Ask The Security Expert: Questions & Answers

How to prepare for a FERPA audit

EXPERT RESPONSE FROM: David Mortman, featured expert

QUESTION POSED ON: 31 July 2009
What are the basic security-related compliance issues involved with FERPA?


The Family Educational Rights and Privacy Act (FERPA) is a privacy law designed to protect student education records. It grants parents (for minors) and students (over the age of 18 or in post-high school education) certain rights with regard to their records.

Specifically, it grants them the ability to review and inspect student records as well as request that errors in those records be corrected. From a security perspective, a school needs written permission to release student records. There are, of course, a number of exceptions to this rule. Some FERPA exceptions, taken straight from the law itself, 34 CFR § 99.31, include:

  1. The disclosure of student records to other school officials, including teachers, whom the agency has determined to have legitimate educational interests.
  2. The disclosure of records -- subject to the requirements of Sec. 99.34 -- to officials of another school, school system, or institution of postsecondary education where the student seeks or intends to enroll.
  3. The disclosure of records -- subject to the requirements of Sec. 99.35 -- to authorized representatives of:
    1. The Comptroller General of the United States
    2. The Attorney General of the United States
    3. The Secretary
    4. State and local educational authorities

Other possible exceptions include financial aid, improvement of instruction, accreditation institutions and assorted other legal courses to name but a few.

Additionally, FERPA grants educational institutions the ability to publish a student directory of publicly available information such as names, addresses, phone numbers and date of birth. However, the institution must give students (or parents in the case of minors) sufficient notice of the intent to publish this information so they have the ability to opt out of having their data published.

FERPA does not have specific audit log requirements per se, but it does require that institutions maintain logs of who has authorized access to which records; it also mandates that records be stored in such a way that those who shouldn't have access don't, and that records are destroyed when they are no longer necessary. Translation: As an institution, you need policies, procedures and technologies that provide authentication and authorization as well as document retention/destruction capabilities for all student data. Talk to your auditors to see what more specific requirements they'd like you to meet.

All Rights Reserved, Copyright 2003 - 2009, TechTarget