Purpose

To give a brief explanation of FERPA data and the security controls COC has in place for compliance. This document describes the security controls only; it does not cover how information may be disseminated to others. Refer to the GT policies and standards when working with FERPA data.

Scope

Anyone using FERPA data on COC information systems

What is FERPA

FERPA, the Family Educational Rights and Privacy Act, is a federal law that protects the privacy of student education records and gives students (or parents, if the student is under 18) the right to inspect those records and request amendments. Note that FERPA data includes whether a student is enrolled and the student's ID numbers. Also, if the information is shared with, provided by, or collected on behalf of the federal government, it is classified as CUI.

FERPA data that is not CUI is classified by GT as "Sensitive" and must still be handled according to the federal regulation. FERPA itself does not prescribe specific security controls; the NIST SP 800-53 control set is used to satisfy FERPA's requirement to protect this data.

FERPA Directory Information

Under FERPA, “Directory Information” refers to student information that is not generally considered harmful or an invasion of privacy if disclosed. USG has designated the following categories of information as Directory Information:

  • Student’s name
  • Hometown
  • Institution-assigned email address. Under this category, an institution-assigned email address may be disclosed without consent only to other, current students. In addition, students may not request email listings of the entire student body or segments thereof, except for academic purposes.
  • Major field of study
  • Enrollment status (e.g., full-time, part-time)
  • Participation in officially recognized activities and sports
  • Dates of attendance
  • Degrees, honors, and awards received
  • Thesis/Dissertation title
  • The most recent educational institution attended
  • Height and weight of athletes
  • Class Level

Note that this section lists what USG designates as directory information; it does not imply that this information may be disclosed. Refer to Georgia Tech policies on FERPA before disclosing any of it.

Data Security Checklist

The following checklist of controls for FERPA compliance is copied from https://studentprivacy.ed.gov/resources/data-security-checklist

  • Policy and Governance: Develop a comprehensive data governance plan that outlines organizational policies and standards regarding data security and individual privacy protection. The plan should clearly identify staff responsibilities for maintaining data security and empower employees by providing tools they can use to minimize the risks of unauthorized access to PII.
  • Personnel security: Create an Acceptable Use Policy that outlines appropriate and inappropriate uses of Internet, Intranet, and Extranet systems. Incorporate security policies in job descriptions and specify employee responsibilities associated with maintaining compliance with these policies. Conduct regular checks and training to ensure employee understanding of the terms and conditions of their employment. Confirm the trustworthiness of employees through the use of personnel security screenings, policy training, and binding confidentiality agreements.
  • Physical security: Make computing resources physically unavailable to unauthorized users. This includes securing access to any areas where sensitive data (i.e., data that carries the risk for harm from an unauthorized or inadvertent disclosure) is stored and processed, such as buildings and server rooms. An unlocked server room is an invitation for malicious or accidental damage. Monitor access to these areas to prevent intrusion attempts (e.g., by administering identification badges and requiring staff and visitors to log in prior to entering the premises or accessing the resources).
  • Network mapping: Network mapping provides a critical understanding of the enterprise (servers, routers, etc.) and its connections. Furthermore, network mapping can capture applications and associated data. A robust mapping capability will map the dependencies between applications, data, and network layers, and highlight potential vulnerabilities. There are a number of network mapping tools available.
  • Inventory of assets: The inventory should include both authorized and unauthorized devices used in your computing environment. These devices are often scanned and discovered by automated programs (continuously searching the internet for vulnerabilities), and if unsecured devices are discovered, they can be compromised. Inventorying, when used in conjunction with network mapping, will give your organization a better understanding of the security requirements needed to protect your assets.
  • Authentication: The ways in which someone may be authenticated fall into three categories: something you know, something you have, or something you are. Two-factor authentication (TFA) combines two of these elements and is more costly, but provides more security. Consider TFA for remote users or privileged “super users.” Authentication technologies provide assurance that the person is authorized to access network assets, services, and information.
  • Provide a layered defense: Employ a “Defense in Depth” architecture that uses a wide spectrum of tools arrayed in a complementary fashion. The most common layers to protect are hosts (individual computers), applications, network, and perimeter. There are specific security controls that are suited for use at each of these layers. Relying on a firewall alone to protect your network is never adequate.
  • Secure configurations: It is a best practice not to put any hardware or software onto your network until it has been security tested and configured to optimize its security. Continuous scanning to ensure system components remain in a secure state is a critical capability that will enhance data security protection. Proactive management of security risks also involves establishing a comprehensive change management program to analyze and address security and privacy risks introduced by new technology or business processes.
  • Access control: Securing data access includes requiring strong passwords and multiple levels of user authentication, setting limits on the length of data access (e.g., locking access after the session timeout), limiting logical access to sensitive data and resources, and limiting administrative privileges. Role-based access is essential for protecting PII and sensitive data; defining specified roles and privileges for users is a required security procedure. Sensitive data that few personnel have access to should not be stored on the same server as other types of data used by more personnel without additional protections for the data (e.g., encryption).
  • Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS): A firewall is a device designed to permit or deny network transmissions based on a set of rules. Firewalls are frequently used to protect networks from unauthorized access, while permitting legitimate communications to pass. An IDPS is a monitoring device that is designed to detect malicious activity on the network. Although some automatically take remediation action, most report suspicious activity to a central monitoring point for further analysis.
  • Automated vulnerability scanning: When new vulnerabilities (to hardware, operating systems, applications, and other network devices) are discovered, hackers immediately scan networks for these vulnerabilities. Scanning your network and systems on a regular basis will minimize the time of exposure to known vulnerabilities.
  • Patch management: Patch management is the process of using a strategy and plan for the testing and roll-out of software updates and patches on a regular basis. The plan should address how patches will be applied to which systems at a specified time. A patch is a piece of code that protects computers and applications by updating the security state against new threats or vulnerabilities. Used in conjunction with vulnerability scanning, the enterprise can quickly shut down any vulnerability discovered.
  • Shut down unnecessary services: Each port, protocol, or service is a potential avenue for ingress into your enterprise. A best practice, which should be part of a secure configuration, should include shutting down all services and ports that are not required in your computing environment. A secure enterprise will continually monitor for the use of unapproved ports, protocols, or services.
  • Mobile devices: When sensitive data is stored on servers or on mobile devices, such as laptops or smartphones, the data should be encrypted. There are far too many examples of mobile devices being lost or stolen, and the subsequent exposure of the sensitive information stored on those devices in the public domain.
  • Emailing confidential data: Consider the sensitivity level of the data to be sent over the email. Emailing unprotected PII or sensitive data poses a high security risk. It is recommended that organizations use alternative practices to protect the transmission of this data. These practices include mailing paper copies via secure carrier, de-sensitizing data before transmission, and applying technical solutions for transferring files electronically (e.g., encrypting data files and/or encrypting email transmissions themselves).
  • Incident handling: When an incident does occur, it is critical to have a process in place to both contain and fix the problem. Procedures for users, security personnel, and managers need to be established to define the appropriate roles and actions. Outside experts may be required to do a forensic investigation of the incident, but having the correct procedures in place initially will minimize the impact and damage.
  • Audit and compliance monitoring: Audits are used to provide an independent assessment of your data protection capabilities and procedures.

Related Links

  • Protecting Student Privacy: https://studentprivacy.ed.gov/
  • Georgia Tech FERPA educational information: https://registrar.gatech.edu/ferpa