Have you ever wondered what would happen if a student’s or teacher’s sensitive data fell into the wrong hands? In today’s digital age, protecting this information is more important than ever. The NIST Cybersecurity Framework requires us to encrypt data both during transmission and while it’s stored. For New York schools, this means ensuring that all student data and teacher or principal Annual Professional Performance Review (APPR) data is encrypted at every stage. Today, we’ll dive into the specific encryption requirements for safeguarding these critical types of data.
Data at Rest
Data at rest refers to data stored on devices or in the cloud. To comply with encryption requirements:
Traditional Hardware
Modern operating systems on desktop computers, laptops, and servers typically encrypt hard drives automatically. The primary challenge lies in ensuring users do not save files to unencrypted boot volumes or disable encryption.
Mobile Devices
Encryption for mobile devices like Chromebooks, tablets, and cell phones has been standard since iOS 3.0 and Android 4.0. The key here is user education: ensuring encryption settings remain enabled and discouraging the sharing of devices containing sensitive data.
Cloud Services
Cloud storage must be encrypted, with access protected by multi-factor authentication (MFA). Educational agencies must ensure their contracts with service providers include data protection agreements (DPA) that mandate encryption. Data can be stored across various platforms, including:
- Google Suite (Gmail, Google Drive, etc.)
- Office 365 (Outlook, OneDrive, etc.)
- EduTech Apps (Blackboard, Kahoot!, etc.)
- Storage Solutions (Barracuda, Cohesity, etc.)
- Social Media Platforms (Facebook, Instagram, etc.)
Data in Transit
Data in transit encompasses data moving across networks or the Internet. Encryption is required for all data movements. Agencies must select suitable encrypted communication products and ensure their use for transmitting confidential information. Examples include:
- Parent Communication: ClassDojo, ParentSquare, Procare
- Teacher/Staff and Student Communication: Bloomz, Remind
- Third-Party Contractor Communication: Gmail, Outlook, Virtru, Zix Mail
- Special Education Communication: Ed Plan, Embrace, Frontline
Unencrypted data, or data in clear text, is highly vulnerable to theft. Ensuring encryption at all stages of data movement and storage is essential to prevent unauthorized access and data breaches.
Data Protection Cheat Sheet
| Data Category | Encryption Requirement | Key Considerations |
|---|---|---|
| Data at Rest | Encrypted hard/flash drive, server, or cloud | Ensure user compliance, disable unencrypted boot volumes, avoid turning off encryption settings |
| Mobile Devices | Standard encryption on iOS and Android | Educate users on maintaining encryption and not sharing devices |
| Cloud Services | Encrypted storage with MFA | Verify third-party encryption, include DPA in contracts, enforce least privilege access |
| Data in Transit | Encrypted during transfer | Use encrypted communication tools, ensure encryption for all data movements, both internal and over the Internet |
Next Steps
Ensuring the security of student and teacher data is a complex but essential task. IKON Edutech Group specializes in providing tailored solutions to enhance data security in educational settings.
CONTACT US to learn more about how we can help you protect your data and comply with NIST Cybersecurity Framework requirements.