6 Things to Consider When Designing a Safe Space for Student Data

Building a safe environment for school district information shares similarities with building a family home. It’s about providing a reliable shelter against inclement weather and unwanted intruders. It’s about creating a space for group discussions and focused activity. It’s about defining special-purpose areas — and securing your valued belongings. Starting with a blueprint that conforms to building code constraints, you lay the foundation, construct the framework according to the floor plan, and develop an options package for design features. And now for the walk-through:

1. The Blueprint: Compliance Data Security and Privacy Plan‍

LinkIt’s plan captures decisions to guide the construction of an information environment that aligns with school district strategies, needs, and concerns. An abbreviated version is posted to our Trust Center as LinkIt’s Privacy Policy. Building a data warehousing, MTSS , assessment, and analytics platform for the K-12 sector is subject to a patchwork of federal, state, and local regulations, much like building codes.

2. The Building Codes: FERPA, COPPA, IDEA, HITECH, etc.

LinkIt’s compliance data security and privacy plan captures details about how we conform to applicable federal, state, and local regulations. Because states and school districts have the power to define K-12-related requirements more strictly than those contained in federal legislation, we also confirm our commitment to these requirements in responses to questions like those related to New York’s EdLaw 2-d, Ohio’s SB 29, California’s Consumer Privacy Act, and Colorado’s Student Data Transparency and Security Act. The Student Data Privacy Consortium (SDPC) and affiliated state and regional alliances have developed standardized agreements that help school districts streamline vetting activities for technology service providers like LinkIt. Other organizations that offer tools related to laying a solid foundation are the Ed-Fi Alliance and 1EdTech.

3. The Foundation: Design Principles

LinkIt incorporates the following foundational design principles to build in security and privacy: transparency; accessibility; limited data purpose, collection, and use; data quality and integrity; security accountability and auditing; and lastly, resiliency. On top of this foundation, we construct the walls that guide how data flows. Guidelines for implementing these design principles are contained in the security and privacy frameworks relevant to the K-12 and LinkIt environments: NIST SP 800-171, Cybersecurity Framework (CSF), ISO/IEC 27001, CIS, and CoSN, for example. These frameworks incorporate standard safety features, but their emphasis and target audience vary. The US government maintains the first two through the National Institute of Standards and Technology (NIST), which invites comments and reviews from all interested parties. The third is an international, nongovernmental effort recommending comprehensive documentation of IT systems and practices. The Center for Internet Security (CIS) advocates for assured global interconnectedness applicable to all vertical economic sectors. The Consortium for School Networking (CoSN) focuses on issues specific to the K-12 community and EdTech leadership. 

4. The Framework: Design Constraints

LinkIt uses the security controls and privacy practices recommended in these frameworks to enable access control, audit trails, boundary protection, configuration management, encryption, file backup, media protection, secure software development, and training. These design constraints inform the floor plan. An open floor plan design is conducive to shared activities; meanwhile, a more traditional floor plan allows greater privacy, and network architecture performs a similar function. LinkIt uses a common entry point—known to many of our customers as “the portal” —for district staff and students to access nonprivileged or public information (e.g., blogs). Non-public activities and privileged information like testing, however, are partitioned into individual rooms and secured behind locked doors. This network segmentation enforces important restrictions so only those with specific authorization can access those locked rooms. Permission to see, use, change, print, share, or remove certain information objects within those spaces is further restricted by role-based access control rules defined by school districts. 

5. The Options Package: Design Features

As with new homes, LinkIt offers options for school districts to certain design features so that product selections align with district strategy and educational support needs. Such design features include the ability for districts to determine individual datasets for collection (e.g., specific demographic, guardian, or attendance information) and define user roles with their associated privileges. LinkIt configures each school district’s platform environment with its preferences. 

6. Certificate of Occupancy: Inspections

Anyone who has lived through an extensive remodeling, new construction, or home-buying project knows that a third-party inspection delivers peace of mind for all involved parties: occupants, insurance companies, and financial partners. LinkIt’s information systems environment receives periodic third-party penetration tests and monthly vulnerability assessments by the Cybersecurity and Infrastructure Security Agency (CISA, which operates under the US Department of Homeland Security). LinkIt also agrees in its contracts to third-party audits performed–and paid for–by school districts. As part of ongoing maintenance, LinkIt works with schools to audit customer accounts to ensure that access privileges remain valid and current.

Conclusion

As with building a family home, building a well-architected data environment like LinkIt’s is just the beginning. Protecting your data is a 24/7 responsibility, wherefore our SOC2-compliant cloud services provider (CSP) monitors system activity and technical infrastructure assets around the clock. SOC 2 compliance is a cybersecurity framework, developed by the American Institute of Certified Public Accountants (AICPA), that ensures Software as a Service (SaaS) service providers (like LinkIt or AWS) securely manage and protect customer data, focusing on security, availability, processing integrity, confidentiality, and privacy. Our CSP patches software and updates anti-malware programs regularly. System anomalies are addressed and mitigated quickly. The remaining issues are escalated to LinkIt’s IT team for further action. Remodeling plans are always on the drawing board to accommodate changes in the legal/regulatory, emerging technology, and threat environments. 

Please check back for updates about our activities and policies related to the CISA Secure by Design Pledge, digital accessibility, and artificial intelligence.

‍

Jennifer's focus is on ensuring the privacy and confidentiality of student, parent, teacher, and company data. She brings extensive experience in maintaining compliance with security frameworks like FERPA, COPPA, NIST SP 800-171, and ISO 27001. She previously served as the cybersecurity director for the Colorado NIST MEP center and was the designated security resource for the six-state Rocky Mountain region. Jennifer is an award-winning director of e-commerce for the State of Indiana, and managed technology implementation projects and telecommunications at Delco Remy International. She is the author of Hacking Wireless Access Points: Cracking, Tracking, and Signal Jacking (Elsevier/Syngress: 2016) and contributor to The Data Breach and Encryption Handbook (ABA: 2011). She holds a B.A. from The American University and an MBA.

‍

‍