Synergetic Data Privacy and Security Information Sheet

Overview

Synergetic has been used by schools since the late 90's with many long term clients reliant upon its financial and student management features to help run school data operations. The software is installed and initially configured for schools with the help of the Synergetic Systems and Professional Services consultants, with initial administrator training provided to the school's allocated Synergetic System Administrator. During installation, training and general guidance on setup of SQL Server users and Synergetic application permissions is normally provided to the administrator. From the time of installation, schools management and administrators need to be aware of the Synergetic Systems Responsibilities and how day to day management of security and environment configuration needs to be factored in to their care.

At the core of Synergetic is Microsoft SQL Server, which hosts databases that contain both sensitive and personal information, a lot of which would be considered personal or sensitive information within the Notifiable Data Breach policy. Additional risks are often introduced by misconfiguration of the additional application layers, such as overuse of administrator accounts or lack of adequate network firewall protection. Security configuration is just part of the overall picture and organisations should follow best practices to further define information security policies and educate staff on the responsibilities of data handling and protection of information they have access to. Without this in place, the lack of education and adequate system security configuration or practices puts the organisation at higher risk of data breach or damage to business reputation and daily operations.

This document provides a summary information sheet to help school admins and management understand their responsibilities associated with Synergetic data and system configuration protection. The overall objective is to bring more awareness towards responsibilities for maintaining confidentiality, integrity and availability of critical data and the underlying systems.

Data Protection

Image result for data protection

Sensitive and Personal Data

Synergetic is an information system with facility to store a significant amount of personal and financial data.

Some examples of sensitive or personal data are as follows:

  • Personal information
    • names, addresses
    • contact details
    • gender
    • date of birth (age) 
    • family relationships and contacts
  • Health information 
    • information or opinion about a person’s physical, mental or psychological health or disability
    • health status, medical history and incidents
    • immunisation status and allergies
    • counselling records
  • Financial information 
    • Payroll and creditor details - eg. tax file number and bank details
    • Debtor account history, family payment arrangements and payment information
    • School financial ledger
  • Sensitive information 
    • racial or ethnic origin
    • religious affiliations
    • legal information relating to parent separation such as court orders
    • student academic results and teacher comments

This information is normally core to the organisation and must be protected from unauthorised access to avoid potential data breach incidents. The integrity of the data recorded is also critical for duty of care requirements and daily processes for schools so records should only be updatable by authorised personnel. Security configuration should ideally be set so that permission sets follow the 'Principal of Least Privilege' whereby staff are only granted the minimum permissions required to perform their duties.

Examples of incidents affecting Data Confidentiality

  • Not following the 'Principal of Least Privilege'
  • Lack of policy or staff education on data access and sensitive information handling policies
  • Unauthorised system access due to:
    • compromised accounts
    • weak passwords or password management processes
    • database backups copied to insecure locations
    • overuse of administrator accounts and privilege
    • inadequate account provisioning/de-provisioning processes
    • malware/viruses

Governance Policies and Legal Obligations for Data Privacy 

School management and staff should have understanding of their applicable legal, regulatory and contractual requirements relating to information security. 

Examples and guidelines:

      

These are just a couple of examples so each school should check their local country, state, membership and other regulatory requirements.

System Availability

 Image result for high availability

System uptime and availability is also an important aspect of securing information systems. Inadequate system security leads to higher risk of system instability, due to events such as unauthorised or unintentional changes to system configuration. Along with security configuration it is recommended to also review system High Availability and Disaster Recovery systems in place to ensure adequate compliance for business continuity requirements.

The Synergetic database and software suite provide the following types of services listed below:

  • Staff: 
    • Financial accounts reporting and data processing, accounts receivable/payable, payroll, sales and invoicing
    • Access to student data including contact, medical and health records
    • Attendance and reporting areas need to be accessible to teaching staff or third party vendors (if using LMS)
  • Parents:
    • Community Portal for student information, account balances and payments, parent-teacher interview bookings, excursions
  • Students:
    • Community Portal for timetables and results
  • Third Party Vendors:
    • Synergetic SQL databases are normally considered the source of truth for many third party applications.
    • Web service APIs are normally used for vendors to access the Synergetic databases

Examples of incidents affecting System Availability

  • Unintentional or unauthorised:
    • data update or deletion
    • configuration or service status updates on the database or web servers
  • Database or server corruption
  • Software and operating system patching
  • Hardware/application performance issues
  • Inefficient or un-tested user queries (eg. MS Query or Power BI) performed directly on production database servers
  • Malware or ransomware


Synergetic Security Considerations

The table below lists areas to consider within your security framework, policies and system reviews to help secure sensitive data stored within Synergetic and the Synergetic applications.

This is not an extensive list and it should be used in conjunction with best practices and security standards.

Useful Reading

Policies and Guidelines

What is Personal Information (OAIC): https://www.oaic.gov.au/privacy/guidance-and-advice/what-is-personal-information/

Australian Privacy Principals: https://www.oaic.gov.au/privacy/australian-privacy-principles/read-the-australian-privacy-principles/

DET Privacy Policy Advisory Guide: https://www.education.vic.gov.au/school/principals/spag/governance/Pages/privacy.aspx

ISV Privacy Policy Compliance Manual: https://isca.edu.au/wp-content/uploads/2019/12/Schools-Privacy-Compliance-Manual-National-Updates-November-2019.pdf


Best practices and Standards

Information Security Management (ISO/IEC 27001): https://www.iso.org/isoiec-27001-information-security.html

Restriction of System Administrator Accounts: https://www.cyber.gov.au/publications/restricting-administrative-privileges

Principal of Least Privelage: https://digitalguardian.com/blog/what-principle-least-privilege-polp-best-practice-information-security-and-compliance

SQL Server Security: 

https://www.sqlshack.com/top-10-security-considerations-sql-server-instances/

https://www.red-gate.com/simple-talk/sql/database-administration/how-to-get-sql-server-security-horribly-wrong/