Education Framework Blog

Focused on the Future of Education in America

Do You Think Student Data is Protected? Think Again!

As student data privacy continues its moment in the spotlight, a darker reality often exists behind the scenes: one where school districts treat information security, privacy and compliance as a reactionary afterthought; where data governance programs are not properly established or implemented; where security controls are lacking; and where third party vendors are not appropriately vetted for privacy assurances.

Although this sounds like the makings of a bad after-school special, it is happening in schools and districts all across the nation. Too little is being done to protect student information, exposing our students and schools to unnecessary risk.

Case in point…

The Missouri State Auditor recently conducted a comprehensive analysis of a local school district to better understand their position when it comes to protecting student information. What they discovered was failure across the board.  

The Boonville R-1 School District Student Data Governance Audit was completed as part of the Cyber Aware School Audits Initiative and designed to assess the effectiveness of privacy and security controls, with a focus on identifying practices that improve the security of information school districts have on students and their families.  

The thorough audit was conducted in response to increasing concern for protecting the security and privacy of information schools maintain on students, coupled with the continued emergence of cyber threats.

Based on six core criteria, the audit was intended to evaluate: 1) the effectiveness of privacy plans and controls for safeguarding personally identifiable information (PII); 2) the effectiveness of information security controls for protecting the confidentiality, integrity, and availability of systems; and 3) the effectiveness of compliance.

Listed below are the findings from the audit, the associated risk for non-compliance, and recommendations for improvement provided by the Missouri State Auditor’s office:  


1.  DATA GOVERNANCE

 

ASSESSMENT: The district has not established a comprehensive data governance program and is therefore unable to ensure PII is adequately protected and safe from unauthorized access, misuse, or inadvertent disclosure.

 

RISK: Without a formal program, the district cannot ensure that PII is adequately protected and safe from unauthorized access, misuse, or inadvertent disclosure.

 

RECOMMENDATION: The district should establish and implement a formal data governance program encompassing the full life cycle of data, from acquisition to use to disposal.

 

2.  SECURITY CONTROLS

 

ASSESSMENT: The district has not implemented necessary security controls, leaving technology assets, including PII, at risk of inappropriate access, use and disclosure.

 

RISK: Without documented and approved policies and procedures, management lacks assurance that security controls are appropriate and properly applied.

 

RECOMMENDATION: The district should formally appoint a security administrator, ensure passwords are periodically changed, establish access control policies and procedures, formally document responsibility for physical protection of technology resources, and fully document and periodically review security policies and procedures.

 

3.  USER ACCOUNTS

 

ASSESSMENT: The district has not fully established controls for creating and maintaining user accounts for accessing system resources.

 

RISK: Without appropriate account access policies and procedures, users may be granted inappropriate or unauthorized access, which can provide opportunities for misuse or inappropriate disclosure of sensitive data.

 

RECOMMENDATION: The district should establish and document formal policies and procedures, and periodically monitor user accounts and user access to data to ensure rights remain appropriate.

 

4.  INCIDENT RESPONSE & CONTINUITY PLANNING

 

ASSESSMENT: The district has not taken all the necessary measures to protect data in the event of a breach or other disruptive incident. It does not have a complete incident response plan, has not adopted a formal data breach response policy, and has not fully documented and tested a continuity plan.

 

RISK: Without comprehensive incident response and breach-related policies, management may not be able to respond quickly and effectively. And without a tested and functional continuity plan, management has limited assurance the organization’s business functions and computer processing can be sustained.

 

RECOMMENDATION: The district should establish and document an incident response plan; formally document and adopt a comprehensive data breach response policy to promote an appropriate response in the event of a breach; develop a continuity plan; formally assign responsibilities; and run periodic tests of the plan.

 

5.  SECURITY AWARENESS PROGRAM

 

ASSESSMENT: The district has not established a formal security and privacy awareness training program.

