Check your Vendor Security Settings

Most schools are now providing online student data. These online databases store personal information – names/addresses/pictures of minors, social security numbers, passwords, test scores, grades, and much more. Going to online or “cloud” based solutions seems easy and simple; however, most of us don’t give much thought to the security of that data. Are we asking the right questions of our vendors? What questions should we be asking to be sure our data is secure so we can protect the privacy of our students and avoid liability?

Here is a list of what should be done to secure the data of our students. The list below applies to any Learning Management System (LMS), Student Information System (SIS), medical, accounting, or even email system if we store any personal or confidential information about the students in it.

We should ask our vendor what on-premises security systems/controls they have.

Do they have an outside company test their websites to make sure they are secure? How often? (It should be an annual test at least.)

How do they back up your data, and have they been able to restore a backup so you know for sure their backup is working?

How do they ensure only authorized users can access our student data?

How do they ensure users have good passwords? They should be 10 or 12 characters long, but 16 is what the NAD Technology Standards Committee (TSC) recommends. (Length matters more than complexity.)

Does the vendor block the top 370 bad passwords that are blocked by Twitter and Facebook?

http://ceoworld.biz/ceo/2010/01/04/full-370-twitter-banned-passwords-list

Does the provider make sure that an account that is logged in but not being used is automatically logged out after 20 minutes of inactivity? Do they limit the login hours to hours of operation?

Does the provider lock any account whose password is guessed incorrectly more than 6 to 8 times in a row?

What types of controls are in place to make sure the vendor can’t see confidential data such as social security numbers or other personal or private data about the students unless there is an express need for them to see that data? There is no reason a vendor needs to know or be able to see Social Security numbers.

What types of controls are in place to make sure your local staff only have access to the data they need, and to nothing else that would be classified as confidential?

Are all forms of communication between the school and the vendor encrypted if they contain any private or personal student data?

Does the vendor software provide audit trails so you can know who exactly has seen or modified any of the data about a student?

What does the vendor do to protect against a denial-of-service (DoS) attack, which would make it so you could not get to your student data?

Does the vendor make sure that all data about students is stored in an encrypted database at their site and that SSNs are masked so only the last four digits are displayed by the software, except when a report requires the full SSN?

At a minimum, passwords should be stored in a hashed format so they are not easily discovered in case of a data breach.

Does the vendor make sure that your data is stored and transmitted according to all the state and federal standards for your student population? (For example, if you have students from CA, FL, MI or some other state, do they cover all the state standards for student record security?)
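As an added illustration (not part of the original article and not any vendor's code), the Python below shows what the password questions above look like when implemented together: minimum length, a banned-password blocklist, hashed storage, and lockout after repeated wrong guesses. The names, the small constructed blocklist, the per-user salt and the choice of scrypt are assumptions made for the example.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 16    # length the article says the NAD TSC recommends
MAX_FAILURES = 6   # article suggests locking after 6 to 8 wrong guesses in a row
# Constructed stand-in for a published banned-password list (not the real 370 entries).
BLOCKLIST = {"password", "123456", "letmein", "qwerty", "passwordpassword"}

def password_problems(candidate):
    """Return the reasons a new password is rejected (empty list means accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if candidate.lower() in BLOCKLIST:
        problems.append("on blocklist")
    return problems

def hash_password(password, salt=None):
    """Derive a slow, salted scrypt hash; only salt and hash are ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest

class Account:
    """Hypothetical account record: stores the hash and a consecutive-failure count."""
    def __init__(self, password):
        problems = password_problems(password)
        if problems:
            raise ValueError(", ".join(problems))
        self.salt, self.digest = hash_password(password)
        self.failures = 0

    @property
    def locked(self):
        return self.failures >= MAX_FAILURES

    def login(self, attempt):
        if self.locked:  # a locked account rejects even the correct password
            return False
        _, digest = hash_password(attempt, self.salt)
        if hmac.compare_digest(digest, self.digest):  # constant-time comparison
            self.failures = 0
            return True
        self.failures += 1
        return False
```

A vendor whose system behaves this way can answer the length, blocklist, lockout and hashed-storage questions with a plain "yes"; unlocking a locked account would be a separate, audited administrator action.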

The following information came directly from:

http://www.ssa.gov/kc/id_practices_best.htm

http://www.redbooks.ibm.com/redpapers/pdfs/redp4614.pdf

http://www.csoonline.com/article/print/658279

http://blogs.wsj.com/digits/2010/12/13/the-top-50-gawker-media-passwords