If you’re looking for advice on how to safeguard student information on your school computer systems, Mike Chapple might be your man.
Chapple is an associate teaching professor of IT, analytics and operations at the University of Notre Dame. He recently produced an article that appeared in EdTech magazine looking at ways that schools can better protect their student records.
What follows is an abbreviated version of Chapple’s tips.
1. Minimize your data collection. It’s sounds obvious but the idea is stop and think whether you really need all of the information you’ve asked students to supply. If there’s no business purpose for it, don’t collect it. This way, in case of a data breach, that’s one less piece of sensitive data to worry about.“Social security numbers are low-hanging fruit for minimization efforts. Many schools began a practice years ago of collecting student and/or parent SSNs for identification purposes,” Chapple said. “While almost every school has moved beyond the use of SSNs as a student identifier, many still ask for student and parent SSNs on registration forms. There is no good reason to do that.”
2. Purge, purge, purge. Purging old records does the same thing that minimizing data collection does: it leaves you with less to worry about in case of a breach. If you don’t have a record retention policy, institute one, specifying the length of time different categories of records should be preserved. For example, documents collected to prove residency can be eliminated once they’ve been validated and approved by an administrator.
3. Encrypt your data. Any records that you retain need to be carefully secured, preferably using strong encryption technology to protect information that “is either at rest; stored on a server or device; or in transit, being sent over a network.” You want encryption at both the file and disk level.
4. Adhere to the Principle of Least Privilege. The idea here is that each user should be assigned the minimum level of access necessary to perform their job functions. It’s a mistake, in other words, for a school IT administrator to grant all faculty and staff access to student records stored on a server. Doing so simply exposes those records to unnecessary risk. A least-privilege approach would create access control groups that limit each user’s access to only those records required for their job. For example, only the school nurse and principal should have access to health records.
5. Keep an eye on user activity. Did you know that Windows file servers include auditing capabilities that allow tracking and logging of all successful or unsuccessful attempts to access files? Monitoring user activity can help you identify suspicious activity – including logs to determine who might have viewed educational records leaked to the media.
“Schools must exercise more caution and discretion to protect students’ and families’ information from unauthorized uses,” Chapple said. “Following a few simple security practices will go a long way toward preserving the public trust in educational institutions.”
We couldn’t have said it better.
Robert Simones is an Insurance Advisor at CCIG. He can be reached at 720-212-2059 or Robert.Simones@thinkccig.com.
CCIG is a Denver-area insurance, employee benefits and surety brokerage with clients nationwide. We do more than make sure you have the right policy. We help you manage your long-term cost of insurance with our risk and claims management expertise and a commitment to service excellence.