That is particularly important for notebooks and other mobile devices that might be lost or stolen when outside of school. Schools should also identify cases where they send or receive sensitive information over a network connection and ensure that the connection is encrypted.
For example, standard email does not use encryption and should never be used for sending sensitive information to parents or students. Secure messaging portals that use HTTPS-encrypted websites are a much better alternative.
4. Follow the Principle of Least Privilege
The security principle of least privilege states that each user should be assigned the minimum level of access necessary to perform his or her job functions. That principle is often unintentionally violated in schools as a matter of convenience.
For example, a school IT administrator might grant all faculty and staff access to student records stored on a server. That may make administrative tasks easier, but it also exposes those records to unnecessary risk.
A least-privilege approach here would create access control groups that limit each user’s access to only those records required for his or her job. For example, the school nurse and principal might be the only two individuals with access to health records.
A student’s current course grades might be available only to teachers who have that student in class, the student’s guidance counselor and senior administrators. It may seem obvious but reducing the number of people with access to sensitive information helps keep that information more secure.
5. Monitor User Activity on School Networks
Finally, schools should monitor the activity of any users granted access to sensitive information. That doesn’t require elaborate monitoring systems; most likely, changes to settings in existing software will be sufficient. For example, Windows file servers include robust auditing capabilities that allow tracking and logging of all successful or unsuccessful attempts to access files.
Any records gathered through user monitoring can also help to identify suspicious activity and also aid in tracking down the source of leaks of sensitive information. For example, if a high-profile student’s educational records are leaked to the media, administrators may look at the access logs to determine who recently viewed those records.
Schools must exercise more caution and discretion to protect students' and families’ information from unauthorized uses. Following a few simple security practices will go a long way toward preserving the public trust in educational institutions.