2014-06-26 Joint Education Committee Meeting






Flint Waters, State Chief Information Officer




Update on the Data Security Plan Required by 2014 Laws, Chapter 125




June 26, 2014




Tony Young, Deputy Chief of Staff

Cindy Hill, State Superintendent of Public Instruction


At the request of chairmen of the the Joint Education Committee, the Wyoming Department of Enterprise Technology Services (ETS) is providing an update on activities related the data security plan required by 2014 Laws, Chapter 125.

Student Data Security Update:

...the state superintendent and the department of enterprise technology services shall develop a data security plan that includes:

(A) Guidelines for authorizing access to student data, including authentication of authorized access;

(B) Privacy compliance standards;

(C) Privacy and security audits;

(D) Breach planning, notification and procedures pertaining thereto;

(E) Data retention and disposition policies;

(F) Data security policies including electronic, physical and administrative safeguards such as data encryption and employee training;

(G) Routine and ongoing compliance with the federal Family Educational Rights and Privacy Act (FERPA) and other privacy laws and policies;

(H) Prohibition of the sale of student data to private entities or organizations; and

(J) All personally identifiable student information being reported to the department of education or the department of enterprise technology by a student's Wyoming student record identification and locator number as issued by the department of education.

  • A Collaborative Workgroup was created on March 13, 2014 that meets weekly and includes the following ETS members:

    • Enterprise Security Architect

    • Enterprise Education Architect

    • Enterprise System Architect

    • IT Governance Program Coordinator

  • ETS has provided the following documentation:

    • 03/21/2014 - High Level Security Documentation Schedule (Item F above)

    • 03/22/2014 - Privacy Impact Assessment Outline (Items C and D above)

    • 05/07/2014 - Data Sharing MOU Rubric - This document provides the requirements as determined by ETS to ensure compliance with FERPA in any future data sharing agreements. (Items E, D and G above)

  • ETS is working on providing the clear language version of the baseline security requirements for WDE and other agencies by the end of July, 2014. (Item F above)

  • ETS does not collect any student data from the school districts, personally identifiable or anonymous. (Item J above)

  • ETS is participating in the Task Force on Digital Information Privacy as directed by the 2014 Legislature.

  • It is important to note technology can assist in enforcing student security and privacy requirements, but the determination of those requirements, beyond items common to all IT users, is determined by the WDE and the Legislature.

The process moving forward:

  • ETS provides clear language explaining the baseline security requirements for all agencies related to data at rest and in transit.

  • Data at rest is data sitting on a storage device somewhere.

  • Data in transit pertains to data as it is traveling across a network.

  • ETS provides minimum privacy and security requirements for data sharing agreements.

  • Agency reviews business requirements based on statute, case law, Federal and State mandates and other impacting factors as determined by the specific business.

  • Agency provides business requirements as finalized by the agency to ETS for consideration.

    • If ETS provides the services in compliance with the requirements, ETS will establish a schedule to implement the requirements.

    • If ETS does not provide the services meeting the requirements, the Agency can contract with external sources to meet these requirements.

  • Agency should periodically verify the compliance with their business requirements through independent audits by competent vendors and/or other personnel.