Security is an oft-overlooked aspect of privacy, but it is crucial to the sustainability of privacy practices. Each time a new story appears about the loss of personal information in the consumer market, the fault is typically attributed to improper management or malicious attacks on data systems. Without proper security measures, student data is always at risk.
Student data security may depend on whether the district chooses to use on-premise or cloud-based data storage solutions. The Fordham Law study focused heavily on cloud storage; however, it must be noted that security in cloud environments depends on the qualifications of the cloud service provider.
Only a short time ago, on-premise storage was the most common approach. In the past five years, however, districts have increasingly opted to move their data to a cloud-based environment to save both time and money. We expect that trend to continue.
Districts that choose to store their student data on-premise should follow these key steps to ensure maximum security:
- Maintain physical security measures to protect network equipment. Include multi-step processes to access network centers such as server rooms and Storage Area Networks (SAN).
- Establish separate network access points within buildings that limit student and visitor exposure.
- Limit database administrator rights to a minimum number of staff - typically primary and secondary individuals.
- Conduct routine security audits and network penetration tests.
- Establish a disaster recovery plan that keeps off-premise backups under the same level of protection as on-premise production data.
- Monitor network traffic to detect and block unusual activity.
Cloud computing is one of the fastest growing technology sectors. At the time the Fordham Law study was compiled, 95% of districts were relying on the cloud for a variety of functions, including data mining related to student performance, support for classroom activities, cafeteria payments, and transportation planning, among many others.
Districts that utilize cloud computing experience a host of benefits, from eliminating the cost of on-premise hosting and continuous hardware replacement, to enabling IT staff members to focus on tasks other than system maintenance. The best cloud service providers also offer a significant upgrade in data security and privacy protection by controlling and monitoring direct database access at all times.
In the education industry, minimum requirements have not yet been standardized throughout much of the country and often vary from district to district. Cloud services are poorly understood and weakly governed, with only 25% of districts keeping parents informed about cloud services and as few as 20% having any documented policies for the use of online services, according to the Fordham Law findings. Often, the contractual requirements between district and service provider are outdated and incomplete.
When selecting a student information system and a secure cloud computing provider, districts should ensure that the provider:
- Offers a single contract that includes all parties and defines up-to-date security requirements.
- Meets SSAE 16 Reporting on Controls standards as a bare minimum.
- Provides hardware updates and database management without hidden fees.
- Provides application updating and monitoring services.
- Maintains multiple data centers with redundant failover.
- Continually monitors industry standards to ensure that the latest protection and security recommendations are always being followed.