Successful educators in international schools are often both experts and generalists at the same time. We need to be able to do a deep dive into our subject area, while at the same time coming up for air and communicating our findings to teenagers, their parents, our colleagues, and to the wider community of practitioners.
Take Technology Directors, for instance. They have the distinction of being specialists in the jargon-filled, abstract reality that is the land of educational technology. One afternoon they could be discussing the nuances of effective workflow integrations with a keen colleague; the next morning they can be found poring over the results of a penetration test.
Meanwhile, Technology Directors also have to be generalists in the sense that they can communicate terms and concepts to stakeholders who come with varying degrees of confidence in the area. They at once work alongside fellow practitioners who are equally proficient in the underlying technology, while also reminding users of email campaigns designed to entice clicks. Like all thought leaders, they are generalists in the sense that their expertise needs to be applicable across the full range of their target audience.
At Faria Education Group, we prioritize assisting Technology Directors and their communities in the ongoing efforts to explain the nuances of cybersecurity to keen colleagues, or to increase parent confidence in the privacy of personal data. In our experience offering a broad range of integrated products, from an integrated Learning Management System to Admissions + CRM and a School-to-Home management suite, we have depended on a strong feedback cycle to inform our product release schedule. Mastery depends on a vibrant discussion.
Together, we can break down the dizzying array of questions surrounding cybersecurity and privacy. What standards are there that set the groundwork for discussing these technologies? Is it the provider or the school who ultimately controls the data? What are the relevant regulations that apply to your school? Do you have a plan in case of a crisis? We can arrive at these answers by ensuring Technology Directors, school leadership, and providers share common knowledge.
For Tech Directors working in an educational context, conversations about compliance with objective standards of cybersecurity start with the terminology and definitions provided by the ISO/IEC 27000 series of documents.
Just as a curriculum provides the terms and definitions of a subject group, organizations that fully register with these standards are committed to using these objective definitions of terms. That means that it is abundantly clear, for example, how access controls provide for permissions in any system. Instead of getting tangled in semantics in internal deliberations, educational institutions up and down the stack can be singing from the same hymn sheet.
It is also how we know the data is secure, because this international standard spells out “information security” itself — found in 3.28 of the standard — as the “preservation of confidentiality, integrity, and availability of information.” In case anyone thinks the definition itself could use more clarification, that section is embedded with no less than six links to the very concepts it mentions!
Faria publicly reaffirms its adherence — with annual renewals — and the concepts apply throughout. Just as a curriculum and the accompanying accreditation for an international school cement a school’s mission, these standards and processes define objectives and drive compliance. As the document itself states, “[it] gives confidence to interested parties that risks are adequately managed.”
Faria’s gamut of cloud-based services, like those of all SaaS providers, readily transmits personally identifying information throughout the day. For those who may have doubts about how secure those transmissions are, what can Tech Directors say that helps to reassure them?
In the modern infrastructure, the use of HTTPS throughout is a must. Browsers have recently become more verbose about displaying certificates with locks, and rightfully make it harder for users to surf the web without this encryption standard firmly in place. The gold standard for encryption is end-to-end, meaning that there are no back doors — not even available to the company — for someone to eavesdrop and see the data being transmitted.
In Faria’s case, the public guarantee, among others, is that “all data between your computer and our systems is encrypted end-to-end with SSL by default.” Without having to discuss man-in-the-middle attacks, or delve into hashing algorithms, what this means is that only the source and target can actually see the data in its “plain text” form. Even if someone does try to hijack the data stream, which may be rich in personally identifying information, all they would see is gobbledygook.
Schools as the controller
With the advent of sweeping legislation calling for data to be carefully orchestrated by data regions, some may be wondering what this means to a classroom practitioner. Software companies clearly have a need to be able to access the information to build a decent product, but aren’t we limiting what we share?
An often overlooked concept, among those who may not be as steeped in the industry, is that GDPR legislation makes it explicit that sharing is done with intention and for clear purposes. It defines boundaries by defining roles, and it is the school as an organization that is the “controller” and other SaaS companies that are the processors.
The core idea behind GDPR that Tech Directors and those using Faria products can rely on is that the school is in the driver’s seat regarding what can be shared, given that the purpose is relevant and defined. So, while schools are ill-advised to email all parents an attachment with everyone’s activity sign-ups, it might make perfect sense to send this to a consultant who is building a report mechanism. The reason is that, in the former, there is no purpose for sending sign-up information to the entire community in a format that is easily forwarded. In the latter, the consultant has an interest in keeping the data private, and a contract that explicitly discusses how the data is handled.
It is the school’s role to bequeath to the processor the authority to have the data. At Faria and other cloud-based providers, it is best to be as explicit as possible about this relationship.
A sad reality is that data breaches do occur. We are at times inundated with news reports about credit cards being stolen, or notifications about passwords that have been leaked. When fears are raised, it is important the Tech Director can point to transparent crisis management procedures that are in place in case clients need to be informed of security issues.
Cloud-based services, including Faria, need to inform clients ahead of time about the process that will be put into place should the unexpected happen. That way, a sequence is observed and followed, hastening communications and ensuring protective efforts can be enacted.
Nonetheless, the best strategy to prevent disaster is mitigation, for which Tech Directors are the point of contact in a school setting. A key strategy here is to deploy Single Sign-on services throughout the infrastructure, relying on proven technologies built over years of experience. Faria — given our range of products, integration partners, and services — provides an Accounts Portal service which protects users and is a key solution to a school’s mitigation efforts.
Explicit is better than implicit
In computer science, being explicit means not hiding the magic: Spell it out, cleanly and plainly. This philosophy directly applies when it comes to cybersecurity and privacy. For example, at Faria we publish an extensive guide to cybersecurity and privacy in plain sight, so there is no doubt about our commitment to these standards. Each one of our platforms has every significant detail about privacy as well. Transparency always wins over obscurity.
Technology Directors, meanwhile, are the linchpin between our own efforts such as those above and the concurrent effort by schools to hone best practices in technology and pedagogy. Their raison d'être requires them to remain up-to-date with upcoming developments while also remaining immersed in implementation details. That is why we at Faria launched our professional networking and development opportunity to engage the tech director community in mutually beneficial partnerships. In collaboration with other key members of the international educational technology community, our mutual effort leads us to a feature-rich infrastructure that people can trust.