Dara Security

FERPA

Background

No statute affects educational institutions more, yet is understood less, than the Family Educational Rights and Privacy Act, or FERPA.  FERPA is the primary federal law that regulates how an educational institution handles student records.  FERPA applies to all student records, whether they are in paper or electronic form.  Institutions commonly have a compliance officer or legal counsel to advise on when it is appropriate to share student records.  However, there is typically no one to advise educational institutions on how to prevent unauthorized access to that data, or on how to respond if an unauthorized disclosure occurs.


Privacy Statute

FERPA is a privacy statute, not a data protection statute: it is quite specific about when student data may be disclosed, but not about how that data must be protected.  Unlike data protection regimes such as PCI DSS, HIPAA, and state data protection acts, FERPA does not hold educational institutions to specific measures to protect data from disclosure.  Instead, FERPA simply encourages an institution to take steps and implement measures to mitigate risk.  In other words, an institution can select physical, technological, and administrative controls to prevent unauthorized access to education records.  However, the specific risks to guard against are typically not known.  As a result, an educational institution may be spending money in the wrong areas while leaving itself exposed to disclosure in others.


Holistic Risk Assessment

To quickly identify these areas of potential exposure and firmly establish a plan for compliance, Dara Security created a Holistic Risk Assessment.  Based on years of experience assessing entire security programs, Dara Security has developed a suite of offerings around its risk equation to help clients understand where they truly stand in terms of security risk.

    Our Framework provides clients with a true assessment of their security risk
    A Risk Assessment can help identify exposure points and provide guidance on addressing them

A Risk Assessment provides an organization with a holistic view of its information security risks and a framework for maintaining security.  This gives security much greater visibility among executive leadership and places security risks in their proper business context.


How We Can Help

Dara Security team members are experts in understanding both the technical aspects and the business components of an organization.  Our team members have extensive expertise with a wide variety of Risk Assessment methodologies, including FAIR, OCTAVE, NIST, and ISO 27005.  We also have years of experience performing HIPAA, PCI, ISO 27002, and many other control assessments, and we align our vulnerability ratings with the CVSS scoring system.