WeBWorK Main Forum

FERPA compliance, protection of student data

by Jan Hlavacek -
Number of replies: 2
Last winter I obtained a grant for a WeBWorK server here at Saginaw Valley State University. Since then I have been struggling to get the server in place. Now our administration is concerned about FERPA compliance and privacy issues. I was planning to host the server at a cloud provider such as AWS, since apparently there is no way to have the server hosted on campus and have it accessible from outside of the firewall at the same time (according to our IT services).

The administration wants me to come up with some information on how other universities protect their student information on WeBWorK. This is a request for such information:

Does anybody use a hosting provider such as AWS to host their WeBWorK server?

Do you have some sort of security/privacy plan document that you could share with me, that I could provide to our IT and administration?

I will also be thankful for any other advice on this.

Thank you very much.
In reply to Jan Hlavacek

Re: FERPA compliance, protection of student data

by Jeffrey Adler -
We host a WW server on campus. In order to access it from off campus, one must set up a VPN connection to campus. Is this something that your IT sources don't think can be done locally?

Our setup is painless most of the time, but...
  1. It's one more thing that could fail, and
  2. No matter how many times we tell students that they need a VPN connection when they're using WW from off campus, we still will get at least two panicked e-mails during the semester from students who have forgotten, and who think that the WW server is down. Indeed, many students assume that they will never use WW off campus, and so have no incentive to remember.

I'm not aware of any other school that does things this way, and I wish I could convince our IT people not to require VPN. But such a setup might solve your problem.
In reply to Jan Hlavacek

Re: FERPA compliance, protection of student data

by Andras Balogh -
I think it is not an easy task to provide a security/privacy plan. One thing is the WeBWorK application, and the other is that data is stored on an outside server. 
We had our own departmental server a long time ago, and it was not taken away, but was taken under IT control on a virtual server. There was a discussion about whether or not they had capacity (manpower, and even electricity, since initially they were going to house all "confiscated" servers on individual machines in a large room).

The whole thing turned out to be great, because we don't have to deal with hardware and OS issues anymore. I still update the problem libraries and the application, and set up the courses myself, but IT has a Linux expert who deals with the server part and with the OS.

IT security (which is separate from IT) was willing to open up the firewall only after a long and frustrating security testing cycle, and I had to contact WeBWorK developers several times to get advice or modifications that IT security finally did not flag for vulnerabilities. I guess it is a continuous struggle with security. (For example, we had hundreds of false-positive vulnerabilities, when for nonexistent links WeBWorK returned an OK status along with the error messages.)

I don't know if there is any IT nowadays with no Linux expert. Otherwise it is hard to argue why they would not support one more server with an application which is clearly educational, free software, developed through grants from NSF, has numerous awards, and which a huge number of universities are using. Universities have several servers with FERPA compliance; IT takes care of it. Here is one more to take care of, and to do their job.

Try to go through the chair, dean and provost, explaining to them how great this is and how much money this will save students.

Be nice to IT people, and especially IT security, no matter how frustrating it is.