 

RISK: Without adequate training, users may not understand system security risks and their role in implementing related policies and controls to mitigate those risks.

 

RECOMMENDATION: The district should establish a formal security and privacy awareness training program, because those with proper security and privacy awareness training and clear communication of data and device use policies can become the first line of defense against cybersecurity incidents.

 

6.   VENDOR MONITORING

 

ASSESSMENT: The district has not established a process for ensuring software acquired or outsourced from information technology vendors complies with data security principles. Additionally, the district is unable to locate a written contract with the vendor of one of its key systems.

 

RISK: Without an effective process for monitoring and managing risk and software acquisition or outsourcing, the district has less assurance in a vendor’s ability to deliver services effectively, securely and reliably, and to ensure that services meet current and future data privacy and security needs.

 

RECOMMENDATION: The district should develop procedures to formally monitor information technology vendors have access to, to ensure the district’s data is properly protected and the vendor acts in accordance with contract terms and conditions.


CONCLUSION 

While this audit casts a negative light on a single district, it illuminates the reality of what is really going on in schools and districts across the nation, and it shows the unfortunate truth of how student information is regularly exposed.

By establishing and implementing the proper plans and procedures, schools and districts that proactively protect student privacy are better poised for success. In contrast, assuming it will take care of itself is a recipe for disaster.

As technology usage advances in schools, increased risk of PII being compromised and exposed is a real and ever-present danger. The need to protect information against cyber threats and misuse is increasingly important, and school districts need to do more to ensure student information is safe, private, secure and protected.

Note: After failing on all six counts, the Boonville R-1 School District has addressed its areas of weakness and has issued an action response to remedy its shortcomings.

EdProtect by Education Framework [VIDEO]


At Education Framework, we specialize in developing student data privacy and paperless consent services for U.S. K-12 schools and districts. 

Because we believe that every student has a right to privacy while using online learning technologies in school.

We believe that school and district leaders need a safe and secure method to manage the privacy and parental consent process. And that parents have a right to know what technologies their children are using in the classroom.

Everything we do is with the intent of improving systems, simplifying processes, minimizing waste and most importantly, protecting students.

Because we believe in a simpler way.

At Education Framework, we develop 21st Century consent & student data privacy solutions that provide safety, security and peace-of-mind for parents, students, schools and districts alike. 

Our solutions provide knowledge and understanding to help educators make informed decisions about technology usage in the classroom.

EdProtect, an all-in-one student data privacy & paperless consent manager, simplifies and streamlines the process from end-to-end, providing comprehensive safety and protection for schools and districts across the nation. It also helps you to better understand the health and safety of your student privacy initiatives.

EdProtect enables you to quickly and easily determine the safety of apps and websites used in your district. It allows you to track and monitor technology usage in the classroom, set parameters, establish privacy guidelines for your staff to follow, and communicate information in a clear and concise manner. 

EdProtect also helps you to track, organize and store responses in a systematic way. And it allows for easy recovery of information when requested. 

It eliminates wasteful paper permissions of the past, and it ensures schools are compliant with Federal regulations of the present, like COPPA & FERPA.

EdProtect rates, reviews, and assesses the safety and privacy of each and every app & website used in your school or district. And it continuously monitors privacy policies so you know immediately if and when a change occurs. 

EdProtect opens lines of communication between parents, teachers and administrators, and it provides transparency and accountability for schools looking to establish greater controls. 

EdProtect is really designed to do it all... for you!

It’s a student privacy manager and a communication tool, in one.

It engages parents. It empowers teachers. And it acts as a governance tool for administrators and IT leaders looking to establish guidelines that align with school & district privacy initiatives.

It’s an easy-to-use, ultra-secure and cost-effective solution that helps educators make informed decisions about technology usage in the classroom.

Through the use of privacy analytics, EdProtect offers a window into the health and vitality of your school or district's student privacy efforts.

It produces actionable data to make continuous improvements. 

