How safe is my student data?

The risks are manageable
The relative difficulty of discovering new zero-day attacks means that these methods fetch a hefty sum in underground trading due to their rarity. Typically those who are purchasing the heretofore unknown exploits are looking to make a return on their investment. Schools, and the services that work with schools, are low priority targets, as frequently the data isn’t valuable to hackers. The most valuable resource schools provide to criminals are the many computers on fast internet connections to create a bot-net—a remotely controlled collection of computers used to send spam or other nefarious data.

Known vulnerabilities are more common and there is extensive information about how to exploit the holes, and protect against them on the internet. Keep up with all of your updates (you have moved on from XP, right?) and follow established good practices and you will have very few vulnerabilities.

What you can do
While you can take steps to secure your own resources, the data you send to online partners is dependent on those companies following best practices as well. The first thing to think about is what data is being sent to your partners. An example might be using an ID which is not confidential. Every site needs a unique ID for each student, and some will ask for the Statewide Student ID, but in many cases other, less sensitive data can be used.

Another consideration is how the services acquire student information. Creating an exemption in the firewall to make a connection, sending information over unencrypted connections (like email), or making a direct connection to the student information or the directory server are all practices that significantly increase your exposure to security breaches.

The last consideration is to check if your online partner has made the appropriate preparations themselves. Here are some questions to ask that will help in determining if they have the right precautions in mind: How do you monitor for data breaches? What is your protocol and notification policy after finding there was a breach? What backup and disaster recovery methods do you have in place?

If you’re doing everything you can do, the remainder of the responsibility is on them. A responsible partner will have answers ready for these questions and will take your concerns seriously. If the response is “That’s not possible,” it may be time to leave your partner—and their vulnerabilities—behind.

Jared Prolo is coordinator of assessment, research, and evaluation services for the San Mateo-Foster City School District in California. Previously he served as IT program specialist and technology facilitator.