Thanks to our latest partner, Learn21/CoSN Ohio, we’ve formulated a comprehensive resource for best practices with student data. Whether you're considering FinalForms or investigating online student data in general, we believe the following information will provide a good foundation for your research.
The following is derived from: https://cosn.org/sites/default/files/03_SecurityQuestions.pdf and our answers are noted in red.
- - - - -
FinalForms' security practices ensure that data shared with and collected within FinalForms remains private and protected. FinalForms can provide documentation to your security point of contact to confirm security practices comply both with school system policies and applicable laws. While neither FERPA nor COPPA prescribes specific security standards, school systems should look to industry suggested practices when assessing any online service provider.
The following is a non-exhaustive list of key security questions to discuss with your provider. A service level agreement (SLA) should include as many of these considerations as possible.
- What data does the provider collect?
- What, if any, data is collected by third parties (e.g., via cookies, plug-ins, ad networks, web beacons, etc.)?
- FinalForms only collects data specifically required, requested, and approved by the customer.
- FinalForms does not sell any data in any format, period.
- FinalForms does not currently hold any, or enter into any, partnerships that let other applications leech data.
- FinalForms does not allow third-party cookies, include advertisements, engage in ad networks, or utilize web beacons.
Network Operations Center Management and Security
- Does the provider perform regular penetration testing, vulnerability management, and intrusion prevention?
- Are all network devices located in secure facilities and under controlled circumstances (e.g. ID cards, entry logs)?
Developers access data via key-based SSH.
- Are backups performed and tested regularly and stored off-site?
- How are these backups secured? Disposed of?
- Are software vulnerabilities patched routinely or automatically on all servers?
FinalForms understands the legal and ethical issues surrounding data security. FinalForms employs FERPA and HIPAA compliant, military grade Amazon Web Servers. AWS provides the industry's most reliable, redundant, and secure servers.
- AWS performs backups nightly and stores backups offsite.
- FinalForms developers access data via key-based SSH.
- FinalForms rigorously maintains up-to-date frameworks and languages.
- FinalForms routinely monitors and evaluates its service at every level of the stack.
Data Storage and Data Access
- Where will the information be stored and how is data "at rest" protected (i.e. data in the data center)?
- Will any data be stored outside the United States?
- Is all or some data at rest encrypted (e.g. just passwords, passwords and sensitive data, all data) and what encryption method is used?
- How will the information be stored?
- If the cloud application is multitenant (several districts on one server/instance) hosting, how are data and access separated from other customers?
- FERPA requires that records for a school be maintained separately, and not be mingled with data from other school systems or users.
- Are the physical server(s) in a secured, locked and monitored environment to prevent unauthorized entry and/or theft?
- How does the provider protect data in transit? e.g. SSL, hashing?
- Who has access to information stored or processed by the provider?
- Under FERPA, individuals employed by the provider may only access school records when necessary to provide the service to the School System.
- Does the provider perform background checks on personnel with administrative access to servers, applications and customer data?
- Does the provider subcontract any functions, such as analytics?
- What is the provider's process for authenticating callers and resetting access controls, as well as establishing and deleting accounts?
- If student or other sensitive data is transferred/uploaded to the provider, are all uploads via SFTP or HTTPS?
FinalForms uses FERPA and HIPAA compliant, military grade Amazon Technology. While there is no FERPA certification for a service provider such as FinalForms, in order to meet the FERPA requirements applicable to our operating model, FinalForms aligns our FERPA risk management program, available here.
- All data is stored within the US.
- FinalForms resides on multi-tenant architecture. Each customer's custom application exists on a unique, secure database.
- AWS hosting facilities meet the highest standards of physical security, redundancy, and monitoring.
- All requests and access to data are executed through HTTPS, SFTP, or SSH.
- Data is encrypted at rest, leveraging SHA 256 encryption.
- Within FinalForms, only Executives, Senior Developers, and Senior Support Staff have access to student data. All FinalForms personnel complete a rigorous, industry standard, background check prior to gaining access to any portion of the FinalForms application.
