Ensure Privacy and Security
Ensuring that privacy and information security protections are in place is fundamental to the ethical use of data and thus to choosing a vendor. Most CIOs and IT departments have a good handle on what standards vendors should meet to merit access to student data. In fact, in the Higher Education Cloud Vendor Assessment Tool, there are over 300 information security and privacy questions for vendors to answer about their products.[1] However, there are a few things for non-technical decision makers to keep in mind. Vendors should be able to easily answer questions about the administrative, technological, and physical security and privacy safeguards they employ. If they struggle to answer these questions, that could be a signal to dig deeper into their security and privacy practices.
Security and Privacy Resources
University of California: Learning Data Privacy Practices and Learning Data Privacy Practices
EDUCAUSE: Higher Education Cloud Vendor Assessment Tool
Vendor Security Technical Assessment of Risk (V-STAR)
Protecting Student Privacy While Using Online Educational Services: Model Terms of Service
EDUCAUSE: Information Security Guide: Effective Practices and Solutions for Higher Education
Administrative Safeguards
Administrative safeguards are the management statements that an organization puts into place to protect information security and privacy. Colleges should ask vendors who can view the institution’s data, both in the vendor’s product and where it is stored in the vendor’s IT systems, and how the vendor controls that access. As human error is one of the biggest sources of security breaches, it is important to check that vendors are training all of their staff, including technical staff, on security procedures and ethics. Colleges should ask if the vendor keeps a log of who has access to records so that an audit can be conducted to ensure that employees are not inappropriately viewing records to satisfy their curiosity about a friend or family member. Keeping these logs indicates the vendor’s attitude toward verifying how its staff handles data and allows for forensic analysis if something goes wrong. Vendors should also meet all appropriate data standards, such as those from the National Institute of Standards and Technology. The Higher Education Cloud Vendor Assessment Tool shows how all of these standards apply to security practices.
Technological Safeguards
Technological safeguards are the controls implemented in a college’s or vendor’s IT systems that protect those systems and the data located in them. There are a number of good technological practices for ensuring student data security, including industry-standard encryption and secure data connections. Ask if the data are encrypted using industry-standard encryption both when stored at the vendor and when transferred between the institution and the vendor. Ask whether the vendor has passed an industry-standard security scan and, if so, which one. Also ask if the vendor’s employees have remote access to the data, and check if the tool can mask certain sensitive data from certain types of users, which allows colleges to present data only to staff members with a compelling need to know.
Physical Safeguards
Physical safeguards are the controls put into place to keep unauthorized individuals out of controlled areas (e.g., data centers) or from accessing IT systems or data. These include controls designed to protect physical media like laptops, servers, storage media, and mobile devices. For example, Washington State University found that a hard drive containing personal information on over 1 million students had been stolen from a locked storage container in spring 2017.[2] Incidents like this show why securing the location of your data is an important consideration. Ask vendors if data will be stored in a physically secured location. It is also worth asking if employees are allowed to take data home or on travel; both increase the chances of theft or carelessness that could lead to a data breach.