FERPA Compliance Program

Issue/Question

How does USD manage FERPA compliance

Environment

  • FERPA
  • Compliance
  • DLP
  • Student Records
  • Data Governance

Cause

Required compliance

Resolution

USD STAFF ONLY

FERPA Compliance Program – University of South Dakota (USD)

Overview

The Family Educational Rights and Privacy Act (FERPA) establishes federal requirements for the protection of student education records and grants students specific rights regarding their information.

The University of South Dakota (USD) is subject to FERPA as an institution receiving federal funding and maintaining student education records across academic, administrative, and support systems.

USD is committed to protecting student data and ensuring compliance through data governance, access controls, training, and monitoring practices.


FERPA Governance and Oversight
  • FERPA Compliance Officer: Jennifer Thompson
  • Institutional Oversight: Office of the Registrar, University Counsel, and IT Security
  • Data Governance Oversight: CISO and USD Data Governance Steering Committee
  • Regulatory Oversight: U.S. Department of Education

USD enforces FERPA compliance through institutional policy, technical safeguards, and operational procedures aligned with broader security and privacy frameworks.


FERPA Compliance Status by Requirement

USD has implemented administrative, technical, and physical safeguards to ensure the confidentiality and appropriate use of student education records.

 

  1. Student Rights (Access and Control of Records)
    • Requirement: Students have the right to access, review, and request amendment of their education records
    • USD Status: ✅ Compliant
      • USD provides annual notification to students regarding their rights under FERPA
      • Notification includes procedures for:
      • Inspecting and reviewing education records
      • Requesting amendment of inaccurate or misleading records
      • Requests are managed through established Registrar processes
  2. Consent for Disclosure of Education Records
    • Requirement: Written student consent is required before disclosing education records (with specific exceptions)​​​​​​​
    • USD Status: ✅ Compliant
      • Policies enforce consent requirements prior to disclosure​​​​​​​
      • FERPA exceptions (e.g., school officials with legitimate educational interest) are defined and controlled
      • Institutional policy clearly defines the term “school official” and associated access criteria​​​​​​​
  3. Directory Information Management
    • Requirement: Institutions may designate certain information as “directory information” with opt-out options​​​​​​​
    • USD Status: ✅ Compliant
      • USD defines directory information in accordance with FERPA guidelines
      • Students are provided the ability to opt out of directory information disclosure
      • A confidentiality request form is available to restrict directory information sharing
      • Controls are in place to enforce suppression of directory information where requested
  4. Access Control and Least Privilege
    • Requirement: Limit access to education records to authorized individuals​​​​​​​
    • USD Status: ✅ Compliant
      • Role-based access controls are implemented across systems
      • Identity and access management enforced via Microsoft Entra ID​​​​​​​
      • Multi-factor authentication (MFA) and Conditional Access policies are in place
      • Access is granted based on legitimate educational interest
  5. Data Protection and Classification
    • Requirement: Protect education records from unauthorized access or disclosure​​​​​​​
    • USD Status: ✅ Compliant
      • Data classification framework implemented (Public, Internal, Restricted)
      • Student education records are classified and protected as sensitive data
      • Data Loss Prevention (DLP) policies enforced through Microsoft Purview
      • Secure sharing is enforced through approved platforms (Teams, SharePoint)
  6. Audit Controls and Monitoring
    • Requirement: Monitor access to and use of education records​​​​​​​
    • USD Status: ✅ Compliant
      • ​​​​​​​Centralized logging via Microsoft Sentinel
      • Monitoring and alerting supported by Red Canary MDR
      • Audit logs are retained and reviewed for suspicious or unauthorized activity​​​​​​​
  7. Workforce Training and Awareness
    • Requirement: Ensure personnel understand FERPA responsibilities​​​​​​​
    • USD Status: ✅ Compliant
      • FERPA training is required for faculty, staff, and applicable student workers
      • Training is provided upon onboarding and reinforced regularly
      • Security awareness training supported by KnowBe4
  8. Third-Party and Service Provider Management
    • Requirement: Ensure vendors handling education records comply with FERPA
    • USD Status: ✅ Compliant
      • ​​​​​​​Vendor risk management processes are in place
      • Contracts include data protection and confidentiality requirements
      • Third-party access is limited and monitored
      • Alignment with CIS Control 15 (Service Provider Management)
  9. Incident Response and Data Breach Handling
    • Requirement: Respond to and manage unauthorized disclosures​​​​​​​
    • USD Status: ✅ Compliant
      • Incident response program aligned with institutional and regulatory requirements
      • Security monitoring and response supported by Microsoft Sentinel and Red Canary
      • Established procedures for investigation, containment, and notification
  10. Records Management and Data Minimization
    • Requirement: Maintain appropriate retention and limit unnecessary data exposure​​​​​​​
    • USD Status: ✅ Compliant
      • Data retention policies are defined and enforced
      • Access to historical records is controlled
      • Data minimization practices are applied across systems

Integration with Data Governance Program

FERPA compliance at USD is tightly integrated with the university’s Data Governance Program:

  • Data stewards are assigned across functional domains (Admissions, Registrar, Financial Aid, etc.)
  • Data classification and labeling enforced via Microsoft Purview
  • Policies include:
    • Data Classification Policy
    • Information Security and Data Responsibilities Policy

This ensures FERPA compliance is operationalized across the institution, not isolated to individual departments.


Integration with Cybersecurity Frameworks

USD leverages industry-standard frameworks to strengthen FERPA compliance:

  • CIS Critical Security Controls (v8.1) – Operational cybersecurity baseline
  • NIST Cybersecurity Framework (CSF) – Risk management alignment
  • Microsoft Security Stack – Identity, endpoint, and data protection

This layered approach ensures FERPA protections are enforced through both policy and technology.


Continuous Improvement

USD recognizes FERPA compliance as an ongoing process requiring coordination across academic, administrative, and IT functions.

  • Ongoing efforts include:
    • Enhancing data classification and labeling coverage
    • Expanding monitoring and audit capabilities
    • Strengthening vendor and SaaS oversight
    • Aligning FERPA with broader data governance and AI governance initiatives

Summary

The University of South Dakota:

  • ✅ Provides annual FERPA notifications and clearly defined student rights
  • ✅ Enables student control over records and directory information disclosure
  • ✅ Implements strong identity, monitoring, and data protection controls
  • ✅ Trains faculty, staff, and student workers on FERPA responsibilities
  • ✅ Integrates FERPA into enterprise data governance and security programs
Print Article