CLOUD COMPUTING AND PRIVACY CURRENT PRACTICES IN FAIRFAX COUNTY PUBLIC SCHOOLS



Similar documents
WHAT YOU DON T KNOW CAN HURT YOU

Contracting with a Cloud Service Provider DATA PROTECTION WORKSHOP NJERI OLWENY, MICROSOFT

Virginia Government Finance Officers Association Spring Conference May 28, Cloud Security 101

New York State Education Department Instructional technology plan survey

On Premise Vs Cloud: Selection Approach & Implementation Strategies

Enterprise App Stores: An idea whose time has come?!

Cyberprivacy and Cybersecurity for Health Data

1. Understanding Big Data

WILLSBORO CSD Instructional Technology Plan - Annually

Enterprise Mobility Management -

The Business Case for Cloud: Critical Legal, Business & Diligence Considerations

Bring Your Own Device (BYOD) and Mobile Device Management. tekniqueit.com

Bring Your Own Device (BYOD) and Mobile Device Management.

Department of Technology Services

Data Privacy & Security: Essential Questions Every Business Must Ask

The SparkWeave Private Cloud & Secure Collaboration Suite. Core Features

POLICIES AND REGULATIONS Policy #78

Data Security and Identity Management

IT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014

ETHICAL ELECTRIC PRIVACY POLICY. Last Revised: December 15, 2015

Subject: Overview of Information Technology Services and the Strategic Technology Plan. Proposed Committee Action No Action Required Information Only.

Recommendations for the PIA. Process for Enterprise Services Bus. Development

Utilizing big data to bring about innovative offerings and new revenue streams DATA-DERIVED GROWTH

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Using AWS in the context of Australian Privacy Considerations October 2015

Cloud Computing & Health Care Organizations: Critical Privacy & Security Issues - December 16, 2015

PRIVACY MANAGEMENT ACTIVITIES

Section 4 MANAGEMENT CONTROLS AND PROCESSES. Section 4

BRING YOUR OWN DEVICES:

2015 NMSBA SCHOOL LAW CONFERENCE

NANUET UFSD Instructional Technology Plan - Annually

Bring Your Own Device (BYOD) and Mobile Device Management

BRING YOUR OWN DEVICE (BYOD) AND MOBILE DEVICE MANAGEMENT

Mobile App Developer Agreements

IT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014

FY15 ITC Continuous Improvement Plan Narrative

Mobile Device Management. Simplified centralised Mobile Device Management solutions for the UK education sector.

The Connected Enterprise Driving Business Value with Mobility Collaboration and Trust

CGS Technology Outsourcing

Technology in the Boston Public Schools

IBM EXAM QUESTIONS & ANSWERS

BRING YOUR OWN DEVICE (BYOD)

Texas Transportation Institute Information Resources Strategic Plan

Whether information is on paper or online, the basic privacy rights for students and parents remain the

CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013

Background. Liwei Ren. Trend Micro

Hot Topics in IT. CUAV Conference May 2012

Small Business. Leveraging SBA IT resources to support America s small businesses

MORIAH CSD Instructional Technology Plan - Annually

IT Strategic Planning at Princeton University. Nadine Stern Associate CIO for Operations and Planning December, 2013

IT Self Service and BYOD Markku A Suistola

DATA IN THE CLOUD. A Legal and Policy Guide for School Boards on Student Data Privacy in the Cloud Computing Era APRIL 2014 VERSION 1.

2009 NASCIO Recognition Awards Nomination. A. Title: Sensitive Data Protection with Endpoint Encryption. Category: Information Security and Privacy

Federal CIO: Cloud Selection Toolkit. Georgetown University: Chris Radich Dana Christiansen Doyle Zhang India Donald

03/06/2014. Bring Your Own Device: A Framework for Audit. Acknowledgement

The SparkWeave Private Cloud & Secure Collaboration Suite. Core Features

ios Education Deployment Overview

1. The information we collect and how we collect it.

Thank you for visiting this website, which is owned by Essendant Co.

How To Understand Cloud Computing

Wireless Networking Solutions for Schools. Assisting schools with the implementation of a trusted safe and secure wireless network.

NSW Government. Wireless services (WiFi) Standard

Transcription:

CLOUD COMPUTING AND PRIVACY CURRENT PRACTICES IN FAIRFAX COUNTY PUBLIC SCHOOLS JCOTS Committee Meeting November 18, 2014 Jim Siegl Technology Architect Fairfax County Public Schools

AGENDA Cloud Computing in FCPS Assuring Privacy, Security and Safety in FCPS FCPS Technical Assessment Process Lessons Learned and Challenges Potential Policy Issues Questions

FAIRFAX COUNTY PUBLIC SCHOOLS District Profile 2014-15 enrollment of 186,785 (10th largest in U.S.) 14.4% of Virginia students are enrolled in FCPS Student/Computer Ratio (2:1) Enterprise-wide Wireless Infrastructure Award Winning Technology Management 2013 CIO 100 Award for its Bring Your Own Device (BYOD) Program, in CIO Magazine s top 100 IT organizations in 2011 2012 Excellence.gov award finalists in the category Excellence in Enhancing the Customer Experience 2009 Virginia Governor s Technology Award for Innovative Use of Technology in K-12 Education

CLOUD COMPUTING IN FCPS Instruction Online Textbooks, Research Database and Library ebooks, IB Program Tracking, Learning Management and Assessment, Guidance, Personal Learning Plans, Document Collaboration Community Outreach School Board CMS, Emergency Notification, Surveys, Social Media Finance, Facilities and Transportation Lunch Payments, Booster Club Management, Facilities Scheduling Human Resources Applicant Tracking and Virtual Interviews, Substitute Scheduling, Professional Development and Online Training Information Technology Mobile Device Management, Streaming Video and Web Conferencing

