Tag: FERPA

Use Task-Based Permission To Tighten Security

By Erin Werra, edtech enthusiast and writer, Skyward.

One of the core tenets of FERPA states that student records should only be available to those who have a specific need to see them. On the other side of district operations, sensitive financial information can easily become fodder for fraud if it falls into the wrong hands.

There’s a lot of data to safeguard as a system administrator.

One strategy to explore is task-based roles in your student information system or enterprise resource planning system. How does this strategy keep your data safe? Let’s explore.

Roles vs. tasks

The first step is to define the difference between roles and tasks within the software.

Roles apply to the user and carry a specific set of permissions.

Tasks are actions available to the user, including screens in different areas of the software, and different data sets the user can access.

In some systems, the default method of assigning permissions (whether view or edit permissions) is based on an individual’s role in the organization. But what if users who share a role shouldn’t necessarily share access to the same screens, tasks, and data?

Task-based permission and least privilege

Rather than automatically assign everyone in a similar role the same permissions, consider instead which screens, data, and tasks people in those roles need to view. Consider the concept of least privilege: only the minimum necessary rights should be granted to maintain the highest level of security.

Let’s say, for example, a new administrative assistant needs to access data about demographics and attendance, and to create new student profiles. The system administrator can create a role using those exact permissions, and then add the role to the related security group. This might mean all administrative assistants have similar, but not identical, permissions and are all part of the same security group.
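The sketch below is an added example, not code from Skyward or any student information system. It models the administrative assistant scenario with deny-by-default task checks and a least-privilege audit that compares a shared, role-based grant against task-based roles. All task names, user names, and classes are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed task identifiers ("area.screen:action"); not from any real SIS/ERP.
DEMOGRAPHICS_VIEW = "student.demographics:view"
ATTENDANCE_VIEW = "student.attendance:view"
ATTENDANCE_EDIT = "student.attendance:edit"
PROFILE_CREATE = "student.profile:create"
GRADES_VIEW = "student.grades:view"
PAYROLL_VIEW = "finance.payroll:view"

@dataclass(frozen=True)
class Role:
    name: str
    tasks: frozenset  # the exact tasks this role may perform

@dataclass
class SecurityGroup:
    name: str
    members: dict = field(default_factory=dict)  # user -> Role

    def is_allowed(self, user: str, task: str) -> bool:
        # Deny by default: unknown users and unlisted tasks are refused.
        role = self.members.get(user)
        return role is not None and task in role.tasks

    def excess_grants(self, needs: dict) -> dict:
        # Least-privilege audit: tasks granted beyond each user's documented need.
        report = {}
        for user, role in self.members.items():
            extra = role.tasks - frozenset(needs.get(user, ()))
            if extra:
                report[user] = sorted(extra)
        return report

# Documented needs per person (constructed sample users).
NEEDS = {
    "new.assistant": {DEMOGRAPHICS_VIEW, ATTENDANCE_VIEW, PROFILE_CREATE},
    "attendance.clerk": {DEMOGRAPHICS_VIEW, ATTENDANCE_VIEW, ATTENDANCE_EDIT},
}

# Role-based default: one broad role shared by every administrative assistant.
blanket = Role("admin-assistant", frozenset({DEMOGRAPHICS_VIEW, ATTENDANCE_VIEW,
               ATTENDANCE_EDIT, PROFILE_CREATE, GRADES_VIEW, PAYROLL_VIEW}))
broad = SecurityGroup("Administrative Assistants",
                      {user: blanket for user in NEEDS})

# Task-based: each role carries exactly the tasks that person needs.
scoped = SecurityGroup("Administrative Assistants",
                       {user: Role(f"admin-assistant:{user}", frozenset(tasks))
                        for user, tasks in NEEDS.items()})
```

Running `broad.excess_grants(NEEDS)` lists the grade and payroll screens every assistant can reach without needing them, while `scoped.excess_grants(NEEDS)` returns an empty report.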

What Steps Must Education’s IT Leaders Take To Protect Back End Data and Information?

Response from Nathan Maxwell, founder, Communication Concepts, Inc.

Educational institutions are a target for cyber crime, just like any other business or non-profit. Concrete, measurable steps need to be taken to protect assets. Making use of a framework greatly helps this. A framework has specific metrics and criteria included in it. This provides a tangible resource to assess against. Usually, an outside team is brought in to walk through the assessment. Once the assessment is done, a remediation list exists. With a list, priorities are established and budget/human capital are applied. 

FERPA is a federal law that addresses privacy of student records. It is not broad enough for a school to base its entire cyber security posture on. 

Specific steps that all institutions should take include:

What should education’s IT leaders be most aware of in the current threat landscape?

The old saying, “When everything is important, nothing is important” comes to mind. There are always external threats. They will never go away. But, learning institutions are in a unique spot when it comes to insider threats. Insider threats, in a traditional business, are where staff are working as, or being used by, criminals. Schools are unique targets for insider threats.

They exist to encourage learning, challenging ideas, trying new things, even pushing boundaries. Labs need to be set up for students to learn and try things. The same systems students use for learning, academia uses for grading, class management, and transcript creation. Students are brought very close to critical systems. Insider threats are a very real threat to educational institutions.