For those who care about the privacy of student information, it is equally important to address issues of IT security – for even the best privacy policies and laws are meaningless if student data is left exposed to unauthorized personnel on school computers or out on the internet. As I’ve noted previously, I think there is an abundance of evidence to suggest that school district practice represents the weakest link in protecting student data privacy and that we need to do more to build school district capacity to manage student data.
Every school district should be able to answer three very simple questions about their IT and student data security practices:
1. What are school district password policies to protect private student data from access by unauthorized personnel?
Good policies will require that default accounts and passwords are disabled, that passwords and accounts not be shared by authorized users, that passwords follow minimum standards in terms of length and use of special characters, that passwords are changed periodically, that authorized logins time out after a period of inactivity, and that unsuccessful login attempts are automatically logged by the IT system for audit purposes.
2. When private student data is accessed on a network, are those connections secure and encrypted to prevent access by unauthorized personnel?
Encrypted connections should be the standard for accessing student data on internal and external networks.
3. How is the technology that hosts private student data physically protected from access by unauthorized personnel?
Servers, routers, and switches that host or communicate with external services that use student data should be secured from access by unauthorized personnel.
What might we find when we ask these questions of school districts? Well, thanks to the Department of Audit in the State of Wyoming we have some idea. It turns out they ask these questions and more of school districts as part of their audit process of Wyoming districts’ student information systems, since these systems provide data to the state with respect to the state education funding formula. Their bottom line finding: school district “security tends to be on the weaker side.” For instance, they found school district:
- passwords tended to be short and were generally not required to be changed on a regular basis;
- too many incorrect login attempts to student data systems were allowed before users were locked out, if they ever were;
- there were extended sessions timeouts, which allowed computers to be connected to student data systems for long periods of inactivity;
- accounts with administrative access were shared; and
- default accounts and passwords remained active.
Their assessment of the root cause for these basic IT security failings was two-fold: (1) school district personnel were unaware of security issues and lacked IT expertise to address them (or even understand why they were an issue at all); and, (2) school districts’ prioritize their convenience over good security practices, because – for example – changing passwords often or re-logging into systems after extended inactivity was inconvenient. In fact, the auditors noted that most school districts did not even have comprehensive IT policies and procedures in place that could guide them in making good decisions.
Finally, the auditors made recommendations on how to shore up school district IT security practice. First, they noted that school districts should institute comprehensive IT policies and procedures that include issues of IT security. Second, they called for increased IT security training resources for school districts. And, third, the auditors felt that minimum security guidelines should be established by the state and required of all school districts (via statute or state department of education rule).
I have no reason to believe that school districts in the other 49 states (and DC and the territories) are in any better place. The auditors in the state of Wyoming have merely shed important light on school district IT security practices and offer – to my read – some good, common sense recommendations on how their state leaders could respond. This advice and approach could and should be modeled in other states and is pertinent, as well, to national conversations about how we work to shore up student data privacy practices in every state and for every student.
For those interested in more, you can read the public memorandum (delivered to the Wyoming Task Force on Digital Information Privacy) here: