As technology becomes more commonplace in higher education, the call for stronger measures to protect student privacy grows louder. Members of Congress and many in the higher ed community are calling for an update to the more than 40-year-old Family Educational Rights and Privacy Act (FERPA), the federal law that protects student education records.
Regardless of whether or when the law is updated, college and university IT departments will continue to be called upon to do their part to protect student data. Following are five pillars that can serve as the foundation for better data governance and security.
IT Security management
Colleges and universities should maintain a comprehensive inventory of their IT assets: hardware, software, and networks. They also should create a data map that records what student data the institution holds, how sensitive it is, where it is stored, and who is authorized to access it. Without that inventory and map, it is impossible to know which systems need protecting or to tell, after an incident, which records were exposed.
Institutions can also contract for outside help: a Managed Security Service Provider (MSSP) that delivers day-to-day security operations, a scanning service that keeps information on infrastructure vulnerabilities current, and/or a threat intelligence service. Outsourcing these functions does not outsource accountability, however. An MSSP or scanning vendor typically has privileged access to campus systems and data, so it should be vetted and managed under the same third-party process described below.
One of the challenges of protecting student data is the need to share some of that information with relevant parties. For example, FERPA gives parents and eligible students the right to inspect academic records. It also allows institutions to disclose education records without consent to other schools in which the student seeks to enroll, to parties connected with student financial aid, and to accrediting organizations, plus any “directory information,” provided the institution has given public notice of what it treats as directory information and the student has not opted out.
Institutions therefore need written policies on data sharing that align with federal and state privacy laws as well as industry best practices. Policies should be centralized so that the appropriate parties across the main campus and satellite locations can review, revise, and approve new and updated policies, and so that one authoritative version exists. Any gaps between the regulations and current policies and procedures should be closed as quickly as possible.
IT personnel should strive to obtain a comprehensive view of all organizational and IT risks. Risks should be documented and mapped to the compliance controls that address them, and any policy exception should be assessed for the risk it introduces and given an owner and an expiry date rather than being granted indefinitely. Identify the most critical risks and prioritize remediation efforts accordingly.
Higher education institutions should have a detailed, written process for handling data breaches and other IT incidents. The process should cover identifying the incident, reporting it internally and, where the law requires, to affected individuals and regulators, assigning remediation tasks, monitoring remediation progress, and resolving issues. Institutions should capture and preserve relevant evidence and records for every incident (logs, timelines, the systems and data involved, and the decisions made), which is especially important given that universities often cover a wide geographical area and consist of many departments, each of which may hold a piece of the picture.
Vendors and other third-party relationships should be actively managed, especially where the third party has access to student data. This process should include risk assessments of current and prospective vendors, contractual requirements that the vendor's data security policies match the institution's own, regular audits, and a clear assignment of responsibilities, including notification duties, in the event of a data breach.
Each of the five pillars should include training of faculty and staff, along with a signed acknowledgement that university employees have read and understand the student privacy policies that apply to them.