A recent internal control article discussed issues related to the multitude of media articles about unauthorized access to or inadvertent disclosure of consumers’ personal and financial information on vendors’ websites and on governmental websites. As school districts move more components of their computer systems for financial management, human resources, time and effort, staff and students to cloud systems, and contract out system support, security issues rise to a higher level of importance as increasing amounts of data reside in off-site server farms and off-site technology consultants provide various levels of support for instructional and operational technology systems.
One example of a sleeper data privacy issue is the various free platforms in the cloud where teachers and other staff can drag and drop files, with storage provided up to various size limits. If any one employee does not stop and think about what they are dropping into an electronic filing cabinet in the cloud, they may unknowingly share private protected student or staff data, after bypassing the district’s education technology department or various approval processes. Simply said, limitless omissions in following proper protocols for protected staff, student and financial data can happen after just a couple of clicks.
These issues raise the question: what kind of vetting process does your district follow before implementing a cloud system for operating systems, storage or other purposes? Districts need to be attentive and proactive in training all staff, in monitoring, and in regular communications about the district’s procedures, processes, regulations and policies related to computer systems, the use of any cloud system, and everyone’s responsibility to protect the district’s data. Executive management needs to step back and ask the question “How does the district vet potential cloud providers?” because the district is ultimately responsible for protecting student, staff and other protected data even though the physical servers are not housed in the district’s facilities.
Some questions to ask about vetting new cloud provider vendors include:
- Are district staff prohibited from moving any official district data to new cloud providers or implementing new software systems in the cloud without approval from the instructional technology department and other approval processes?
- Will the district clearly own the data that resides on the cloud provider’s servers?
- Will authorized district staff be able to access the district’s data 24/7 in a functionally ready-to-use format?
- Is encryption provided?
- What do you know about the cloud provider’s backup processes, technology, location and backup policies? How many generations of backups for what periods of time are provided?
- What do you know about who in the cloud provider company will be able to access or read your data?
- Have there been any data breaches at the cloud provider’s servers and what system improvements were installed to address the issue(s)?
- How does the cloud provider provide cyber security including background checks on employees? Are employees bonded? What insurance coverage is provided for the cloud provider’s errors and omissions?
- How does the cloud provider manage secure and mandatory updates to passwords for logons?
- Are brute force and dictionary attack controls integrated in authentication controls for logins?
- Is two-factor authentication provided by the cloud provider?
- What are the cloud provider’s processes for processing clients’ requests for data destruction (after the required time has passed under data retention compliance requirements)?
- Are certification forms provided to the client entity after destruction of data?
- Does the cloud provider have formal documented processes for data destruction for storage devices in machines that will be sent to the manufacturer for service or replacement?
- Do written agreements cover provisions and processes for a client’s request for destruction of data files that are no longer needed and that may also reside in system backups, temporary files, or other storage media?
- Has the cloud provider installed "audit proof" systems and processes for cyber security and compliance? Will the cloud provider certify that it engages qualified consultants for periodic consulting engagements known as a "readiness assessment" to help the cloud provider identify where its cybersecurity processes and controls may need to be shored up?
- Will the cloud provider keep a log of all employees and contractors working for the cloud provider, whenever these individuals log in or access data in any of the district’s cloud storage or operating systems, in addition to maintenance and service activities?
- Will the cloud provider allow onsite visits and monitoring by the district’s staff to periodically review practices, procedures and processes in addition to the physical location of servers supporting the district’s activities on the cloud provider’s premises?
- Are cloud providers contractually obligated to comply with federal and state security regulations such as FERPA (Family Educational Rights and Privacy Act), HIPAA (Health Insurance Portability and Accountability Act), CJIS (Criminal Justice Information Services) and TAC (Texas Administrative Code)?
Simply said, your school district’s data assets are too valuable to risk issues related to employees’ lack of awareness of potential pitfalls in using any one of the very convenient options for free storage and software solutions in the cloud. The convenience can result in extensive remediation measures, not to mention high legal fees. Districts are advised to always seek legal advice before they finish vetting potential new cloud providers and before signing contracts or agreements.