Protecting Access to School Records – Steps to Make FERPA Work
August 22nd, 2016
The Family Educational Rights and Privacy Act (FERPA) is a Federal law originally enacted in 1974 that protects the privacy of student educational and personal family records. FERPA grants parents specific rights with respect to their children’s educational records and access to review or comment on the results. Educational institutions must have written permission from the parent or eligible student in order to release any information from a student’s educational record. FERPA also allows schools to disclose those records to the following parties without consent, but provides provisions that educational institutions must protect against the misuse or inappropriate access to student records.
Challenges Educational Institutions Face When Trying to Protect Access to Student Records
Traditionally, educational institutions have always found it difficult to find funding for large scale security solutions. In addition, many organizations consider their student networks apart of the public internet and provide no protection capabilities from traditional threats (they may offer free AV but not proper segmentation and isolation capabilities). This leaves strategic initiatives within an environment to focus strictly on the backend systems as specified by FERPA. Protection of an individual’s records on their personal devices is not covered by the mandate. Therefore, best practices to protect privileged access to student records and vulnerability management of operating systems and applications falls within the IT and Security staffs realm for management.
The challenge is not keeping the databases locked down, or installing patches, but answering the question: Who should have access and for how long?
Typically, these controls are very loose in educational intuitions due to the variety of access required and by all approved entities. This may include stale user accounts, non-rotating passwords, legacy applications with no support, or even custom applications written by students or faculty to access information. All of these create environmental concerns that lead to poor IT management controls and risks to the data being accessed inappropriately.
In the end, FERPA requires protection to this information but fails to provide the necessary checks and balances – like PCI DSS in the payment card industry – to ensure organizations are making good security decisions to protect the information.
3 Steps to Stop Insider and External ttacks Against Information Technology Assets
There are several steps educational institutions can take to better protect access to student records, here are my top 3 recommendations:
- Privileged Access Management – Implement a strategy (and if needed a technology solution) to remove administrator rights from all backend and supporting user systems. This implies segmented access via proxy or password safe technology complimented by least privileged with full session monitoring, auditing, and reporting.
- Vulnerability Management – Ensure whatever the asset is; from operating system and application, to router, switch, and HVAC all security patches are applied and tested regularly for new threats.
- Education – Ensure team members are educated on the latest cyber security threats from ransomware to phishing. Once teams understand how modern (and legacy) attacks occur, they are better prepared to architecture, configure, and defend against them within the intuition. BeyondTrust has partnered with multiple education institutions like Embry-Riddle, providing free information technology security training videos to help staff and students understand the latest security threats and architectures to protect against them.
Where to Start
For any educational institution’s IT department, I would recommend following security best practices from SANS or even PCI. These frameworks can be easily adopted to protect the crown jewels (student information) from would-be hackers and provide a consistent process for identifying threats and securing the information. For example, treat student information just like credit card information, and:
- Limit access and log all activity
- Encrypt the data at rest and in transit
- Split critical information like SSN numbers across multiple databases
- Perform regular vulnerability assessments and pen tests
- Limit administrator access
- Have network and application segmentation
Learn how the University of California San Diego Keeps Focus on Collaboration with PowerBroker in this case study.
Then, the risks to the personally identifiable information can be minimized and secured against hacks. For more information on how BeyondTrust can help your educational institution better control access to student records, contact us today, or check out one of the many case studies where customers used BeyondTrust to secure against hacks and data breach threats.