As part of a 30-day study period into its security controls, the public school district was testing new extrusion prevention software that monitors and potentially blocks anomalous outbound traffic that traditional packet-based technologies cannot detect.
Soon after logging events, such as the email exchange between the two students, administrators chose to permanently deploy Fidelis XPS, an extrusion prevention system solution from Bethesda, Md.-based Fidelis Security Systems.
"The superintendent looked at the transcript of that particular email session and said, ‘Get this thing in here as soon as possible so we could say we're doing due diligence, if nothing else,'" recalls Joseph Renard, deputy CIO of the District of Columbia Public Schools.
The 56,000-student, 10,000-faculty school system mainly depends on the software, which sits next to the network firewall, to monitor word strings that could signal improper communications taking place among students and staff.
"We've picked up incidents of staff writing [sexually explicit] things back and forth to each other," Renard says. "We consider that a misuse of resources. The network is an instructional tool and we want to treat it that way. It's an extension of the classroom."
But the district also employs the solution to track potentially dangerous disclosures of student personal information, protected under the federal Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA), Renard says. While the city controls the district's financial records, the school system is accountable for protecting the identities of its pupils.
This responsibility is further compounded by the school district's Beltway surroundings, he says. Its 143 schools and learning centers contain a number of children of congressional and embassy aides. If a data leak occurred here, it surely would not be long before federal and international lawmakers found out.
David Etue, vice president of product management at Fidelis, says safeguarding students is part of any teacher's or school administrator's job description. Their commitment to children is part of the reason they pursued such jobs in the first place, and many take notice that technology exists to help them further their nurturing efforts.
"They genuinely want to protect students," he says. "Teachers and administrators really view protecting students as a core mission of what they do as part of the education process."
While corporations typically deploy the Fidelis solution to protect intellectual property, schools should employ leak prevention software to prevent a breach that requires notification, and could cost millions, Etue says.
"It's a real budget issue," he explains. "You're D.C. public schools. You've got 50,000+ students. You could have millions of student identities in your computer. Sending out a couple of hundred thousand [breach notification] letters, that could be a significant detriment to a school system."
For schools, much of the data placed at risk is done by individuals not realizing they are violating state and federal privacy laws. Etue cites an example of a guidance counselor who was sending unencrypted plain text emails containing student records to colleges. He also knows of teachers who email student grades to themselve over using uncontrolled Webmail servers, such as Hotmail.
While much of the threat is related to this potential accidental exposure of sensitive data, a malicious insider conceivably could cash in on the much coveted teenage demographic by stealing their personal information and then selling it to marketers, Etue says.
Schools can also use the Fidelis solution to block unauthorized channels of communication. Inside corporations, that mainly means preventing data leaks over email and instant messenging (IM) systems. But for schools, the component can be used to enforce acceptable use policies by restricting students — who install a proxy connection between their home and school computers — from viewing forbidden websites.
Back in Washington, D.C., where the 52-person IT staff is comprised of only one body dedicated to security, the product's use is less expansive, Renard says. For now, the solution primarily is used to monitor email, IM and MP3 traffic for obscene content and messages that are marked "confidential" or "graphic."
For instance, the solution recently identified a staff member who emailed a classified audit report, containing the district's plans for spending grant money, to a local newspaper reporter. "As it turned out, it was not the person that everyone thought it was," Renard says. "It helped us avoid an allegation."
The district, as it awaits additional security personnel, expected to arrive in the fall, has implemented such measures as preventing teachers from saving files that contain student Social Security numbers, and restricting certain IP addresses from mailing out sensitive information.
"We would love to use [the Fidelis solution] much more than we do," Renard says. "Our problem is we only have one [security-specific] person who handles a whole lot of things."
What the rules state
Many IT security professionals likely are familiar with the Sarbanes-Oxley and Gramm-Leach-Bliley acts, but there is a lesser known federal compliance mandate that covers the protection of personal information inside educational facilities: the Family Educational Rights and Privacy Act (FERPA).
The law applies to all schools that receive funds from the U.S. Department of Education.
Among the security-related guidelines in FERPA, schools "must have written permission from the parent or eligible student in order to release any information from a student's education record," according to the U.S. Department of Education website.
There are, however, some parties who may receive student records, without pupil or parent consent, including schools to which the student is transferring and financial aid organizations.
Schools are required by FERPA to:
- Provide a student with an opportunity to review their education records within 45 days of the receipt of a request;
- Make student records available upon request of the student;
- Redact the names of other students included in the student's education records.