It brings parents into the privacy conversation. It clearly communicates what apps and websites are being used by their children in the classroom. And it allows you to obtain consent when necessary.

EdProtect provides a level of control and understanding unparalleled by any other service of its kind on the market.

One feature that makes it so great is the Privacy Quality Scoring System.

This 5-point rating system helps teachers and administrators know at-a-glance the safety and privacy of the apps and websites used in school.

The scoring system provides a quick-glance number rating, but it also provides a detailed description, so you know EXACTLY why it scored the way it did.

All scoring is done internally by Education Framework staff, so you don’t have to think about reading the privacy policies for each and every app and website used in your school or district. 

EdProtect gives educators the knowledge they need to make informed decisions.

By utilizing this approach, schools and districts eliminate the risk of inadvertently adopting unsafe technologies in the classroom...and putting schools, districts and students in jeopardy. It also minimizes the bottleneck that often occurs when waiting for technology approvals.

EdProtect manages the process for you from start to finish. 

It is a streamlined and sustainable solution that saves time and money, not to mention countless headaches.

It provides safety, security and peace-of-mind when utilizing online technologies in schools, and helps educators, administrators and parents gain a better understanding of technology usage by students in schools. 

Please visit our website where you can learn more about our services. Read our blog (which you are, so thank you!). And sign up for a free live demo to see if EdProtect is right for you.

WWW.EDUCATIONFRAMEWORK.COM


Privacy & Security of Student Data: An Increasing Concern for IT Leaders

A recent article by eSchool News highlights the latest CoSN survey, stating:

IT leaders list student data privacy as one of their primary concerns.


According to the fourth annual K-12 IT Leadership Survey Report, broadband and network capacity top the list of priorities for school technology leaders. But the survey also indicated that they're spending more time and devoting more resources to student data privacy and security than in previous years.

Major IT findings emerged from the survey and are outlined in the report:

1. Broadband and network capacity is the top priority for IT leaders
2. Privacy and security of student data is an increasing concern for IT leaders
3. Districts are turning to digital learning materials
4. Ninety-nine percent expect to incorporate digital Open Educational Resources
5. Nearly 80 percent of IT leaders use online productivity tools
6. District bans on student devices are shrinking
7. The path to IT leadership differs for women and men
8. Racial diversity in IT leadership is lacking
9. IT leaders have advanced education
10. Demographics are changing

The article indicates that respondents' major challenges include budget constraints and lack of resources; the existence of silos that hamper collaboration; and lack of vision and support from senior district leadership.


Education Framework Joins SchoolMessenger Ecosystem Partner Program


We are happy to announce that we have joined the SchoolMessenger Ecosystem Partner Program.

To support schools and districts as they select and deploy web-based education products and services, West Corporation, a leading provider of technology-enabled communication services, announced four new partners in their SchoolMessenger Ecosystem Program. Education Framework's student data privacy and parental consent solution, EdProtect, was among those listed, along with Hero by HeroK12, Professional Learning Maps and EduVision by JDL Horizons.

The Ecosystem is built into SchoolMessenger Passport, West’s Education group’s free single sign-on product for districts. Introduced in fall 2015, SchoolMessenger Passport allows districts to provide teachers, staff, parents and students with quick and secure access to online learning applications, open educational resources (OER), and a variety of school management and administration software programs using single sign-on (SSO). That means each individual only has to remember one user ID and password to log into multiple district-approved educational resources, including SchoolMessenger products.

Both the free standard and paid premium versions of Passport include a catalog of “product connectors” that enable SSO to popular web-based services. Through the SchoolMessenger Ecosystem Program, companies can highlight additional services they can provide, such as allowing schools to use one-click account provisioning tools within the Passport catalog.


Author's Note: We are thrilled by this opportunity because it enables schools and districts to quickly and easily utilize the paperless parental consent and automated student data privacy services that we provide. Think of EdProtect as a "plug-in" that extends the communication functionality of SchoolMessenger.