SQL Server auditing and compliance for FERPA

What is FERPA

The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. It gives students and their parents the right to access their education records, request to amend, and control over the record disclosure

With several exceptions, a school can disclose personal information only if it gets the signed approval of the parent or student (if over 18 years of age). FERPA rights are transferred to the student when he/she reaches the age of 18

Who has to comply with FERPA?

FERPA applies to all federally funded institutions that receive funds from the U.S. Department of Education

What is FERPA meant to ensure?

FERPA is enacted to ensure the confidentiality, integrity, and accuracy of personal student information. It also gives the right to students and their parents to obtain access to the student’s educational records, and challenge the content or release of these records to third parties

The rights that FERPA gives to students and their parents:

Ҥ 99.10 What rights exist for a parent or eligible student to inspect and review education records?
(a) Except as limited under §99.12, a parent or eligible student must be given the opportunity to inspect and review the student’s education records. This provision applies to—
(1) Any educational agency or institution; and
(2) Any State educational agency (SEA) and its components.” [1]

What is an education record?

The records that FERPA is applied to are called education records. An education record is a record:

“(1) directly related to a student; and
(2) maintained by an educational agency or institution, or by a party acting for the agency or institution
This includes any information recorded in any way including, but not limited to, handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche.” [2]

An education record is not a sole possession or private note by a school official that is not accessible to other school personnel, law enforcement or campus security records, records relating to employees, treatment/medical records, or alumni record (a record for an ex-student )

How is it FERPA compliance checked?

FERPA compliance is checked by the Family Policy Compliance Office in the U.S. Department of Education. The same Office is also in charge of processing disclosure complaints

Ҥ 99.60 What functions has the Secretary delegated to the Office and to the Office of Administrative Law Judges?
(a) For the purposes of this subpart, Office means the Family Policy Compliance Office, U.S. Department of Education.
(b) The Secretary designates the Office to:
(1) Investigate, process, and review complaints and violations under the Act and this part; and
(2) Provide technical assistance to ensure compliance with the Act and this part.“[1]

FERPA requirements don’t explicitly address IT or database security, but based on the act requirements to enforce privacy, it’s clear that the steps that can provide compliance with FERPA are:

  • Find all databases/tables containing student education records
  • Determine the permissions needed for each employee
  • Review permission settings on your SQL Server instances and correct access rights as necessary
  • Monitor the SQL Server instances and databases that contain education records
  • Analyze the reports that show database events and take action where needed

The FERPA sections that address information disclosure:

“99.32 What recordkeeping requirements exist concerning requests and disclosures?

“Disclosure means to permit access to or the release, transfer, or other communication of personally identifiable information contained in education records to any party, by any means, including oral, written, or electronic means.” [1]

ApexSQL Audit helps to:

  • Automatically monitor SQL Server instance, database, an object events to make sure compliance rules are met
  • Provide accurate and timely reports for compliance verification
  • Provide reports that identify security risks and vulnerabilities
  • Identify access to personal information and potential data leaks

Reporting

Ҥ 99.62 What information must an educational agency or institution submit to the Office?
The Office may require an educational agency or institution to submit reports, information on policies and procedures, annual notifications, training materials, and other information necessary to carry out its enforcement responsibilities under the Act or this part.” [1]

Although not specific about the reports a FERPA auditor can request for your SQL Server compliance, as the FERPA goal is to protect privacy, the reports that show access, activity, and security entities on your SQL Server are a must

ApexSQL Audit reports that cover these requests are:

The Audit settings history report shows modifications of the auditing settings along with SQL Server instances, operations types and database objects added or removed from auditing. Once the auditing is configured, it shouldn’t be changed. Any change has to be documented and proved to be in accordance with the compliance requirements

Audit settings history report in ApexSQL Audit

The Security configuration history report shows the Create, Drop, Alter, Grant, Deny, and Revoke operations executed on SQL Server users, logins and roles. Any undocumented Create, Grant and Revoke operations should be investigated, as they can lead to education records leak and compliance failure

FERPA compliance - Security Configuration History report

The Complete audit trail report shows all captured events and all data (Select, Insert, Update, Delete, Merge, and Lock table), schema (Create, Drop, Alter, and Truncate), and security (Grant, Deny, and Revoke) operations on all audited SQL Server instances. As the report shows a large number of records, the report is useful for deeper, non-daily analysis:

Complete audit trail report

The Access history report shows who and when has accessed a database object or executed code against it. If you see a user accessing the tables he/she should not, the user permissions must be investigated and denied:

Access history per application report hepls with FERPA compliance

The Permission changes report shows all activities on SQL security entities. Any unexpected permission grants should be investigated:

The Unauthorized access report shows failed login attempts by non-existent users, or using wrong passwords. Any successive failed logins should be investigated, as they indicate potential threats and hacker activity such as SQL injections and brute-force attacks:

The Unauthorized access report

The Logon activity history report shows the failed login attempts (shown also in the Unauthorized access report) and the successful logins:

To protect student records in SQL Server databases and be compliant with FERPA, you must set database security and make sure that the security settings are not changed. Any modification of the security settings, or unexpected access and activity on the tables that contain personal education records must be investigated. To identify these events, use ApexSQL Audit to audit your SQL Server instances and databases and get comprehensive and useful reports

References:
[1] U.S Government Printing Office (GPO) – The Code of Federal Regulations
[2] University of Virginia

Useful resources
U.S. Department of Education – Family Educational Rights and Privacy Act (FERPA)
NACADA The Global Community for Academic Advising – FERPA overview
National Association of Colleges and Employers – FERPA Primer: The Basics and Beyond

October 9, 2013