1. Know Where Your Data Resides
One of the major benefits of cloud platforms is that they are simple to adopt. With a few keystrokes, teachers get immediate access to cutting-edge tools that improve the classroom experience. However, they often do so after clicking through legal agreements that may impact the ownership, privacy and security of student records.
That’s why it’s imperative for administrators and IT leaders to understand the diverse set of solutions used in classrooms and the data implications of those choices. Teachers should know the importance of clearing new cloud solutions with technology and legal experts before using them to store or process student records.
This is a delicate balancing act and requires prompt attention to faculty requests. Teachers who find themselves facing a bureaucratic approval process will either abandon the use of innovative technology or simply bypass administrative review, possibly putting student privacy at risk.
2. Understand Vendor Security Mechanisms
When reviewing a cloud service, IT leaders should explore the security mechanisms put in place by the vendor. At a minimum, the vendor should be implementing the same level of security controls around student data that the school would implement itself if it were building the same system onsite.
This process usually begins with a review of security materials prepared by the cloud vendor. Most vendors are now used to answering questions about their security controls and often have white papers explaining them. These documents serve as an excellent starting point for a security review and the basis for follow-up conversations to probe specific details.
One of the best ways to conduct these reviews is to use a standardized checklist, such as the one offered by the Cloud Security Alliance. This checklist covers the major security controls that vendors should implement and provides a structured approach for covering your security bases.
3. Require Periodic Security Assessments
The initial review that you perform when engaging a new vendor lets you establish a security relationship with them. It ensures that they meet your security requirements and creates a baseline for ongoing compliance monitoring.
That monitoring is crucial to maintaining the security of student information: it verifies that the vendor continues to live up to its security and privacy obligations. Control effectiveness may fade over time, and ongoing security requires a continuous improvement process. Security assessments offer a point-in-time verification that the vendor is adequately protecting confidential information.
There’s also the System and Organization Controls (SOC) program, which allows cloud vendors to engage independent auditors to verify their security controls and then share the resulting reports with their clients. Check with your cloud vendors to see if they conduct SOC assessments and then ask for updated reports on an annual basis.
4. Remain Compliant with Regulatory Obligations
Questions about compliance with the Family Educational Rights and Privacy Act (FERPA) frequently stymie cloud efforts. Administrators worry that moving data to the cloud might bring new regulatory issues and often ask, “Is this vendor FERPA-compliant?”
The reality is that there’s no official seal of approval for FERPA compliance. Instead, educators are responsible for ensuring that they have reasonable security mechanisms in place to protect student records. Conducting initial and periodic reviews of vendor security controls should satisfy this requirement.
The remaining hurdle is making sure a contractual relationship is in place that ensures the cloud partnership meets FERPA requirements. Specifically, the contract must designate the cloud provider as a “school official” under FERPA to allow the transfer of student educational records. You’ll find more information on this topic in the FERPA cloud guidance available from the Department of Education.