Data Protection and Access Controls

By Beth Tomev and contributed to by Ed Snow and Annette Smith, Wisconsin DPI 

The mantra all school leaders should be repeating when protecting their school’s data is, “Back up, back up, back up.” Data privacy is an ever-growing concern and most of the data collected is part of a regulatory requirement. If that data, such as student social security numbers, Individualized Education Plans (IEP) with medical information, or teacher personally identifiable information, is stolen, lost, or accidentally released, the data breach most often needs to be publicly reported. By protecting data upfront and limiting any infrastructure vulnerabilities, a school or district will save itself from the high costs of data retrieval, reparations, and possible legal ramifications.

Last month’s AWSA article laid out how to build an inventory and take control of software assets. A similar approach, with multiple back-ups, should be used for data and access controls. Built around NNT’s CIS Controls, the Department of Public Instruction is sharing some tips to help school and district leaders get started and develop an ongoing process to secure data.

A school or district should start by developing a data management process. During this process, make sure to cover how sensitive is the data, who is the data owner, how data should be handled, how long you are legally required to keep the data, as well as when the data can be disposed. Also, regularly audit to enforce the data retention and disposal timelines.

Once a data management process is in place, establish and maintain a data inventory. At the very least, inventory the most sensitive or critical data. In addition, it may be necessary to house data in separate locations. Review and update the inventory each year, prioritizing sensitive data.

To determine which data is more sensitive than others, establish and maintain a data classification scheme. Decide on categories such as classified, confidential, and public then classify data accordingly. Once again, review and update the classification scheme on a yearly basis.

Another way to keep sensitive data secure is to enable device encryption through features like Windows BitLocker®, Apple FileVault®, and Linux® dm-crypt.

Putting processes in place, inventorying, and classifying data are a good start at protecting data, but you must also control who has access to the data within your school or district. Your IT team should configure a data access control list—who has permission to access certain applications, software, databases, and files appropriate to their role.

Develop and enforce an access granting process, preferably automated. Access might be determined based on need to know, separation of duties, or privacy requirements. Be consistent when creating, assigning, managing access credentials and privileges for users in your school or district.

Just as important is an access revoking process. Accounts should be changed immediately when a user leaves, is terminated, or has a role change. It may be necessary to disable accounts, instead of deleting, to keep the work history and document trails.

And finally, users who have high priority access rights should follow an MFA (multi-factor authentication)—two or more independent credentials. PAM (Privileged Access Management) tools can be used for privileged accounts, which provide a one-time password for each use.

Protecting student and staff data is a large and necessary undertaking. The process is a continuous activity, requiring time, attention, and resources. By establishing and enforcing multiple backup plans through managed processes, inventories, and access controls, your schools or district’s data will be kept safer from potential hackers. For more information, please contact Ed Snow or Dr. Annette Smith with the DPI’s Instructional Technology Services Team or visit for resources and cyber/data announcements.