- FinalForms does not subcontract with any third parties outside of our hosting provider, AWS.
- FinalForms holds personal information, including email addresses, as confidential. Unauthenticated inquiries from students, parents, or staff are immediately denied.
- Authorized Parents/Guardians may, at any time, inspect, review, update, or correct form data which they believe to be inaccurate or obsolete. Authorized Administrators may access time-stamped form data change logs based on Parent/Guardian updates at any time for any purpose deemed necessary by the educational institution in accordance with applicable law.
Data and Metadata Retention
- How does the provider assure the proper management and disposal of data?
- The provider should only keep data as long as necessary to perform the services to the School.
- How will the provider delete data?
- Is data deleted on a specific schedule or only on termination of contract? Can your School request that information be deleted? What is the protocol for such a request?
- You should be able to request a copy of the information maintained by the provider at any time.
- All data disclosed to the provider or collected by the provider must be disposed of by reasonable means to protect against unauthorized access or use.
- Upon termination of the contract, the provider should return all records or data and properly delete any copies still in its possession.
- FinalForms retains data for the school district indefinitely, even after termination of services, unless a data purge or deletion is requested by the school district. Data deletions and purges are permanent and non-reversible.
- Customers may request a copy of their database at any time. The database will be encrypted and passed to the client via SFTP.
Development and Change Management Process
- Does the provider follow standardized and documented procedures for coding, configuration management, patch installation, and change management for all servers involved in delivery of contracted services?
- Are practices regularly audited?
- Does the provider notify the School System about any changes that will affect the security, storage, usage, or disposal of any information received or collected directly from the School?
- FinalForms strictly follows secure procedures when deploying new versions of the application. The deployment process includes audits and logs.
- FinalForms painstakingly designed the process for zero downtime, which has proven to be flawless since inception in 2012.
- As FinalForms serves all customers directly, notifications regarding changes in data management practices are sent to all appropriate authorized users and contacts.
- Does the provider offer a guaranteed service level?
- What is the backup-and-restore process in case of a disaster?
- What is the provider's protection against denial-of-service attack?
- FinalForms not only guarantees industry-best 99.99% uptime, but also provides a record of 99.99+% uptime since inception in 2012.
- The FinalForms disaster recovery plan remains in place at all times in order to rapidly respond to seen and unforeseen data disasters. Daily redundant, remote backups guarantee 24-hour protection against disaster scenarios, including DDoS attacks.
- The FinalForms web service seamlessly scales to handle indefinite loads.
Audits and Standards
- Does the provider provide the School System the ability to audit the security and privacy of records?
- Have the provider's security operations been reviewed or audited by an outside group?
- Does the provider comply with a security standard such as the International Organization for Standardization (ISO) or the Payment Card Industry Data Security Standards (PCI DSS)?
- FinalForms may provide extensive documentation regarding privacy and/or security inquiries. The FinalForms CTO responds directly, within 24 hours, to any privacy and/or security questions not answered by immediately available FinalForms personnel or publicly available documentation.
- FinalForms has passed multiple third party audits, including ISO and PCI Compliance.
Test and Development Environments
- Will "live" student data be used in non-production (e.g. test or development, training) environment?
- Are these environments secure to the same standard as production data?
- FinalForms provisions test databases using applicable student data for best results during tests and interface development. These local databases reside on secure computers and are inaccessible remotely.
Data Breach, Incident Investigation and Response
- What happens if your online service provider has a data breach?
- Do you have the ability to perform security incident investigations or e-discovery? If not, will the provider assist you? For example, does the provider log end user, administrative and maintenance activity and are these logs available to the School System for incident investigation?
- FinalForms thoroughly logs all interaction within the application and environment. Should any security incident occur, FinalForms will release a statement within 24 hours. The statement would include a description including all relevant details, exposures and courses of action. Furthermore, the statement would include steps to be taken to mitigate exposures and to avoid further incidents.