January 18, 2019
Thanks to our latest partner, Learn21/CoSN Ohio, we’ve formulated a comprehensive resource for best practices with student data. Whether you’re considering FinalForms or investigating online student data in general, we believe the following information will provide a good foundation for your research.
The following is derived from: https://cosn.org/sites/default/files/03_SecurityQuestions.pdf and our answers are noted in red italics.
- - - - -
It is important to understand your provider’s security practices to ensure that data shared with and collected by the provider remain private and protected. You should work with your school system’s security point of contact to determine whether the security practices of the provider comply both with School System policies and applicable laws. While neither FERPA nor COPPA prescribes specific security standards, school systems should look to industry suggested practices when assessing an online service provider.
The following is a non-exhaustive list of key security questions to discuss with your provider. A service level agreement (SLA) should include as many of these considerations as possible.
What data does the provider collect?
What, if any, data is collected by third parties (e.g., via cookies, plug-ins, ad networks, web beacons etc.)?
FinalForms only collects data specifically requested and approved by the school district.
FinalForms does not sell any data in any format, period. FinalForms does not currently hold, or enter into, any partnerships that let other applications leech data.
Does the provider perform regular penetration testing, vulnerability management, and intrusion prevention?
Are all network devices located in secure facilities and under controlled circumstances (e.g. ID cards, entry logs)?
Are backups performed and tested regularly and stored off-site?
How are these backups secured? Disposed of?
Are software vulnerabilities patched routinely or automatically on all servers?
FinalForms prioritized data security and integrity from day one. We use FERPA and HIPAA compliant military grade Amazon Web Servers, which have proven to be the industry’s most reliable, redundant, and secure servers.
AWS performs backups nightly and stores backups offsite.
Developers access data via key-based SSH.
FinalForms rigorously maintains up-to-date frameworks and languages.
FinalForms routinely monitors and evaluates its service at every level of the stack.
Where will the information be stored and how is data “at rest” protected (i.e. data in the data center)?
Will any data be stored outside the United States?
Is all or some data at rest encrypted (e.g. just passwords, passwords and sensitive data, all data) and what encryption method is used?
How will the information be stored?
If the cloud application is multitenant (several districts on one server/instance) hosting, how is data and access separated from other customers?
FERPA requires that records for a school be maintained separately, and not be mingled with data from other school systems or users.
Are the physical server(s) in a secured, locked and monitored environment to prevent unauthorized entry and/or theft?
How does the provider protect data in transit (e.g. SSL, hashing)?
Who has access to information stored or processed by the provider?
Under FERPA, individuals employed by the provider may only access school records when necessary to provide the service to the School System.
Does the provider perform background checks on personnel with administrative access to servers, applications and customer data?
Does the provider subcontract any functions, such as analytics?
What is the provider’s process for authenticating callers and resetting access controls, as well as establishing and deleting accounts?
If student or other sensitive data is transferred/uploaded to the provider, are all uploads via SFTP or HTTPS?
Again, FinalForms uses FERPA and HIPAA compliant military grade Amazon Web Servers, which have proven to be the industry’s most reliable, redundant, and secure servers.
All data is stored within the US.
FinalForms is multi-tenant. Each customer’s custom application exists on a unique, secure database.
AWS hosting facilities meet the highest standards of physical security, redundancy, and monitoring.
All requests and access to data are completed through HTTPS, SFTP, or SSH.
Data is encrypted at rest, leveraging SHA 256 encryption.
Within FinalForms, only Executives, Senior Developers, and Senior Support Staff have access to student data. All FinalForms personnel complete a rigorous background check prior to gaining access to sensitive data.
We do not subcontract with any third parties outside of our hosting provider, AWS.
FinalForms holds personal information, including email addresses, as confidential. Unauthenticated inquiries from students, parents, or staff are immediately denied.
How does the provider assure the proper management and disposal of data?
The provider should only keep data as long as necessary to perform the services to the School.
How will the provider delete data?
Is data deleted on a specific schedule or only on termination of contract? Can your School request that information be deleted? What is the protocol for such a request?
You should be able to request a copy of the information maintained by the provider at any time.
All data disclosed to the provider or collected by the provider must be disposed of by reasonable means to protect against unauthorized access or use.
Upon termination of the contract, the provider should return all records or data and properly delete any copies still in its possession.
FinalForms retains data for the school district indefinitely, even after termination of services, unless a data purge is requested by the school district. Data purges are permanent and non-reversible.
Schools and Districts may request a copy of the database at any time. This will be encrypted and passed to the client via SFTP.
Does the provider follow standardized and documented procedures for coding, configuration management, patch installation, and change management for all servers involved in delivery of contracted services?
Are practices regularly audited?
Does the provider notify the School System about any changes that will affect the security, storage, usage, or disposal of any information received or collected directly from the School?
FinalForms strictly follows secure procedures when deploying new versions of the application. The deployment process includes audits and logs.
FinalForms painstakingly designed the process for zero downtime.
As FinalForms serves all customers directly, notifications regarding changes in data management practices are sent to all appropriate contacts.
Does the provider offer a guaranteed service level?
What is the backup-and-restore process in case of a disaster?
What is the provider’s protection against denial-of-service attack?
FinalForms not only guarantees industry-best 99.99% uptime, but also provides a record of 99.99+% uptime since its inception in 2012.
Our disaster recovery plan remains in place at all times in order to rapidly respond to seen and unforeseen data disasters. Daily redundant, remote backups guarantee 24-hour protection against disaster scenarios, including DDoS attacks.
The FinalForms web service seamlessly scales to handle indefinite loads.
Does the provider provide the School System the ability to audit the security and privacy of records?
Have the provider’s security operations been reviewed or audited by an outside group?
Does the provider comply with a security standard such as the International Organization for Standardization (ISO), the Payment Card Industry Data Security Standards (PCI DSS)?
FinalForms can provide extensive documentation regarding privacy and/or security inquiries. The FinalForms CTO responds directly, within 24 hours, to any privacy and/or security questions not answered by FinalForms personnel or included in documentation.
FinalForms has passed multiple third-party audits, including ISO and PCI Compliance.
Will “live” student data be used in non-production (e.g. test or development, training) environment?
Are these environments secure to the same standard as production data?
FinalForms provisions test databases from real student data for best results during tests and interface development. These local databases reside on secure computers and are inaccessible remotely.
What happens if your online service provider has a data breach?
Do you have the ability to perform security incident investigations or e-discovery? If not, will the provider assist you? For example, does the provider log end user, administrative and maintenance activity and are these logs available to the School System for incident investigation?
FinalForms thoroughly logs all interaction within the application and environment. Should an incident occur, FinalForms will release a statement within 24 hours. The statement would include a description including all relevant details, exposures and courses of action. Furthermore, the statement would include steps to be taken to mitigate exposures and to avoid further incidents.