By Erin Werra, Marketing Content Specialist, Skyward.
Though the Children’s Online Privacy and Protection Act (COPPA) was implemented in 2000, a 1974 law paved the way for kids’ privacy online.
The Family Education Rights and Privacy Act (FERPA) came first and dealt primarily with paper gradebooks and report cards then. How times change.
Today, FERPA holds the line in multiple ways. Not only does the regulation give families rights to access their children’s data, but it also provides guidance for what schools need to do to protect children’s data—whether it’s kept in paper files onsite or hosted files in the cloud. And as edtech providers build solutions for schools, FERPA provides the foundation for any decision dealing with student data.
Since schools are custodians of children’s data, the buck stops with the superintendent and school board. This means school districts must choose an edtech vendor with superior security strategy. What does that look like? There are two parallel security rails that keep student data safe in a student information system (SIS).
The first is FERPA’s language about “legitimate educational interest.” The way an SIS manages who can see which student matters. This may be permissions-based, which means certain roles will have less access in the software. From a security standpoint, this tactic supports least privilege: only the minimum necessary rights are granted to each user, creating higher levels of security in the system overall.
Next, it’s crucial that each edtech vendor have a deep and rich repository of authentication tools, including multi-factor authentication (MFA) and single sign-on. But it’s perhaps even more important to have the right attitude about keeping data safe and each user’s responsibility to prevent exposing credentials to a cybercriminal.
It’s up to each school district to defend whether an educator has a legitimate educational interest and therefore can view a student’s data. So in practice, limiting access to student data may result in pushback.
After all, legitimate interest may exist, but an SIS system cannot be reasoned with to accept one-off cases. What can teams do to manage the real needs of educators and create a secure AND reasonable, FERPA-compliant approach to sharing data?
Just like edtech vendors, this is a double-winged approach. First, educators can understand student data in its repository role: that is, the data is kept safe and secure (whether that’s an onsite data center or a cloud-hosted approach) until it is needed.
Next, educators can own their roles in staying FERPA-compliant with complete administrative support. On occasion an educator is asked by families to share student data, but far more common is the review of student data by professional learning communities (PLC). This analysis helps educators determine their efficacy, crowdsource ideas from other professionals, and create detailed strategies for student progress. It’s important! It’s equally important to maintain student privacy.
That’s why the practice of FERPA first can inform how educators share information amongst each other, whether in software or via printouts and screenshots. If teachers choose to print and capture, those reproductions are covered under FERPA, too.
Educators are targeted by criminals spoofing edtech software providers. Being empowered to protect the network by being critical of email requests and aware of phishing scams can help your district stay FERPA compliant.
Another obstacle for FERPA compliance? The kids themselves.
Students who are digital natives do not automatically understand good boundaries of data stewardship, but you can bet they can navigate a device quickly. This can be a recipe for disaster.
The good news is educators and edtech vendors are well aware students can pose a threat to data security. Students can infiltrate secure systems using stolen or guessed passwords, so educators can create a strong passphrase and use MFA, reporting any unexpected prompts for credentials to IT. Students can stumble upon printed data, so educators can secure, destroy, or redact the information they export from edtech systems.
For an act pre-dating the widespread use of technology, FERPA does some pretty outstanding things to keep K12 data safe in cyberspace. Whether it’s written, typed, calculated using grading software, or otherwise introduced into an edtech system, the right attitude about protecting student data matters. FERPA matters.
By Erin Werra, edtech enthusiast and writer, Skyward.
One of the core tenets of FERPA states that student records should only be available to those who have a specific need to see them. On the other side of district operations, sensitive financial information can easily become fodder for fraud if it falls into the wrong hands.
There’s a lot of data to safeguard as a system administrator.
One strategy to explore is task-based roles in your student information system or enterprise resource planning system. How does this strategy keep your data safe? Let’s explore.
Roles vs. tasks
The first step is to define the difference between roles and tasks within the software.
Roles apply to the user and carry a specific set of permissions.
Tasks are actions available to the user, including screens in different areas of the software, and different data sets the user can access.
In some systems, the default method of assigning permissions (whether view or edit permissions) is based on an individual’s role in the organization. But what if users who share a role shouldn’t necessarily share access to the same screens, tasks, and data?
Task-based permission and least privilege
Rather than automatically assign everyone in a similar role the same permissions, consider instead which screens, data, and tasks people in those roles need to view. Consider the concept of least privilege: only the minimum necessary rights should be granted to maintain the highest level of security.
Let’s say, for example, a new administrative assistant needs to access demographics and attendance data and create new student profiles. The system administrator can create a role using those exact permissions, and then add the role to the related security group. This might mean all administrative assistants have similar, but not identical, permissions and are all part of the same security group.
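The task-based setup described above, as an added example (not Skyward's code or data model): two administrative assistants share a security group but hold different task-based roles, and `excess_privilege` shows what a single job-title default would have over-granted. All task, role, group and user names are constructed for illustration.

```python
# Constructed task names for a hypothetical SIS; not any vendor's real identifiers.
ALL_OFFICE_TASKS = {
    "demographics.view", "attendance.view", "student_profile.create",
    "grades.view", "discipline.view", "health.view",
}

# Broad approach: everyone with the same job title inherits every office task.
JOB_TITLE_DEFAULTS = {"administrative_assistant": ALL_OFFICE_TASKS}

# Task-based approach: each role lists only the tasks that person needs.
TASK_ROLES = {
    "front_office_intake": {"demographics.view", "attendance.view",
                            "student_profile.create"},
    "attendance_clerk": {"demographics.view", "attendance.view"},
}

# A security group collects related task-based roles for administration.
SECURITY_GROUPS = {
    "administrative_assistants": {"front_office_intake", "attendance_clerk"},
}

USERS = {
    "new_assistant": {"title": "administrative_assistant", "role": "front_office_intake"},
    "attendance_aide": {"title": "administrative_assistant", "role": "attendance_clerk"},
}

def allowed_tasks(user, task_based=True):
    """Return the set of tasks a user may perform under the chosen model."""
    profile = USERS[user]
    if task_based:
        return set(TASK_ROLES[profile["role"]])
    return set(JOB_TITLE_DEFAULTS[profile["title"]])

def is_permitted(user, task, task_based=True):
    """Deny by default: unknown users and ungranted tasks are refused."""
    if user not in USERS:
        return False
    return task in allowed_tasks(user, task_based)

def excess_privilege(user):
    """Tasks the job-title default grants beyond what the task-based role needs."""
    return allowed_tasks(user, task_based=False) - allowed_tasks(user, task_based=True)

def group_members(group):
    """Users whose task-based role belongs to the given security group."""
    return sorted(u for u, p in USERS.items() if p["role"] in SECURITY_GROUPS[group])
```

Running `excess_privilege` over every user before a migration gives the administrator a per-user list of rights that can be removed without blocking anyone's assigned work.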
Educational institutions are a target for cyber crime, just like any other business or non-profit. Concrete, measurable steps need to be taken to protect assets. Making use of a framework greatly helps this. A framework has specific metrics and criteria included in it. This provides a tangible resource to assess against. Usually, an outside team is brought in to walk through the assessment. Once the assessment is done, a remediation list exists. With a list, priorities are established and budget/human capital are applied.
FERPA is a federal law that addresses privacy of student records. It is not broad enough for a school to base its entire cyber security posture on.
Specific steps that all institutions should take include:
MFA — Multi-factor Authentication is a step beyond passwords. Logging in to access a system requires not just a password, but something else. That something else can be a prompt on a phone, a code generated by your phone, a text message, a hardware token that is inserted into a USB port, a fingerprint … the list goes on and on. The school needs to be aggressive in ensuring there are no gaps in their MFA deployment. If all logins require MFA, but VPN access doesn’t, the crooks will find this quickly and exploit it just as fast.
Policies – While these are seen as the boring part of network security, they are critical. Who is allowed to do what? What is not allowed? What are reasonable expectations? If something happens, what is the response plan? Who is included? Who communicates to whom? Policies run the gamut and should be not only created, but reviewed yearly.
Separation of duties — Smaller schools in particular will tend to have one or two key IT staff. These staff are responsible for deployment of new technologies, while managing existing equipment. Picture this: staff are assigned to deploy a new wireless system. As they learn the components, software is installed/configured, firewall rules updated – they do everything they can to make it work. In the end, it does. But, is the config optimal? Is it secure? Were the firewall updates done in a judicious and cautious manner? Having additional eyes on a project, particularly those that are subject matter experts, is not only helpful but critical.
Executive support — No cybersecurity progress is made without senior administrative, chancellor, and/or principal support. It’s pointless yelling into the wind for staff to try to move something forward without senior buy-in. With management support, funds and personnel follow. Educational facilities never have an abundance of either. But, management’s support allows what meager resources there are to be appropriately channeled.
What should education’s IT leaders be most aware of in the current threat landscape?
The old saying, “When everything is important, nothing is important” comes to mind. There are always external threats. They will never go away. But, learning institutions are in a unique spot when it comes to insider threats. Insider threats, in a traditional business, are where staff are working as, or being used by, criminals. Schools are unique targets for insider threats.
They exist to encourage learning, challenging ideas, trying new things, even pushing boundaries. Labs need to be set up for students to learn and try things. The same systems students use for learning, academia uses for grading, class management, and transcript creation. Students are brought very close to critical systems. Insider threats are a very real threat to educational institutions.