COMMON MODELS OF CLOUD IN K12 AND THEIR PRIVACY IMPLICATIONS Private: District hosted SIS, LMS School Contracted: Microsoft Office 365, Google Apps, Textbooks, iready, or dedicated hosting Operating Systems, App Stores: Apple, Google, Microsoft Freemium +: Free for user/class use with fee for school/district use, or security (e.g. Edmodo, TypingClub) Free with a catch: Ads or data collection (data brokers) Free (and clear): No non-educational data collection Identity Ecosystems: Sign-in with Facebook, Twitter, Google, Microsoft, Yahoo Extended Social Networks: Like buttons, social commenting End-User

FCPS APPROACHES TO CLOUD PRIVACY, SECURITY AND SAFETY Parental Notice and Choice Annual Notice (FERPA/PPRA) and Comprehensive/Selective Opt-Out www.fcps.edu/cco/pubs/optouts/hsoptout.pdf Student Information System Privacy Notice sisparent.fcps.edu/pvue/privacy_pxp.aspx Transparency and Communication Digital Citizenship and Privacy in FCPS www.fcps.edu/is/instructionaltechnology/privacy/ Internet Safety www.fcps.edu/is/instructionaltechnology/internetsafety/ Google Apps FAQ www.fcps.edu/is/instructionaltechnology/googleapps/ Online Contract Register www.fairfaxcounty.gov/cregister/ Contracting: FCPS Confidentiality Addendum defines: Vendor as School Official under FERPA Data Use, Protection, Destruction and Breach Notification Requirements

FCPS APPROACHES TO CLOUD PRIVACY, SECURITY AND SAFETY Policies and Regulations: Staff and Student Acceptable Use Policies (AUP) Social Networking Guidelines and Best Practices Data Classification and Security Guidelines on the Storage of Sensitive Data Regulations: 3008 - Instructional Technology Identification, Evaluation, Approval 6710 - Software Application Acquisition, Development, and Support 6225 - FCPS Information Security Policy Governance: Major System Project Teams Change Control Board (ITIL) Security Governance Board Training: isafe (for Staff) Processes: Technology Assessment

FCPS TECHNICAL ASSESSMENT PROCESS Goal is to Reduce Risk when Implementing Technology by Considering installation, deployment, and support requirements Analyzing potential impact to resources and infrastructure Identifying K-12 related privacy and security concerns Establishing proof of concept environment and appropriate solution designs Assessing the viability, scalability, sustainability of proposed technologies National Recognition of FCPS Technology Adoption Process Gartner (2006) U.S. D.O.E (Arne Duncan,., 2013) School Efficiency Review of Fairfax County Public Schools (2013) 200-250 Assessments per Year Up 200% in the last 2 years, 68% mobile apps Click-wrap agreements are the norm (5 contracts, 1 RFP)

FCPS TECHNICAL ASSESSMENT PROCESS Pass/Fail Criteria: Privacy Policy, Encryption in Transit Account Creation: Data Collected, Data Minimization Privacy Policies and Terms of Use Student Safety: Boundaries & Privacy Controls Advertising Mobile App Testing Network Bandwidth and Load Testing for Large Systems Security Scanning for Sensitive Data Systems e.g. health, finance, parent portal

FCPS LESSONS LEARNED CLOUD COMPUTING BENEFITS AND PRIVACY RELATED RISKS Benefit Risk Leverage analytics capabilities Without proper (and time consuming) review, student data could be collected and used for inappropriate purposes (e.g. targeted marketing) Users access services over the Internet Potential increased security risk (data breach, or accidental data disclosure by users) Rapid provisioning and deployment of new services; large number of free services Ease of signing up lends itself to unregulated/unapproved use Cloud services are updated regularly No control over changes Changes to privacy policies and terms of service with consent/review Privacy related bugs introduced through new features Economies of scale/shared infrastructure Risks of shared infrastructure/database

CLOUD SECURITY AND PRIVACY CHALLENGES Risk: Actual, Contractual, Perceived Vendors and Online Service Challenges High rate of change Contracts vs. click-wrap Hard to understand, hard to validate and hard to negotiate Regulation Challenges Gaps in interpretation (e.g. Education Record, Student Data) Gaps in coverage (FERPA, COPPA, PPRA, HIPAA, School vs. Vendor) School Practice Challenges Balance between edtech innovation and security Managing opt-outs, parental consent/notification Ease of signup/self disclosure Maintaining a central list of vetted educational online services

POTENTIAL POLICY ISSUES Gaps in Existing Virginia Law and Policy VA data breach notification laws do not appear to cover student data breach notification, accountability and redress Guidance is needed regarding K12 use of consumer services not specifically directed at K12 Majority of cloud tools are not acquired through formal contracts District Guidance and Support State role to help school districts with privacy issues (e.g. Chief Privacy Officer) Provide resources, model policies, tech assistance, guidance Privacy Impact Assessment for state mandated/provided technologies Privacy training, e.g. VA cyber safety training law ( 22.1-70.2, 2006)

POTENTIAL POLICY ISSUES Concerns Related to Potential Policymaking: Unintended Consequences Definitions and scope of any policy must be very clearly defined: e.g. education record, student data, secondary use, contract, click-wrap, online educational service, profile Regulation may eliminate opportunities schools have today under FERPA, COPPA and PPRA by obtaining parental consent Regulation may have fiscal and workload impact on districts Feedback on Legislation in other States FCPS s Confidentiality Addendum aligns with California s AB 1584 California s SB 1177 Student Online Personal Information Protection Act ( SOPIPA ) may help address concerns about online educational services for K12 students from non-contracted vendors

QUESTIONS

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information