
As more data is stored in the cloud or transferred to third parties, how can you protect your data? Is it better to self-host your data or partner with third parties? If you self-host, do you have the manpower, policies, and procedures in place to protect the data? If you partner with third parties, how can you ensure your data is being protected? Every district is unique in its operations, and some level of risk is always assumed.
In light of recent third-party data breaches, the tips below describe how to protect yourself and mitigate the risk.
- Maintain an inventory of products sharing PII with third parties and the data being shared.
- Data Minimization – only share what is necessary. If using an SSO, confirm what rostering information is automatically sent to the vendor.
- Data Deletion – on a scheduled basis, remove all data you are no longer required to maintain, and receive confirmation from the vendor that the data was deleted. If you have local backups, ensure they are being deleted on a scheduled basis.
- Service/instance disabled – when you no longer use a service, confirm that the instance was closed/is no longer live.
- Post your list of applications and associated data privacy agreements behind a parent portal – not public.
- If self-hosted, have firewall rules that prevent authentication from non-US IP ranges.
- Confirm that the vendor, including its third-party processors, requires SSL and MFA.
- Incorporate data loss prevention tools and implement Just Enough Access (JEA) and Just In Time (JIT).
- Follow Privacy Best Practices
- Share “How to Protect Your Child From Identity Theft” with parents.
- Advise parents to check children’s credit before high school graduation and lock their credit now.
- Join MOSPA (Missouri Student Privacy Alliance) – https://www.more.net/solutions/security-data-privacy/student-privacy/
For specific questions about MOSPA, please email dataprivacy@more.net.