ITR004 – Digital Identity Information Sharing Rule

PurposeThis document specifies Lincoln Public Schools’ methods of identity-information sharing with outside organizations. It also specifies methods to provision user access to services provided by operators of the service.

Prior to providing sensitive or confidential information to an outside organization, permission must be given by the data owner at Lincoln Public Schools and the Data Services Coordinator.

The methods specified in this document are to be used when integrating with external services if at all possible. If the specified methods are not used, a waiver will be required from the CTO/ISO, which is intended to allow the outside organization time to comply with Lincoln Public Schools’ preferred methods. A waiver of requirements is temporary, and is not a permanent license to operate outside of standards.

Approved Identity Information Sharing Methods

Common Parameters

The minimum amount of data required should be sent to outside organizations.

Data must be encrypted in transit using standard protocols such as https and sftp. If the information classification requires the data to be encrypted at rest on Lincoln Public Schools’ systems, the data must be encrypted at rest on the outside organization’s systems. Applications that require student data to be accessed, processed, or stored by an outside organization must go through the ITT approval process.

SAML Assertions

Data may be passed to outside organizations through SAML assertions using Lincoln Public Schools’ identity provider.

Google API

Identity information may be passed to outside organizations via an information exchange authorized via the Google API. This allows individual users to authorize their information to be sent to an outside organization or, in some cases, for the district to authorize this access at the Google Domain level.

Clever

Lincoln Public Schools has integrated with Clever to act as a repository for class rostering data. This allows Clever to act as an authorized access point for the exchange of rostering data with outside organizations that use their data exchange model.

Active Directory

Some applications can integrate directly with Lincoln Public Schools’ Active Directory. This integration should be used only with applications that have on premise installations, as the amount of data that can be accessed with this method is difficult to control.

Direct Data Transfer

In some cases, the only available method of information sharing is through a specially crafted data file extracted from Lincoln Public Schools’ SIS or HRIS. Computing Services is solely authorized to extract data for this use and instantiate/maintain transfers of these data. Data must be encrypted in transit. If the information exchange is to be ongoing, the process must be able to be entirely scripted.

Other

In rare cases, another method not listed here may be required. Generally, any variance from the listed options will require a waiver. However, other data sharing may be authorized at the sole discretion of the CTO/ISO if extraordinary circumstances exist.

Approved Authentication/Authorization Methods

Common Parameters

All authentication must be controlled by Lincoln Public Schools. This ensures that access to services begins and ends according to account management parameters. All accounts must be assigned to an individual and not shared. An exception to both of the above provisions is made for service administration accounts, which frequently are locally provisioned for an application.

It is never acceptable to duplicate password information to outside organizations; e.g. hand-entering or sending a spreadsheet of student IDs and passwords. All authentication must take place through encrypted connections.

SAML Assertions

Authentication and authorization information may be passed to outside organizations through SAML assertions using Lincoln Public Schools’ identity provider.

Google API

Authentication and authorization information may be passed to outside organizations through information authorized via the Google API.  Lincoln Public Schools users sign in to Google Apps by using the district’s SAML identity provider.

Clever

Clever can act to provide authentication and authorization information to outside organizations. Lincoln Public Schools users sign in to Clever by using the district’s SAML identity provider.

Active Directory

Authentication and authorization can be performed directly with Lincoln Public Schools’ Active Directory. This should be used exclusively by applications operated on premise.

Other

In rare cases, another method not listed here may be required. Generally, any variance from the listed options will require a waiver. However, other authentication and authorization methods may be authorized at the sole discretion of the CTO/ISO if extraordinary circumstances exist.

What does this mean to me?

LPS has processes in place for integrating data with other companies. This is usually done so that user accounts can be created in tools that are used by LPS staff and students. For example, think of tools like Google Docs, Hapara, Reading Wonders, Go Math, etc. In these situations, an agreement is signed that identifies the lengths a vendor will go to to protect our sensitive user data. LPS will not send any more user data to outside organizations than is absolutely necessary, and that data will be encrypted when being shared.

All account names and passwords must be controlled by Lincoln Public Schools, and no accounts may be shared between users.