Best Practices for Ensuring Data Security in the Cloud – EdTech Magazine: Focus on Higher Education


1. Know Where Your Data Resides

One of the major benefits of cloud platforms is that they are simple to adopt. With a few keystrokes, teachers get immediate access to cutting-edge tools that improve the classroom experience. However, they often do so after clicking through legal agreements that may impact the ownership, privacy and security of student records.

That’s why it’s imperative for administrators and IT leaders to understand the diverse set of solutions used in classrooms and the data implications of those choices. Teachers should know the importance of clearing new cloud solutions with technology and legal experts before using them to store or process student records.

This is a delicate balancing act and requires prompt attention to faculty requests. Teachers who find themselves facing a bureaucratic approval process will either abandon the use of innovative technology or simply bypass administrative review, possibly putting student privacy at risk.

2. Understand Vendor Security Mechanisms

When reviewing a cloud service, IT leaders should explore the security mechanisms put in place by the vendor. At a minimum, the vendor should be implementing the same level of security controls around student data that the school would implement itself if it were building the same system onsite.

This process usually begins with a review of security materials prepared by the cloud vendor. Most vendors are now used to answering questions about their security controls and often have white papers explaining them. These documents serve as an excellent starting point for a security review and the basis for follow-up conversations to probe specific details.


One of the best ways to conduct these reviews is to use a standardized checklist, such as the one offered by the Cloud Security Alliance. This checklist covers the major security controls that vendors should implement and provides a structured approach for covering your security bases.


3. Require Periodic Security Assessments

The initial review that you perform when engaging a new vendor lets you establish a security relationship with them. It ensures that they meet your security requirements and creates a baseline for ongoing compliance monitoring.

That ongoing monitoring is crucial to maintaining the security of student information — it verifies that the vendor continues to live up to their security and privacy obligations. However, control effectiveness may fade over time, and ongoing security requires a continuous improvement process. Security assessments offer a point-in-time verification that the vendor is adequately protecting confidential information.

There’s also the System and Organization Controls (SOC) program, which allows cloud vendors to engage independent auditors to verify their security controls and then share the reporting with their clients. Check with your cloud vendors to see if they conduct SOC assessments and then ask for updated reports on an annual basis.

4. Remain Compliant with Regulatory Obligations

Questions about compliance with the Family Educational Rights and Privacy Act frequently stymie cloud efforts. Administrators worry that moving data to the cloud might bring new regulatory issues and often ask, “Is this vendor FERPA-compliant?”

The reality is that there’s no official seal of approval for FERPA compliance. Instead, educators are responsible for ensuring that they have reasonable security mechanisms in place to protect student records. Conducting initial and periodic reviews of vendor security controls should satisfy this requirement.


The remaining hurdle is making sure a contractual relationship is in place that ensures the cloud partnership meets FERPA requirements. Specifically, the contract must designate the cloud provider as a “school official” under FERPA to allow the transfer of student educational records. You’ll find more information on this topic in the FERPA cloud guidance available from the Department of Education.


