generation that was born with technology. The majority
have in common their taste for ICT and are active users of educational platforms in both
the school environment and at home, in their free time.
The main use they make of these resources is playing, communications (instant messaging,
chat rooms, forums, e-mail, etc.) and, more recently, as a work tool. They still strongly link
the concept of technology with playing, perhaps because this was its purpose in the
beginning. Currently, they are starting to become aware of its value in supporting their
learning, something contributed to by the incorporation of these platforms in the teaching-
learning processes.
On the other hand, both the opinions collected from experts on the use that children and
young people make of technology and the studies we have reviewed demonstrate that
differences exist in the manner in which Internet is used, depending on gender: boys
primarily prefer on-line games, while girls tend to prefer communications pages, those
involving interaction¹³, etc.
The impressions we gathered show that students, in many cases, are self-taught with
regards to technologies, one step ahead of their teachers and parents, who due to
generational differences, have not had these experiences or training. The result of this is
that in the area of security, the information they receive comes primarily from the
experiences of their friends and their own common sense.
¹² [Homepage]. Viewed 3 April, 2008 on the World Wide Web: www.becta.org.uk/research
¹³ APCI and Protégeles (2002): Seguridad infantil y costumbres de los menores en Internet. [Childhood safety and the
habits of minors on the Internet.] On-line. Madrid: The Child Advocate in the Community of Madrid. Available at:
http://www.protegeles.com/costumbres.asp
¹⁴ APCI and Protégeles, op. cit., 13.
2.3.2 Teachers
The most customary profile for a teacher is that of a professional who has been trained
within a context where ICT did not exist or was integrated into classroom activities as an
element of support to the teacher's explanation. For the youngest teachers, computer
science was part of the official curriculum, taught as a separate subject.
This personal experience, together with the fact that most of the teachers have not
received specific training in how to integrate ICT in the classroom during their university
studies, fundamentally results in this professional group generally having little theoretical
knowledge and practical experience in how to implement them efficiently into their daily
tasks¹⁵.
The opinions reveal that, as platform users, they use them mainly as an educational
resource for working with their students in class, and on an individual level, for their own
personal training.
Over the last few years, however, the increased need to incorporate technology into the
teaching-learning processes is such that most departments of education have created the
position of the ICT coordinator. The instructor who takes on this responsibility in each
centre is freed from a certain percentage of his teaching load in order to invigorate and
lead these processes among his colleagues. Some of his main functions are:
• Collaborating with the coordination structures in the ICT field that have been
established, in order to guarantee coherent actions at the centre, and in order to
incorporate and disseminate successful initiatives.
¹⁵ Sigales, C. (2004): Formación universitaria y TIC: nuevos usos y nuevos roles. [University training and ICT: new uses and
new roles.] On-line. Available at: http://www.uoc.edu/rusc/dt/esp/sigales0704.pdf
From all perspectives, it is an undeniable fact that a key element for incorporating
platforms and for methodological change is, without a doubt, the teacher. Currently, a
clear commitment is being made in this area, with regards to the provision of resources
and training, from the different educational administrations.
2.3.3 Parents
When analysing the profile of parents as technology users in general, and more
specifically as educational platform users, there are several points that stand out.
First, almost all of the opinions gathered from associations, security experts and
educational administrations describe them as not being knowledgeable about ICTs, which
means that in most cases, they cannot control what their children are doing in front of the
computer. In spite of the fact that they play a fundamental role when warning their children
about hazardous situations, in all reality, their actions are usually limited to prohibiting
them from viewing sexual or violent content on television, without being aware of what
they see or are exposed to while surfing the Internet.
Furthermore, as platform users, most affirm that they use them as a means of
communication that allows them to participate in their children’s teaching-learning process.
However, they recognise that the degree of their involvement and use is still far from
optimal and adequate.
All these aspects demonstrate the need for parents to receive training aimed at sensitising
them about security problems, since in this area, a key task is increasing awareness on
the part of families. Along these lines, it has been observed that parents are asking for
environments where their children may play and learn in an autonomous, safe manner,
without being exposed to the immensity of the Internet. Educational platforms are
beginning to be these virtual spaces for learning and interaction that are being demanded.
The use of educational platforms that manage all the administrative and academic
information for students in a comprehensive manner, establishing standards for
exchanging data, results in a decreased workload for the centres themselves, and would
make decision making and the internal management processes for the educational
authorities much more streamlined.
The intent is for the Internet to be used as a means of intercommunication among the
members of the school community, as an access point to a large bank of specific
resources for an area or subject, and as a door to collaborative workspaces that, in some
cases, extend the classroom beyond the physical space defined by the educational centre
itself.
The fruit of all this effort is that platforms have been designed that meet the needs of the
members of the educational community. Currently, there are vastly different conditions on
the Spanish scene. There are many differences in the areas of the functions and services
that they offer, the development technologies and the degree of interdependence of the
modules they consist of.
Generally speaking, the topic of security on these platforms is not a question that
generates concern, as the level of incidents is practically zero. Furthermore, this is a
responsibility that, in most cases, has been guaranteed by contracting specialised
external personnel. They believe that the initiatives that are being created meet the needs
of the developments that are currently in place, and that in any case, they are
guaranteeing work environments with a very low level of risk.
Presently, a trend has been observed towards grouping different companies together in
order to provide educational institutions with comprehensive solutions to their needs. This
has resulted in the first platform developments on the market that meet the three great
needs of educational centres (academic and administrative management,
communications and support for the teaching-learning processes²⁰).
With regards to security issues, once again, the idea commonly recorded is that it is
necessary to pay closer attention to this aspect as the functions of these platforms
increase and as they manage more sensitive information: scholarship applications, bank
information, psycho-pedagogical reports, etc.
¹⁶ Hosting: This is a service that provides Internet users a system to store information, images, video or any other content
that is accessible over the web.
¹⁷ Housing: This is a service that consists of renting a physical space in a data centre where the client may place his own
computer. The company provides him with an Internet connection, but the server is chosen by the client, as is the hardware.
This is a mode of web hosting designed mainly for large companies and web service companies.
¹⁸ Proprietary software: The ownership of this type of software remains in the hands of the person who has its rights, and not
in the hands of the user, who may only use it under certain conditions.
¹⁹ Free software (freeware): This type of software has an open-source code, which permits the user to run it for any
purpose, study how it works and adapt it to his needs, as well as distribute copies, improve upon it and release these
improvements to the public.
²⁰ More information is available in Section 2.2.1: General structure and operation of an educational platform.
In spite of the undeniable social impact of ICTs, we still do not have any definitive
guidelines for integrating them at each educational level²¹. In general, it is true that their
use in educational centres has been on the increase, as indicated by numerous
quantitative indicators²² (there are more computers in the classrooms and more Internet
connections, and the students use this technology in class for longer periods of time);
however, the educational results associated with the use of technology have yet to be
quantified.
Most research conducted on the impact of ICTs in education points out, as a first step, the
need for theoretical models to guide their use.
²¹ Newhouse, P. (2002): Literature review. The impact of ICT on learning and teaching. Western Australia, Specialist
Educational Services.
²² Red.es and Centro Nacional de Información y Comunicación Educativa (CNICE), op. cit., 10.
²³ Marchesi and Martín (2003): Tecnología y aprendizaje. Investigación sobre el impacto del ordenador en el aula.
[Technology and learning. Research on the impact of computers in the classroom.] SM Group.
²⁴ Lajoie (2002): Computers as cognitive tools. Hillsdale, Erlbaum.
• Student centred. The teacher would cease to be an instructor who has mastered
a certain set of knowledge in order to become a facilitator and a mediator in the
teaching-learning process, in such a way that students are capable of attaining
knowledge on their own. In other words, an evolution occurs from an educational
scheme based on merely transmitting knowledge to a new scheme in which the
student studies the information provided by the instructor in greater depth through
individual or group work.
Furthermore, today’s society will demand that the student be an intelligent and
critical user of the multitude of information that he will need to manage. To reach
this goal, he will need to acquire new skills, which nowadays are referred to as
“competencies”.
This inclusion has several intents: i) to integrate learning, both formal (that forming
part of the curricular areas and subjects) and informal and non-formal; ii) to
promote contexts in which students may integrate their learning, relating them to
different contents and using them effectively to solve problems in different
situations and contexts, and iii) to guide instruction and inspire decisions related to
the teaching and learning processes.
The professional profile of the instructor includes, even today, competencies for
knowing the capacities of his students, designing interventions focused on their
activities and participation, evaluating resources and materials, and if possible,
The improvements must be focused on the inner workings of the centre itself: more
efficient management of the administrative workload and educational resources;
improvements in internal communications, etc., as well as externally: greater parent
involvement in life at the centre and in the learning processes; the simplification of routine
administrative tasks involving families, such as authorisations or information requests; the
standardisation of language and the flow of information, etc. For these latter
improvements to occur, it is necessary to establish standards, especially with regards to
the exchange of information.
The possibilities presented by ICTs make the undeniable relationship between innovation
and computer literacy in the population at large patently obvious. Its expansion into all
areas and levels of society has occurred very quickly, and is an ongoing process, as new
elements of technology are constantly appearing.
25
Marchesi and Martín (2003): op. cit., 23.
The progressive reduction in costs for the majority of technological products, the result of
increases in production volumes and the optimisation of manufacturing processes, is seen
in prices and allows us to receive more features for the same money. This facilitates the
inclusion of these powerful technologies in all human activities and in all socioeconomic
environments 26 .
Along this line of growth, the development and rapid diffusion of educational platforms
seem to contribute to the process of enriching and educating society about the use of
new technologies. It is an unquestionable fact that scientific and technological advances
have been converted into true social advances when they have become popularised.
26
Marqués, P. (2005): Las TIC y sus aportaciones a la sociedad. UAB
Educational platforms, like any other software application, must meet certain minimum
security standards that ensure their correct operation so that they are available when
needed, there are guarantees that all information is processed adequately and that only
authorised people can access them.
The main peculiarity of an educational platform lies in the massive use that minors make
of it. For any other application, there is a group of users that may be further divided into
groups according to their needs and attributes. However, in this case, a very significant
part of this group is made up of minors, and therefore we must be very careful with the
information to which they have access and which is collected from them, in order to
comply with the letter of the law, reduce risks and prevent potential incidents.
As we have seen, the potential users of these platforms include all the participants in the
educational community: school administrators, students, teachers, parents, the public
administration, etc. In addition to these end users, both developers and personnel
providing support to these tools are very interested in them having an adequate security
level.
In general, all these users have a very concrete vision of what to expect from platforms in
the area of security. In broad terms and with different nuances, all agree that:
• Information and personal data must not fall into the hands of unauthorised users,
or even into the hands of those that the information does not concern. For
example, one student's grades should not be visible to another's parents.
Independently of the legal importance that this bears, information handled in an
educational environment is very sensitive for its users, which is why preserving
confidentiality is fundamental.
• Platforms must be available whenever they are needed, due to the many problems
that arise when this is not the case: cancelled classes, work not handed in,
delayed administrative tasks, etc. Given that they are used for the daily work of
many people, it is fundamental that the applications be free of malfunctions related
• Platforms must be reliable and easy to use, so that any of the users, no matter
how low their level of computer knowledge is, may effectively and efficiently use
the resources available. In addition, due to the fact that users give a lot of
credibility to what appears on computer systems in educational environments, it is
important that the information stored on them be correct, complete and reliable.
However, when we go into greater detail, we observe that each group of users has
different uses and interests, which also results in different expectations.
3.1.1 Students
The use of platforms by students is closely linked to the use their teachers make of them
in the classroom, and to the technological and instructional resources that their school
has. They are normally limited to being receivers of materials suggested to them by their
teachers, which makes their role very limited. However, they are a sector of the population
that uses the computer at home in high percentages (92.4% of homes have a computer 27 ,
from which they connect to the Internet for different purposes, in many cases on a daily
basis 28 ), and they are quite familiar with the Internet and communications tools, so it is
to be hoped that platforms may be used in the same manner.
• Confidentiality in communications.
• Available applications.
3.1.2 Teachers
Teachers are the main motors behind the use of platforms. They expect them to provide
the tools that facilitate their class preparation and the transmission of knowledge to the
students. They use them to prepare content material and design new ways of delivering
27
INTECO: Estudio sobre la seguridad de la información y e-confianza de los hogares españoles. [Study on information
security and e-confidence in Spanish homes.] First wave (December 2006-January 2007). On-line. Available at:
http://www.observatorio.inteco.es
28
European Commission: Directorate-General Information Society and Media: Safer Internet For Children Qualitative Study
In 29 European Countries - National Analysis: Spain. April 2007.
• Application availability.
3.1.3 Parents
Parents, in general, have a lower level of knowledge about ICTs, and therefore they do
not have too many initial expectations for platforms. However, when a centre provides
them services through digital means, this improves their perception of the centre’s quality
and increases the demand for new features.
They take it for granted that the platforms must be “secure,” understanding this to mean
that no situations can occur where their children have access to contents that are
inappropriate for their age or an unauthorised person can access their personal or family
information.
• Application availability.
29
Centros de Uso Avanzado de las Tecnologías Educativas. [Centres with Advanced Use of Educational Technologies.]
IES Doña Jimena: Informe de evaluación III: curso 2006-2007. [Evaluation report III: 2006-2007 school year.]
main concerns are availability, in other words, that the tool works correctly at times with
the greatest work load, and that it complies with the Organic Law for the Protection of
Personal Information 30 (LOPD), since there are increasing incidents and complaints filed
as the result of infractions of this law.
At the same time, the development of communications tools on these platforms has
caused their use to become common among the members of the educational community,
which raises certain questions about the confidentiality of communications (that student
marks or absences are sent to only authorised recipients).
• Equipment availability.
• Application availability.
Educational platforms are a powerful tool that the departments may use to quickly access
information related to the educational community, centralising it and permitting it to be
managed better. In addition, platforms may be effective chains for transmitting new
30
Organic Law 15/1999, 13 December, regarding the Protection of Personal Information (LOPD). A summary is included in
Section 3.3.1 of this document.
The effort that many autonomic communities have made through their departments of
education clearly expresses the Administration's desire to promote the use of ICTs in
schools. Platforms are expected to help with this task; in fact, they are the fundamental
tool to accomplish this, given that significant efforts and investments are being made
along these lines.
• Equipment availability.
• Application availability.
Emphasis has been placed on the platform contents, as this forms their knowledge base,
and in all reality, they are conceived of as complements to instructional material in paper
form. The other aspects of academic and administrative management and
communications are gradually being incorporated.
As product manufacturers, they are more conscious than other user groups of what
platforms can and cannot (or should not) do, and their products often exceed the users’
expectations and create needs. Their own expectations are primarily directed towards
disseminating the benefits of their platforms and expanding their use, in order to
strengthen or improve their market position as providers of educational materials.
• Information integrity.
• Equipment availability.
• Application availability.
• Information integrity.
• Equipment availability.
• Application availability.
When thinking about information security, the first thing that normally comes to mind is
keeping our information safe from indiscretions. However, when users are in daily contact
with ICTs, and in this case, with educational platforms, they realise that there are other
points that are also of utmost importance. This is the case, for example, of the information
itself, which must be displayed accurately and in the correct form; the same thing occurs
with the correct operation of the information systems, which must be guaranteed against
technical or supply problems. These are also security aspects that must be taken into
consideration.
Inaccurate or incomplete information is not very useful, and it may even present a serious
problem if it is used inadvertently as correct information in any process. For this reason, it
is fundamental to use the means necessary so that incidents that compromise this aspect
of security do not occur.
Availability is the most technical aspect, and the one that is not always considered as a
topic related to security. This has the advantage that, in many cases, there are measures
aimed at ensuring availability as a routine procedure, and for this reason, it is an aspect
that is sufficiently covered.
The most common control objectives (taken from the list Control objectives and controls in
the UNE/ISO-IEC 27001 standards) used to guarantee information security are the
following:
systems as complex as platforms, there are many persons involved who may
access the information, and therefore, it is critical that any third parties
(subcontractors, maintenance personnel, suppliers, etc.) have the same
obligations and responsibilities as an internal user, especially with regards to such
a sensitive topic as confidentiality. Aspects covered include: confidentiality and
integrity.
• Security. It is a well-known fact that all the technological measures applied with
the most rigorous criteria may still be useless if the users are not concerned with
following reasonable security practices. For this reason, it is crucial for all
personnel to be informed and trained according to their needs and responsibilities,
so that they are active users in the protection of the information they handle,
instead of being the weakest link in the chain. Another crucial point to guarantee
confidentiality is the elimination of all access modes to information that a person
might have when he ends his relationship with the organisation. He must be
required to return any assets that are in his possession and his access privileges
must be cancelled. Aspects covered include: confidentiality and integrity.
• Physical security and the environment. Any security measure related to access
control is basic in order to guarantee the confidentiality and the integrity of
information, given that what we intend to prevent is precisely an unauthorised
person accessing it. Any damage suffered by the equipment may mean a loss or
filtration of information, which means that systems must be located in
environments that are physically safe, in order to prevent damage that would
compromise their security. Aspects covered include: confidentiality, integrity and
availability.
• Access control. The rules regarding privileges that each user may have must be
clearly defined and rigorously implemented in order to prevent errors. If accesses
are correctly controlled, guaranteeing that only authorised users can access
pertinent information, this will prevent incidents from occurring to a large degree
that might affect information integrity. In spite of the fact that user control can
prevent errors, it is fundamental for the users to behave in an appropriate manner,
so that undesirable events do not occur. A positive attitude on the part of an
adequately trained user may do more for security than many of the technical
measures that are implemented. Aspects covered include: confidentiality, integrity
and availability.
• Managing security incidents. Perfect security does not exist, and therefore
incidents will always occur. When this happens, it must be possible to have the
right tools to detect them as soon as possible and solve them effectively. In order
for the errors to affect no more than what is strictly unavoidable during the
operation, there must be effective incident management, putting in place the
measures that are necessary to solve the incident as soon as possible, and
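As an added example (not code from the study or from any platform it describes), the access-control and offboarding objectives above can be reduced to a small default-deny authorisation check: a grade is visible only to the student concerned, that student's own parents, the teachers of that class and the administration, and an account that leaves the centre loses every access mode. All names, roles and sample records are constructed for illustration.

```python
# Added example, not code from the INTECO study: a minimal authorisation model for an
# educational platform. Rules are default-deny; every refusal is recorded so that incident
# handling has something to look at. All identifiers and sample data are constructed.
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    role: str                                   # "student", "parent", "teacher" or "admin"
    active: bool = True                         # False once the relationship with the centre ends
    children: set = field(default_factory=set)  # parent -> ids of his or her own children
    classes: set = field(default_factory=set)   # teacher -> ids of the classes taught


@dataclass(frozen=True)
class GradeRecord:
    student_id: str
    class_id: str
    value: str


# Constructed sample community: two students, their parents, one teacher, one administrator.
USERS = {
    "s1": User("s1", "student"),
    "s2": User("s2", "student"),
    "p1": User("p1", "parent", children={"s1"}),
    "p2": User("p2", "parent", children={"s2"}),
    "t1": User("t1", "teacher", classes={"math-3A"}),
    "a1": User("a1", "admin"),
}

RECORDS = [
    GradeRecord("s1", "math-3A", "7"),
    GradeRecord("s2", "math-3A", "9"),
    GradeRecord("s2", "lang-3A", "6"),   # taught by a teacher who is not in the sample
]

AUDIT_LOG = []   # (requester, student, class) for every denied request


def can_view_grade(user: User, record: GradeRecord) -> bool:
    """Default-deny check: True only when an explicit rule grants access."""
    if not user.active:
        allowed = False                         # offboarded accounts keep no access, whatever the role
    elif user.role == "admin":
        allowed = True
    elif user.role == "student":
        allowed = user.user_id == record.student_id
    elif user.role == "parent":
        allowed = record.student_id in user.children   # own children only, never another's
    elif user.role == "teacher":
        allowed = record.class_id in user.classes      # own classes only
    else:
        allowed = False                         # unknown role: deny rather than guess
    if not allowed:
        AUDIT_LOG.append((user.user_id, record.student_id, record.class_id))
    return allowed


def visible_grades(user: User, records=RECORDS):
    """The subset of records this user may see, as (student, class, value) tuples."""
    return [(r.student_id, r.class_id, r.value) for r in records if can_view_grade(user, r)]


def offboard(user: User) -> None:
    """When a person leaves the centre: disable the account and drop the relationships that
    granted access, so that reactivating it by mistake does not silently restore old privileges."""
    user.active = False
    user.children.clear()
    user.classes.clear()


if __name__ == "__main__":
    for uid, u in USERS.items():
        print(uid, u.role, visible_grades(u))
    offboard(USERS["t1"])
    print("t1 after leaving:", visible_grades(USERS["t1"]))
    print("denied requests logged:", len(AUDIT_LOG))
```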
The importance of information in our society and the preponderance of technology have
been the driving forces behind a certain level of awareness with regards to information
security. This new reality has resulted in numerous legislative developments being passed
over the last few years, which regulate situations that were a continual source of conflicts
and irregularities, and the violations of fundamental rights.
The objective of this law is to guarantee and protect public freedoms and the fundamental
rights of individuals, and in particular, their honor and personal and family privacy, where
the processing of personal information is concerned (regardless of whether this is
automated or not).
Many of those interviewed agree that communications are going to be the tools that are
the most used over the short to medium term on platforms. These communications will
link all members of the educational community to one another. This implies that it must be
clear what the tools are to protect communications and demand a minimum level of
services from providers in order to guarantee platform security.
Platforms have been present on the market for only a short time as compared to other
types of applications, and the services they offer are very heterogeneous, which is why
this law may not apply to all platforms. But the logical evolution would be to gradually add
services, and it is very possible that some of those considered by this law will end up
being provided by most platforms. This would mean that these legal requirements should
be included.
In the case of educational platforms, intellectual property is a topic that many of those
interviewed identified as problematic, but since there have not been serious
consequences up until now, it remains latent and, in many cases, ignored.
The ease of locating and copying information in digital formats and ignorance of the fact
that the information being used is subject to intellectual copyrights may sometimes lead to
violations in this regard.
One possible solution to this problem would be the use of Creative Commons 32 licences
on contents used by educational platforms.
3.3.6 Organic Law 1/1996, 15 January, regarding the Legal Protection of Minors
This law provides a vast legal framework for protecting minors, linking all public authorities
and institutions specifically related to minors, parents and other relatives, and citizens in
general.
The Minor Protection Law is an important source of requirements for digital platforms.
They must be designed, developed, implemented and managed in such a way that
guarantees the rights represented in this law. In addition, it is an opportunity for
developers, the Administration and school administrators to promote new uses of ICTs in
teaching, opening new doors to instructional modes that make it possible for a minor to
really exercise his rights in a secure environment.
As many of those interviewed were aware of only part of the legislation in effect which
may apply to digital platforms, it goes to show that knowledge about the international
regulations and best practices is quite limited, being confined to those professionals who
in some way have found themselves exposed to security problems.
Any of the regulations and best practices that are described below may be used as a
reference for developing security policies and measures for educational platforms, as they
are generally intended for information systems.
These regulations are, therefore, specifically for use in deciding what security measures to
implement, how to do this, and how to verify that they function adequately, measuring the
control performance.
32
Creative Commons is a non-profit organisation that has developed a series of standard legal documents (usage
licences) under which to distribute digital contents. In this way, the owner of the contents may establish whether he permits
third parties to use a part or the whole of his contents to perform work with or without a commercial purpose. Creative
Commons licences permit reserving some rights and granting others. For more information, see http://creativecommons.org/
33
Available at: www.iso.org
Commission 34 (IEC). The series contains the best practices recommended in the area of
information security in order to develop, implement and maintain Information Security
Management Systems (ISMS). The range of numbers reserved by ISO runs from 27000 to
27019 and from 27030 to 27044. The main standards in this series are:
• ISO 27001. This is the main standard in the series and it contains the
requirements for information security management systems. In its Appendix A, it
lists a summary of the control objectives and controls developed by ISO
27002:2005 for selection by organisations developing Information Security
Management Systems.
• ISO 27002. Since 1 July 2007, this is the new name for ISO 17799:2005, keeping
2005 as the year it was published. It is a guide of best practices that describes the
control objectives and controls recommended for information security. It is not
certifiable. It contains 39 control objectives and 133 controls, grouped into 11
domains.
3.4.2 Cobit
Cobit (Control Objectives for Information and related Technology) is a framework for the
governance of ICTs developed by the Information Systems Audit and Control Association
(ISACA) 35 and the IT Governance Institute 36 (ITGI). In addition to the framework, it
provides the support tools that allow administrators to establish relationships among the
control requirements, technical matters and business risks.
The first version of Cobit was published in April 1996, developing the control
objectives derived from the analysis and study of international standards and directives,
as well as best practices. Directives were then developed for performing audits that
evaluate whether these control objectives have been adequately implemented.
The main contents of Cobit (control objectives, management directives and maturity
models) are divided into 34 ICT processes, and each is broken down into four sections
that cover how to control, manage and measure the process.
The latest version, Cobit 4.0, emphasises regulatory compliance and assistance to
organisations in increasing the value obtained from ICTs; likewise, it allows for business
alignment and simplifies the implementation of the framework.
34
Available at: www.iec.ch
35
Available at: www.isaca.org
36
Available at: www.itgi.org
Among the results of their many activities, they have issued several documents on best
security practices, in particular, the NIST Handbook: An Introduction to Computer
Security 38 .
This manual, written in 2001, is intended for those in charge of the security of information
systems and all technicians who need assistance in understanding basic security
concepts and techniques.
The NIST also has other publications that are widely used within the computer security
field, such as the Contingency Planning Guide for Information Technology Systems 39 and
the Guide for Developing Performance Metrics for Information Security 40 .
37
Available at: www.nist.gov
38
National Institute of Standards and Technology (2001): NIST Handbook An Introduction to Computer Security. Special
Publication 800-12.
39
National Institute of Standards and Technology (2002): Contingency Planning Guide for Information Technology Systems,
SP 800-34 NIST. On-line. Available at: http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf
40
National Institute of Standards and Technology (2006): Guide for Developing Performance Metrics for Information
Security, SP 800-80 NIST's Computer Security Division, 4 May. On-line. Available at:
http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-80
Its products and services are intended for IT product users and manufacturers, including
mainly the public Administration at the federal, regional and local levels, in addition to
companies and private users.
Like the National Security Agency, its objective is to promote IT security, so that everyone
may take advantage of the opportunities the information society has to offer.
The BSI has published The IT Baseline Protection Manual 41 , which contains standard
security measures, advice for implementation and assistance for the numerous ICT
configurations. The goal of the information in this manual is to provide a quick solution to
security problems, support efforts aimed at improving the levels of security for information
systems and to simplify the creation of ICT security policies.
The general opinion among those interviewed is that the better designed and developed a
platform is, the more secure it will be, which is why it is important to use working and
development methodologies that ensure the absence of vulnerabilities in the code that
might later be exploited by malicious attacks or simply generate errors. In this sense, it
should be pointed out that although there are opinions and arguments in favour of both
freeware and proprietary software, the implementation of one solution over the other is
more closely related to reasons such as economic criteria or the ease of development
than security arguments. Professionals believe that any of the options is secure, as long
as the application has included security requirements from the very beginning of its
development.
41
Federal Office for Information Security (BSI) (2004): The IT Baseline Protection Manual. On-line. Available at:
http://www.bsi.bund.de/english/gshb/manual/download/pdfversion.zip
42
Available at: www.imsglobal.org
• OWASP. Best practices in secure web programming. OWASP stands for Open
Web Application Security Project, and it is an open community dedicated to finding
and combating the causes of insecurity in software, in an impartial and practical
manner.
43
Available at: www.adlnet.gov
44
Available at: www.ieee.org
4 RISK ANALYSIS
For an in-depth study of the problems related to platforms, we first extracted from the
information obtained from the study those points in which security tasks are being
performed in accordance with the best practices established by the standards in the ISO
27000 family.
Secondly, the weak points that could be identified were examined. One weak point
in this context is any situation that a) does not follow the best practices established by the
standards in the ISO 27000 family, and b), that, in one way or another, might allow one or
more of the threats being considered to occur.
Finally, a risk map was developed, with two differentiated groups. On one hand, it includes
threats stemming from natural or industrial disasters, and on the other, those of a human
origin. These threats have been chosen from among those proposed by the Magerit
methodology 45 , due to their applicability to educational platforms. Once selected, the
parameters of probability of occurrence and impact if they do occur were evaluated,
justifying these evaluations based on the information collected.
The most obvious conclusion with the widest consensus among those interviewed is that
platforms, which have a public area and a private area that can only be accessed by a
user login name and password, are relatively secure for their users, as they do not
present the same dangers that, for example, may be found over the Internet. This explains
why neither frequent nor serious incidents have occurred. If this separation did not exist,
we would expect a much higher volume of incidents, especially considering the significant
number of platform users.
45
Magerit (2006): Metodología de análisis y gestión de riesgos de los sistemas de información. [Information system risk
analysis and management methodology.] Public Administration Ministry, version 2.0. On-line. Available at:
http://www.csi.map.es/csi/pdf/magerit_v2/metodo_v11_final.pdf
security based on known devices (firewalls, load balancers, web content filters,
spam and phishing protection, antivirus 46 , etc.).
• Virus resistance. Since they are closed environments with little or no external
connection, platforms are less exposed to this type of incident. Another argument
that was given to explain the low impact of viruses on them is that most platforms
use Unix/Linux, if not completely, at least in part. These are operating systems for
which malicious code has barely been written, although we should not fall into the
temptation of stating that no specific malware exists that affects Linux 47 .
• Task segregation. Platforms have multiple functions that use information with
different levels of sensitivity. Applications that manage sensitive information are
usually logically, and even physically, separate from instructional applications. In
some cases, management applications have more access controls or are more
rigorous.
46
A firewall is hardware or software used on a network of computers to control communications, either permitting them or
prohibiting them.
Load balancers are devices that are used to manage the requests from a large number of users on the networks, redirecting
traffic to avoid bottlenecks.
Web filters are applications that permit filtering information that is downloaded to any of the computers on the network.
Antispam, antiphishing and antivirus software are programs that use various techniques to separate junk mail from wanted
mail, detecting fraudulent pages or those with malicious code.
47
INTECO: Estudio sobre la seguridad de la información y e-confianza de los hogares españoles. [Study on information
security and e-confidence in Spanish homes.] Third wave (May-July 2007). On-line. Available at:
http://www.observatorio.inteco.es
o Password files and other very sensitive information are usually encrypted.
• Lack of anonymity. The platforms are usually closed, and there is no anonymity,
which makes cyberbullying 48 practically nonexistent, since the ease of identifying
the guilty party is a powerful dissuading factor.
• Contract Law 49 . This establishes the criteria that govern hiring in the public
sector, as well as other parameters, and the necessary expertise that
entrepreneurs or professionals must have and be able to accredit in order to enter
into contracts. In the area of platforms, this law requires potential content
developers to accredit their expertise, and grants the right to require that
48
Cyberbullying is understood to mean the harassment among peers by means of new technologies (Internet, mobile
telephones or on-line games). It is not confined only to the school environment, as occurs with bullying, nor does it refer to
stalking for sexual purposes performed by adults. The terms cyberabuse and cyberharassment are sometimes used, but
these words are often confusing, due to the sexual connotations that they have in other contexts.
49
Law 30/2007, 30 October, regarding Contracts in the Public Sector. On-line. Available at:
www.boe.es/boe/dias/2007/10/31/pdfs/A44336-44436.pdf
4.1.4 Incidents
• Low number of incidents. Those interviewed agreed in pointing out that
platforms do not generate a significant number of incidents, much less security
incidents. They believe that this is the result, on one hand, of the fact that the
security controls that have been implemented are working well, and on the other,
that platforms are not an attractive target for attacks, since they do not contain
information that is interesting to a potential attacker.
4.1.5 Awareness
• Security awareness. Although there is a notable lack of training in security
issues and it is believed that there is little sensitivity towards the topic in
educational centres, a certain concern about the topic has been detected by those
interviewed, who are aware of the problems and conflictive situations that this
situation may cause if it continues over time.
50
Op. cit., 30, and the details in section 3.3.1 of Organic Law 15/1999, 13 December, regarding the Protection of Personal
Information (LOPD). Also in Appendix II
example, the lack of protection against natural incidents), but that may also compromise
platform security.
The vulnerabilities are usually related to information confidentiality, but an attacker may
also compromise the integrity of the information or affect system availability. Other
weaknesses usually affect availability to a greater degree, although they might also affect
information integrity and even (but less frequently) confidentiality.
It is very difficult to take action against each and every threat that exists for platforms,
given that security can never be perfect, due to the constant evolution of new threats and
the fact that the more restrictive the security is, the less operational the platform is for its
users. This makes it absolutely necessary to achieve a reasonable balance, which must
be defined in collaboration with security technicians from the development companies and
professionals who are knowledgeable about the dynamics of educational centres.
The ultimate question, therefore, is to determine the relative criticality of the risks
(measured in terms of their potential negative results and the probability that they will
occur) and invest in security measures according to this estimate. Whether it is more
important to protect ourselves mainly against vulnerabilities or against weaknesses
depends, to a certain degree, on which of the three concepts, confidentiality, integrity or
availability, is the most important in each setting. In a bank, for example, the
confidentiality of the clients' information is of great importance, but system availability is
probably even more important. In the case of educational platforms, taking into account
the possible risks associated with unauthorised access to sensitive information about
minors, information confidentiality is obviously a critical aspect that must be considered
when designing platform security measures.
It is true that among the sources of information and especially the different opinions
expressed by those interviewed, weaknesses related to confidentiality were given greater
importance. However, aspects related to information integrity and availability were also
commented on.
The sections below summarize the weaknesses found during the field work phase of this
project.
As far as the students are concerned, there is no awareness of the risks that they
take if they share passwords or make them overly simple. Teachers are generally
not conscious of infractions of the Law for the Protection of Personal Information or
the Intellectual Property Law that they might commit when creating or sharing
contents. The administrative teams of these centres also suffer from the same lack
of awareness.
• Lack of quality control. In most of the cases, the materials are used by their own
creators without being subjected to any type of revision. This is a serious
impediment for improving the quality of content materials.
The gradual increase in the number of passwords that a user must use, the
different degrees of authentication that they must be subjected to, as well as the
frequency with which they must be changed 52, make it increasingly more
complicated and difficult to maintain rigorous access control using this system.
Normally, the suppliers provide the software that is necessary to update the
platforms. But only when the platform is hosted in the suppliers' installations and
the centres access it remotely can we be reasonably sure that it is correctly
updated.
4.2.5 Incidents
• Service continuity. Continuity plans barely exist in the case of a disaster. Those
interviewed expressed that they were generally not worried about this problem.
Educational centres completely trust that, in the case of a disaster, the
Administration or the service providers would be able to give them support in order
to continue.
However, in some departments of education this aspect of security has been taken
into consideration, and they do have continuity plans for action, if necessary.
many cases, and only come to light when one of the parties involved reports the
situation; for example, based on complaints from parents, requests for
authorisation to post photos of their children on school web pages have become
commonplace.
53 Op. cit., 45.
The other type of risk classification includes those that originate in human mistakes made
by the different users that access the educational platforms, either due to their use or to the
interest that the content, or the systems that host it, have for them (Table 2).
Each of the threats has been evaluated in terms of the likelihood that it will occur and the
impact it would have, based on a three-point scale (high, medium and low), with the sole
purpose of calculating the risk and identifying what those interviewed have stressed most.
The first classification refers to disasters caused by nature or by industrial errors beyond
the control of individuals. However, as can be seen in Table 3, Threat map for natural and
industrial disasters, although the probability is minimal in most cases, this is not reflected
in the impact that these events may have on educational platforms. Table 4 shows the
threat map related to human errors. Unlike the data collected in the previous table, human
errors have a high probability of occurring, which translates into a more serious impact.
Table 3. Threat map for natural and industrial disasters, according to the probability that
they will occur and their impact
Probability Impact
Threat High Medium Low High Medium Low
Fire X X
Water damage X X
Industrial disasters X X
Physical or logical malfunction X X
Electrical power loss X X
Inadequate temperature and/or humidity conditions X X
Communications service failure X X
Interruption of other services and essential supplies X X
Degradation of the information storage media X X
Source: INTECO
Table 4. Threat map for human errors or malfunctions, according to the probability that they
will occur and their impact
Probability Impact
Threat High Medium Low High Medium Low
User errors X X
Administrator errors X X
Monitoring errors (log) X X
Configuration errors X X
Organisational deficiencies X X
Diffusion of harmful software X X
Information leaks X X
Altered information X X
Entering incorrect information X X
Information deterioration X X
Destruction of information X X
Revealing information X X
Program vulnerabilities X X
Program maintenance and updating errors X X
Maintenance and equipment (hardware) updating errors X X
System crash due to depleted resources X X
Unavailability of personnel X X
Manipulation of the configuration X X
Identity theft X X
Abuse of access privileges X X
Unanticipated use X X
Redirecting messages X X
Unauthorised access X X
Traffic analysis X X
Repudiation X X
Intercepted information X X
Information modification X X
Entering false information X X
Corruption of information X X
Destruction of information X X
Revealing of information X X
Program manipulation X X
Service denial X X
Theft X X
Destructive attack X X
Extortion X X
Social engineering X X
Source: INTECO
As pointed out in several sections of this report, educational platform security is not
currently an important problem. However, some of those interviewed painted a picture of a
future that is different, in which security will be compromised to a greater extent. This
evolution will be linked to the generalisation of platform use and the increase in the
functions they support, especially those related to communication and processing more
sensitive information that is interesting to potential attackers.
As previously mentioned in this study, many of those interviewed have commented that
the low number of incidents may increase if the information stored on the platforms
becomes attractive for some reason. The way we use technology changes constantly, and
the information that is stored also varies. Five years ago, no-one considered the possibility
that it was necessary to have to authorise the publication of a photo of their child, but
nowadays, this has become a legal requirement. Since it is not possible at the present
time to predict what type of information will begin to be included on the platforms over the
medium to long term, it is necessary to evaluate the risks to which information is regularly
exposed. In this way, we can begin to make informed decisions about the security
measures that need to be included as the needs change.
Another aspect that does not present serious problems at the moment is availability.
However, given that it is expected that the number of users will grow considerably over
the short to medium term, it will be necessary to conduct a study in order to anticipate the
capacity that systems should have in order to provide quality service at key times when it
is anticipated that important peaks of simultaneous activity will occur (registration,
evaluations, scholarship applications, attendance reporting), due to greater use of
resources or an improvement in the platforms themselves.
Communications were mentioned in several interviews as tools that present the best
possibilities for development over the short term. It is to be expected that within a short
time, users will be provided with powerful means of communication to exchange all types
of data and information. Parallel to this increase in functions, the control mechanisms
aimed at preventing the compromise of information security or users must also be
increased. On one hand, user authentication must be strict, making unequivocal
identification fundamental for all platform users. On the other, we must prevent
interceptions of these communications, sidetracking and delivery errors for potentially
confidential messages, and ensure that the recipients are only those intended.
5 DETECTED NEEDS
The analysis performed in the previous sections has given us an approximate idea of the
setting in which the design, construction, implementation and use of educational platforms
occurs in our country.
This analysis is in line with the study objectives: by identifying each group
involved and comparing them with the real situation revealed by those interviewed and
with the recommendations made by existing standards, laws and best practices, it allows us
to detect the needs that are being created by the emerging use of platforms.
It has been demonstrated throughout the study that it is necessary to continue to promote
security policies for educational platforms. This need is motivated by several factors. Even
so, developers do not believe that a specific security policy is necessary in this
area, since they consider that the contents are not exposed to possible incidents. Furthermore,
given that up until now there have been no cases in which systems hosting platforms have
suffered from vulnerabilities, the topic of making them secure has not been considered. In
the case of administrators and users, the level of use and the benefit that they may obtain
from the platforms is limited by their lack of training. Most experts who participated in the
study agree in pointing out that:
• A serious security incident would damage the credibility of these tools and would
halt development in the sector, as well as the spread of their use.
• Strict compliance with the Personal Information Protection Law and the new
regulations developed from the LOPD (RDLOPD) must be included in the
development requirements for any platform, thereby facilitating the work of the
users and avoiding potential infractions.
• The topic of intellectual property has been identified as a sensitive issue; however,
since so far there have not been any serious consequences, it is an issue that lies
dormant and, in many cases, is ignored. One possible solution to this problem
would be the use of open licenses, such as Creative Commons, for the contents
used by educational platforms.
Taking into consideration the opinions of experts and the real situation of these platforms,
INTECO has identified the needs that exist over the short, medium and long terms below,
for the following scopes of action:
54 In order to facilitate the development of these criteria, programmes have been initiated in the European Union, such as
Safer Internet Plus, which promote the development of activities along four lines of action
55 Junge, Kerstin, and Hadjivassiliou, Kari (2007): What are the EU and member states doing to address digital literacy?
E-learning Papers, no. 6. ISSN 1887-1542.
56 In Europe, these efforts consist of initiatives intended to improve digital competence through, for example, including
competences in the curriculum with a wider scope regarding the topics of security and safe Internet navigation (such as the
programme “Ligar Portugal”) and the creation of a network for teachers where they may also receive training on e-learning
tools and develop material in conjunction with others that may be made available to the entire school community (such as
the Opinpolku project). On-line. Available at: http://www.ligarportugal.pt/ and at http://www.opinpolku.com/www/
57 As part of the effort to reach this objective, in the United Kingdom, the British Government’s Educational Communications
and Technology Agency, BECTA, has developed a strategic tool as the result of collaboration among 38 local authorities, 5
regional broadband consortiums and representatives from Scotland, Wales and the European Union. It has been developed
with the idea of facilitating the sharing of best practices and offering support and guidance so that local authorities may
guarantee the on-line security of children and students. It includes numerous recommendations in several areas, among
them, how to develop a secure infrastructure, how to plan a security training strategy and the monitoring and
communication of incidents. For more information, see BECTA (2008): Safeguarding children in a digital world. Developing
an LSCB e-safety strategy.
The growing use of platforms and the increase in the functions they support,
especially those related to communication and managing more sensitive
information that is interesting to potential attackers, makes it necessary to
establish mechanisms that guarantee their continuity 59. Since it is not possible to
anticipate at this time what type of information will be incorporated onto the
platforms over the medium to long term, it is necessary to evaluate the risks to
which the information is regularly exposed; in this way, decisions can be made
regarding the security measures that must be incorporated as the needs change.
Another aspect that currently does not present serious problems is availability,
although, since the number of users is expected to grow considerably over the
short to medium term, a study should be conducted concerning the capacity that
the systems must have in order to offer the quality of service that is expected,
independently of whether there are key moments when significant peaks of
concurrent activity may occur (registration, evaluations, scholarship applications,
attendance reporting, etc.).
58 One example of the use of standards adapted to the diversity that exists in platforms, devices and languages that are
used is Intel’s Skoool initiative, based on Skoool™ technology. On-line. Available at: http://www.skoool.com,
http://www.skoool.co.uk and http://www.skoool.es
59 Anticipating the complexity of the issue, in the United Kingdom, BECTA has developed a guide on ICT use security for
educational centres. For more information, see BECTA, ICT (2004): Essential guides for school governors, Safety and
security with ICT.
In light of the needs identified in the previous section, we can identify some proposals and
recommendations that the different participants and users of the educational platforms
studied, namely, those from primary and secondary school settings and related services,
should consider with regards to information security. These recommendations should be
kept in mind when:
In this manner, the security levels currently found within the framework of educational
platforms can be improved.
The recommendations and proposals for improvement that INTECO suggests are:
• Using the media to disseminate information. These may become great allies in
any strategy to make the public aware of and sensitive to security issues.
6.2 Regulations
6.4 Functionality
• Make platform operation more flexible and operational, which would lead to
their possible self-regulation 60 with the idea that they would internally assume the
standards that must control their activity. This is even more necessary on those
platforms that have been created by means of different developments, freeware or
proprietary software, which makes it impossible to manage them in a common way.
• Improve the physical security for the areas where platforms may be used,
since in many cases it is very easy to physically access them, which makes them
vulnerable to possibly hazardous situations. Equipment that stores sensitive
information or that which might be used to access this type of information should
be located in places that are reasonably protected from unauthorised access. If
this is not possible, for example, in common areas of educational centres that are
open to the public, more restrictive logical controls must be established that
prevent access to the applications. Of course, this does not apply to platform
developers, who in any case should have access controls of their own to ensure
that only authorised personnel may enter the installations and data processing
centres belonging to the departments of education; for this reason, they must be
very restrictive with regards to their access privileges. Besides access control, fire-
proofing measures covered under current legislation must be considered, as well
as other measures intended to prevent damage in the event of natural disasters,
such as floods or wind, which may cause serious problems.
• Manage capacity. Various sections of this study have commented on the concern
raised among those interviewed with a more technical profile regarding the
possibility that the increase of users may cause malfunctions in the system,
causing them to crash due to lack of capacity. This is especially critical in the case
of work peaks within the educational community, such as during registration or
marking periods. For this reason, a significant advance would be for capacity
management to be gradually incorporated within the management of information
systems that are involved in platform use. It is necessary to perform a detailed
tracking of user additions, traffic levels, the periods of greatest use, and in general,
any parameter that might indicate system capacity requirements, in order to be
able to plan for the needs ahead of time. In this manner, the necessary actions
can be established to anticipate the capacity that the users will need and ensure
that the systems remain constantly adjusted to the real use that is being made of
them.
60 Self-regulation is defined as the voluntary internal control and monitoring process that an organisation has, with the
capacity to perform real analyses of situations.
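As an added illustration of the tracking this recommendation calls for (example code written for this edition, not part of the INTECO report or of any platform described in it), the following Python script aggregates a constructed platform access log into hourly buckets, counts requests and distinct users per hour, finds the peak hour and flags when that peak approaches a planned capacity figure. The log format (ISO timestamp, user identifier, request path), the use of distinct users per hour as a proxy for concurrent users and the 20 % headroom threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not real data). The format is an assumption:
# "<ISO timestamp> <user id> <request path>". One deliberately malformed line
# is included to show that the parser skips it instead of failing.
SAMPLE_LOG = """\
2009-09-01T08:05:12 u1001 /login
2009-09-01T08:06:40 u1002 /login
2009-09-01T08:07:03 u1001 /course/12
2009-09-01T08:15:22 u1003 /login
2009-09-01T08:16:09 u1003 /enrolment
2009-09-01T09:02:11 u1001 /course/12
2009-09-01T09:45:51 u1004 /login
this line is not a log record
2009-09-01T14:00:01 u1005 /marks
2009-09-01T14:00:02 u1006 /marks
2009-09-01T14:00:05 u1007 /marks
2009-09-01T14:01:10 u1005 /marks
2009-09-01T14:02:33 u1008 /marks
2009-09-01T14:03:47 u1009 /marks
2009-09-01T14:04:00 u1006 /course/3
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, user, path) for each well-formed line; skip the rest."""
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue
        ts_str, user, path = match.groups()
        try:
            ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue  # unparseable timestamp: ignore the record
        yield ts, user, path


def hourly_usage(text):
    """Requests and distinct users per hour bucket, keyed 'YYYY-MM-DD HH:00'."""
    buckets = defaultdict(lambda: {"requests": 0, "users": set()})
    for ts, user, _path in parse_log(text):
        key = ts.strftime("%Y-%m-%d %H:00")
        buckets[key]["requests"] += 1
        buckets[key]["users"].add(user)
    return {
        key: {"requests": v["requests"], "users": len(v["users"])}
        for key, v in sorted(buckets.items())
    }


def peak_hour(usage):
    """Return (bucket, stats) for the hour with the most distinct users."""
    return max(usage.items(), key=lambda kv: (kv[1]["users"], kv[1]["requests"]))


def capacity_report(text, concurrent_user_capacity, headroom=0.2):
    """Compare the observed peak with the planned capacity.

    The peak is flagged once it consumes all but `headroom` of the planned
    concurrent-user capacity, so growth can be planned before a crash.
    """
    usage = hourly_usage(text)
    bucket, stats = peak_hour(usage)
    threshold = concurrent_user_capacity * (1 - headroom)
    return {
        "peak_hour": bucket,
        "peak_users": stats["users"],
        "peak_requests": stats["requests"],
        "capacity": concurrent_user_capacity,
        "action_needed": stats["users"] >= threshold,
    }


if __name__ == "__main__":
    for hour, stats in hourly_usage(SAMPLE_LOG).items():
        print(hour, stats)
    # A platform sized for 6 concurrent users is already within 20 % of its
    # limit during the 14:00 marks peak (5 distinct users).
    print(capacity_report(SAMPLE_LOG, concurrent_user_capacity=6))
```

Run over a real export, the same aggregation (with a finer bucket, and a session or connection count where the platform logs one) gives the "periods of greatest use" series the text asks for; the capacity figure and headroom are inputs the centre or supplier sets from its own service-level expectations.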
• Give more importance to platform design, in the sense that they must be
designed so that it is more difficult for the users to make mistakes. For example:
o They must be equipped with help mechanisms that act as the first level of
user support.
jeopardises their continuity, they can use the installations at another school that
has not been affected.
• Manage incidents. These are so few and far between that the actions taken to
solve them are not recorded. It is important for the Public Administration to remain
technologically vigilant by keeping a record of incidents that may identify
vulnerabilities, as well as mechanisms and agreements that this may create with
the Security Forces and Administrations to alert and pursue those causing such
incidents. This does not free the platforms from the responsibility of keeping a
record of vulnerabilities. To accomplish this in a coherent manner, the educational
centres should have mechanisms so that students, instructional staff and
administrators may report potentially harmful incidents. This may uncover many
incidents that are currently undetected. In addition, system administrators must
also have their own mechanisms for informing someone qualified to solve these
incidents, and formal procedures for detecting and managing incidents related to
security and information system malfunctions. There must be formal procedures
that permit finding a solution to the problems that occur, studying the causes
behind them, in order to eliminate them effectively.
• Have security policies and guidelines in the educational centres and the
organisations or businesses that provide infrastructure support to these
centres. In this way, we will unify and improve user practices, maintaining at least
a minimal acceptable level of security. These policies must specify the sanction
received in the case of infractions of this policy.
• Perform risk analyses. These analyses must be performed first and foremost by
the platform suppliers, in order to incorporate security measures into their products
that are intended to reduce the detected risks. Those in charge of purchasing
these applications must also perform them in order to demand the corresponding
security controls and to make an informed decision from a global perspective
regarding the best product for their circumstances.
• Control malicious code attacks. In spite of the fact that platforms have very
closed operating and usage environments, they are not immune to possible
malicious code attacks in any format (viruses, worms, Trojans, etc.). Given that
viruses and other hazards spread very quickly, and often without the end users
even being aware of them, it is very important for the platforms to be equipped with
a quick warning alert system, or if this is not possible, to have professionals who
perform constant supervision, so that an incident of this type does not go
unnoticed. With regards to this point, it is fundamental to have sufficient human
and technical resources that are capable of regularly performing the following
actions:
o Installing and updating the programs that detect and eliminate malicious
code.
o Information updating.
If these guidelines are not met, an attack may be successful long enough to cause
irreparable damage to the systems and the information stored on them.
• Perform and manage security audits. This type of audit generates a lot of
relevant information regarding the technical condition of the systems, and they
may detect latent problems that would otherwise not be discovered. Likewise, they
must be systematised in order to guarantee their continuance, regardless of who is
assigned to the task.
method, replacing it with other safer systems for accessing applications, such as
biometric devices, or by reinforcing it, for example, by using digital signatures.
I Public administrations
II Departments of education
• Castille and Leon: María José Martínez and Javier Fernández (responsible for the CyL
Platform Contents).
• Catalonia: Jordi Vivancos (responsible for ICT Projects for Education), Laia Martui
(Legal Support), Jordi Orgue (responsible for ICT Area Systems), Dolores Jiménez
(responsible for Quality in the Area of ICT) and Assumpta Rocosa (director of ICT).
• Anaya: Carlos San José (director of the Network Contents and Services
Department).
• Cospa-Agilmic: Ignasi Hosta (sales and marketing director) and Xavi Valls
(Systems manager).
• Intel Skoool: Juan Pablo Ferrero (director of Information Society Development for
Intel Spain) and Enrique Celma (director of the Education Sector).
• S21 SEC: Antonio Ramos (director of Standards and Best Practices) and Alfonso
del Castillo (director of the Security Technology Area and Managed Security).
V Associations
VII Others
The objective of this law is to guarantee and protect public freedoms and the fundamental
rights of individuals, and in particular, their honour and personal and family privacy where
the processing of personal information is concerned (regardless of whether this is
automated or not).
Personnel who have access to this information are obliged to maintain professional
secrecy with regards to it, and therefore, they must not communicate this information
to third parties for any reason other than that for which it was collected.
Likewise, this personnel must keep in databases only that information that is necessary for
them to perform their functions, in other words, the information must not be excessive in
relation to the scope and the determined purposes. Personal information must be precise
and up-to-date, so that it truthfully represents the affected party’s current situation.
Those from whom personal information is requested must be previously, expressly and
clearly informed about:
• The existence of a file or the processing of personal information, the reason the
information was collected and the recipients of this information.
• The identity and address of the person responsible for handling the information, or
if applicable, their representative.
In order to maintain the confidentiality, integrity and availability of the information, the
Personal Information Protection Law requires there to be a security document with the
regulations and procedures for compliance with the previous points.
The affected parties, persons whose personal information is saved, have a series of
rights protected by this law.
• The right to information. When the affected party provides his information, he
must be informed about the previous points.
This law incorporates the contents of community regulations into the Spanish legal
regulations, fully abiding by the principles contained therein, however, adapting them to
the peculiarities that form part of our law and the economic and social situation in our
country.
The objectives and principles of this law are, among others, the following.
This law regulates the legal control over information society services and their contracting
by electronic means, with regards to service provider obligations and those of parties who
act as intermediaries in the transmission of contents over telecommunication networks.
Likewise, it includes commercial communications by electronic means, the information
before and after the execution of electronic contracts, conditions related to their validity
and effectiveness, and the range of sanctions applicable to information society service
providers.
This law applies to information service providers established in Spain, as well as the
services they provide.
This is a law that regulates electronic signatures, their legal validity and the provision of
certification services.
It shall apply to certification service providers established in Spain and the certification
services that the providers residing or with headquarters in another State offer through a
permanent establishment located in Spain. A certification service provider is considered to
be any individual or legal entity that issues electronic certificates or provides other
services related to electronic signatures.
An advanced electronic signature is that which permits identifying the signer and detecting
any subsequent change in the signed information, which is uniquely linked to the signer and
the information referring to him, and which has been created by means that the signer
may maintain under his exclusive control.
A recognised electronic signature shall have the same value with regards to information
recorded electronically as a handwritten signature does with regards to information
recorded on paper.
This law stipulates that the intellectual ownership of a literary, artistic or scientific work
belongs to the author, due to the mere act of its creation.
Intellectual property includes personal and property rights, which give the author the full
capacity and the exclusive right to exploit the work, with no more limitations than those
established by law.
Intellectual property rights concern all original literary, artistic and scientific creations
expressed by any medium or format, tangible or intangible, currently known or those that
will be invented in the future, including, among others, the following.
• Conferences, forensic reports, academic explanations and any other works of the
same nature.
• Projects, diagrams, models and designs for architectural and engineering works.
• Computer programs.
Notwithstanding the author’s rights to the original work, the following are also subject to
intellectual property rights:
Also subject to intellectual property under the terms of Book I of this same law are
collections of the works of others, of information or other independent elements, such as
anthologies and databases that, by the selection or arrangement of their contents,
constitute intellectual creations, notwithstanding any rights that may pertain to these
contents, if any.
The protection recognised in this article for these collections refers only to their structure,
as far as the way in which the selection is expressed or the arrangement of its contents,
but not extending to the contents themselves.
For the purposes of this law, and notwithstanding what was stipulated in the previous
section, databases are considered to be collections of works, data or other independent
elements that are arranged systematically or methodically, and that are individually
accessible by electronic or other means.
The protection given to databases by virtue of this article does not apply to computer
programs used in the manufacture or operation of databases accessible by electronic
means.
This is a matter in which many of those involved recognise that a problem exists, which
since serious incidents have not occurred, remains latent, and in many cases, ignored.
The ease of locating and copying information in digital formats results in this law being
broken habitually and on a daily basis, sometimes involuntarily, by simply being unaware
that the information used is subject to intellectual property rights. This is particularly
serious in the case of teaching staffs, who are the largest consumers and producers of
contents.
In accordance with this law, the following industrial property rights are granted for the
protection of corporate identities.
• Trademarks.
• Commercial names.
Requests, concessions and other acts or legal dealings that affect the rights indicated in
the previous section must be inscribed in the Trademark Registry, as stipulated by this law
and according to its regulations.
The Trademark Registry covers the entire national territory and is directed by the Spanish
Office of Patents and Trademarks, notwithstanding the jurisdiction in the area of executing
the industrial property legislation that corresponds to the autonomic communities, as
specified under this law.
Property rights to the trademark and the commercial name are acquired by means of a
valid registration performed according to the provisions of this law.
This law has the same problem that was previously commented on for intellectual property. Content
producers are unaware of the requirements of this law and wrongfully use trademarks and
commercial names, which could end up in a claim being filed by the affected company.
VII Law 20/2003, 7 July, regarding the Legal Protection of Industrial Designs
The objective of this law is to establish the legal framework for the protection of designs
that constitute industrial property.
All designs that meet the requirements established by this law may be protected as
registered designs by their valid inscription in the Design Registry.
Requests, concessions and other acts or legal dealings that affect the design right
requested or registered must be inscribed in the Design Registry, as stipulated by this law
and according to its regulations.
The Design Registry covers the entire national territory and is directed by the Spanish
Office of Patents and Trademarks, notwithstanding the jurisdiction in the area of executing
the industrial property legislation that corresponds to the autonomic communities, as
specified under this law.
The objective of this law is to regulate contracting in the public sector, in order to
guarantee that it complies with the principles of free access to bidding, publicity and
transparency of proceedings, non-discrimination and equality in treatment among
candidates, and related to the objective of budgetary stability and cost control, to ensure
an efficient use of funds allocated for public works, the acquisition of goods and the
contracting of services through the requirement for prior definition of the needs to be met,
safeguarding free competition and the selection of the economically most advantageous
offer.
Also subject to this law is the regulation of the legal framework that applies to the effects,
compliance and termination of administrative contracts, with regards to the institutional
purposes of a public nature that they aim to achieve.
This law provides a vast legal framework for protecting minors, linking all public authorities
and institutions specifically related to minors, parents and other relatives, and citizens in
general.
• The right to honour, privacy and one's own image. This right also covers the
inviolability of the family home and of correspondence, the secrecy of
communications, the diffusion of information and the use of images or names of
minors in the media. Parents, guardians and the public authorities must respect
these rights and protect them from possible attacks by third parties.
• The right to information. Minors have the right to look for, receive and use
information appropriate to their development. Parents, guardians and public
authorities must ensure that the information that minors receive is adequate, and
the public administrations must provide incentives for the production and diffusion
of informational materials and facilitate access of minors to information services.
• Ideological freedom. The minor has the right to the freedom of ideology,
conscience and religion. Parents and guardians have the right and the duty to
cooperate so that the minor exercises this freedom in a way that contributes to his
comprehensive development.
• The right to participation, association and gathering. Minors have the right to
participate fully in the social, cultural, artistic and recreational life found in their
surroundings.
• The right to freedom of expression. Minors benefit from the right to freedom of
expression under the constitutionally stipulated terms, including the publication
and distribution of their opinions, the publication and production of means of
dissemination, and the access to aid established by the public administrations for
this purpose.
• The right to be heard. Minors have the right to be heard in both a family setting
and in any other administrative or judicial proceeding in which they are directly
involved and that leads to a decision that would affect their personal, family or
social surroundings.
The Minor Protection Law is an important source of requirements for digital platforms.
They must be designed, developed, implemented and managed in a way that
guarantees the rights recognised in this law. It is also an opportunity for
developers, the Administration and school administrators to promote new uses of ICTs in
teaching, opening the door to instructional modes that make it possible for a minor to
genuinely exercise his rights in a secure environment.
I Public administration
• BECTA, ICT (2004): Essential guides for school governors safety and security with
ICT.
• BECTA: http://www.becta.org.uk/research
• Red.es: Informe sobre la implantación y uso de las TIC en los centros docentes de
Educación Primaria y Secundaria (curso 2005-2006). [Report on the
implementation and use of ICTs in Primary and Secondary schools (2005-2006
school year).]
II Associations
• CASEY, H.; HARRIS, J., and RAKES, G. (2001): Why change? Addressing Teacher
Concerns toward Technology.
• GILL, T. (ed.) (1996): Electronic children. How children are responding to the
information revolution. London, National Children Bureau.
• LEE, C.; CHENG, Y.; RAI, S., and DEPICKERE (2005): “What affect student
cognitive style in the development of hypermedia learning system?”, in Computers
& Education, 45, 1-19.
• MARQUÉS, P. (2005): Las TIC y sus aportaciones a la sociedad. [ICTs and their
contributions to society.] UAB.
• Royal Legislative Decree 1/1996, 12 April, regarding the Intellectual Property Law.
V Security providers
VI Qualitative methodology
• LESY, M. (1976): Real Life: Louisville in the Twenties. New York, Pantheon.
• WAX, R. (1971): Doing Fieldwork: Warnings and Advice. Chicago, University of
Chicago Press.
LIST OF TABLES
Table 3. Threat map for natural and industrial disasters, according to the probability that they will occur and their impact. 64
Table 4. Threat map for human errors or malfunctions, according to the probability that they will occur and their impact. 64
http://www.inteco.es
http://observatorio.inteco.es