Security Best Practices

This section provides best practice resources related to data security issues. These materials have been designed to help education stakeholders, such as state and local educational agencies, the postsecondary community, and other parties responsible for safeguarding student records, to improve protection of student records in their care.

Guidance

Best Practices for Data Destruction

The Data Destruction Document is a best practices guide on properly destroying sensitive student data after it is no longer needed. It details the life cycle of data and discusses various legal requirements relating to the destruction of data under FERPA, and examines a variety of methods for properly destroying data. The guide also discusses best practices for data destruction and provides some real-world examples of how to implement it within your organization.

Guidance

Cyber Advisory - New Type of Cyber Extortion / Threat Attack

Schools have long been targets for cyber thieves and criminals. We are writing to let you know of a new threat, where the criminals are seeking to extort money from school districts and other educational institutions on the threat of releasing sensitive data from student records. In some cases, this has included threats of violence, shaming, or bullying the children unless payment is received.

Guidance

Data Breach Response Training Kit

Any organization with electronic records is vulnerable to security breaches, and education agencies are no exception. The PTAC Data Breach Scenario is one of a series of exercises intended to assist schools, districts, and other educational organizations with internal data security training.

The Password Data Breach interactive exercise is aimed at district management and provides a simulated response to a district-level data breach. Over the course of 1-2 hours, this customizable exercise leads participants through a scenario involving a breach of student information and other personally identifiable information. The exercise focuses on the processes, procedures, and skills needed to respond. The package includes three parts: Facilitator’s Guide, PowerPoint Slides, and Exercise Handouts.

Best Practices

W 2 Phishing Scam

Important Internal Revenue Service (IRS) guidance highlighting ongoing phishing attacks against K-12 schools and school districts. These attacks are targeting HR and critical business functions within organizations to access the Personally Identifiable Information (PII) from the W-2 forms of employees and, in some cases, extracting fraudulent payments from their victims. This document contains a summary of the attacks, tactics of the attackers, potential ramifications and links to the official IRS guidance.

Guidance

Videos

What Parents Need to Know about their Student's Data

This video, intended for parents, provides guidance and information on what questions they might want to ask their schools or districts if they have questions about the data the district collects and/or maintains. The video also provides an overview of the types of questions parents should ask and why.

Guidance

Videos

Developing a Privacy Policy for Your District

This video provides an overview and rationale for why districts need to develop a program to protect student data.

Guidance

Data Security Checklist

This checklist is designed to assist stakeholder organizations with developing and maintaining a successful data security program by listing essential components that should be considered when building such a program, with focus on solutions and procedures relevant for supporting data security operations of educational agencies.

Guidance

Data Security Threats: Education Systems in the Crosshairs

This presentation reviews security threats to education data systems, including common ways in which these systems can be exploited. It also offers suggestions on assessing system vulnerabilities and mitigating the risks.

Guidance

Cloud Computing FAQ

This document is designed to assist educational agencies and institutions that are considering using cloud computing solutions for education data. It contains responses to frequently asked questions about meeting necessary data privacy and data security requirements, including compliance with the Family Educational Rights and Privacy Act, to ensure proper protection of education records.

Guidance

Identity Authentication Best Practices

This brief offers best practice recommendations for developing and implementing effective authentication processes to help ensure that only appropriate individuals and entities have access to education records. General suggestions provided in the brief are applicable to all modes of data access, be it in person, over the phone, by mail, or electronically.

Search form

Search form