Security Best Practices
This section provides best practice resources related to data security issues. These materials have been designed to help education stakeholders, such as state and local educational agencies, the postsecondary community, and other parties responsible for safeguarding student records, to improve protection of student records in their care. To assist stakeholders in examining their existing information technology (IT) security policies and practices against the best industry practices, the Privacy Technical Assistance Center (PTAC) developed a variety of resources, including recommendations about the internet and network security, user access security, secure data transfer, risk assessment, data breaches, and staff security training. As more and more student records are stored and accessed electronically, these resources will help education stakeholders to minimize the risk of compromising confidentiality, integrity, and availability of the data through inadequate IT security.
Available resources are listed below in chronological order, with the most recent at the top of the page:
The Privacy Technical Assistance Center, working with the Department of Education’s Family Policy Compliance office, has developed a new checklist document that provides a framework for evaluating online educational tools' Terms of Service Agreements. This document is intended to assist users in understanding how a given online service or app will collect, use and/or transmit user information so that they can then decide whether or not to sign up.
The document is available here and is divided into several sections:
- A checklist for evaluating Terms of Service Agreements to ensure that the app or program will handle data in a safe and secure manner.
- Warning signs and potential illegal practices to look out for when using these applications.
- Recommendations and best practices for what you or your organization can do to protect yourself and your data.
This brief offers best practice recommendations for developing and implementing effective authentication processes to help ensure that only appropriate individuals and entities have access to education records. General suggestions provided in the brief are applicable to all modes of data access, be it in person, over the phone, by mail, or electronically.
This document is designed to assist educational agencies and institutions that are considering using cloud computing solutions for education data. It contains responses to frequently asked questions about meeting necessary data privacy and data security requirements, including compliance with the Family Educational Rights and Privacy Act, to ensure proper protection of education records.
This presentation reviews security threats to education data systems, including common ways in which these systems can be exploited. It also offers suggestions on assessing system vulnerabilities and mitigating the risks.
This checklist is designed to assist stakeholder organizations with developing and maintaining a successful data security program by listing essential components that should be considered when building such a program, with focus on solutions and procedures relevant for supporting data security operations of educational agencies.
This brief provides best practices for data security and data management trainings for educational leaders. The brief discusses key training concepts to follow, content, delivery methods, and possible audiences for these trainings.
This brief outlines critical threats to educational data and information systems. Threats are divided into two categories: technical and non-technical. A brief description of each threat is followed by a suggestion of appropriate risk mitigation measures.
Important Internal Revenue Service (IRS) guidance highlighting ongoing phishing attacks against K-12 schools and school districts. These attacks are targeting HR and critical business functions within organizations to access the Personally Identifiable Information (PII) from the W-2 forms of employees and, in some cases, extracting fraudulent payments from their victims. This document contains a summary of the attacks, tactics of the attackers, potential ramifications and links to the official IRS guidance.