{"id":13026,"date":"2018-08-12T13:32:07","date_gmt":"2018-08-12T18:32:07","guid":{"rendered":"http:\/\/home.lps.org\/cs2\/?page_id=13026"},"modified":"2019-09-09T15:31:37","modified_gmt":"2019-09-09T20:31:37","slug":"itr004","status":"publish","type":"page","link":"https:\/\/home.lps.org\/cs\/itr004\/","title":{"rendered":"ITR004 &#8211; Digital Identity Information Sharing Rule"},"content":{"rendered":"<div class=\"row\">\n<h1>ITR004 &#8211; Digital Identity Information Sharing Rule<\/h1>\n<div class=\"columns large-8 medium-8 small-12\">\n<p><b>Purpose<\/b><\/p>\n<p>This document specifies Lincoln Public Schools\u2019 methods of sharing identity information with outside organizations. It also specifies the methods used to provision user access to services operated by those organizations.<\/p>\n<p>Before sensitive or confidential information is provided to an outside organization, permission must be given by the data owner at Lincoln Public Schools and by the Data Services Coordinator.<\/p>\n<p>The methods specified in this document are to be used whenever possible when integrating with external services. If the specified methods are not used, a waiver is required from the CTO\/ISO. A waiver is intended to give the outside organization time to comply with Lincoln Public Schools\u2019 preferred methods; it is temporary and is not a permanent license to operate outside of these standards.<\/p>\n<h4><b>Approved Identity Information Sharing Methods<\/b><\/h4>\n<p><b>Common Parameters<\/b><\/p>\n<p>Only the minimum amount of data required by the service should be sent to outside organizations.<\/p>\n<p>Data must be encrypted in transit using standard protocols such as HTTPS and SFTP. If the information classification requires the data to be encrypted at rest on Lincoln Public Schools\u2019 systems, the data must also be encrypted at rest on the outside organization\u2019s systems. 
Applications that require student data to be accessed, processed, or stored by an outside organization must go through the ITT approval process.<\/p>\n<p><b>SAML Assertions<\/b><\/p>\n<p>Data may be passed to outside organizations through SAML assertions issued by Lincoln Public Schools\u2019 identity provider.<\/p>\n<p><b>Google API<\/b><\/p>\n<p>Identity information may be passed to outside organizations through an information exchange authorized via the Google API. This allows individual users to authorize their own information to be sent to an outside organization or, in some cases, allows the district to authorize this access at the Google domain level.<\/p>\n<p><b>Clever<\/b><\/p>\n<p>Lincoln Public Schools has integrated with Clever to act as a repository for class rostering data. This allows Clever to act as an authorized access point for the exchange of rostering data with outside organizations that use Clever\u2019s data exchange model.<\/p>\n<p><b>Active Directory<\/b><\/p>\n<p>Some applications can integrate directly with Lincoln Public Schools\u2019 Active Directory. This integration should be used only with applications installed on premises, because the amount of directory data that can be accessed with this method is difficult to control.<\/p>\n<p><b>Direct Data Transfer<\/b><\/p>\n<p>In some cases, the only available method of information sharing is a specially crafted data file extracted from Lincoln Public Schools\u2019 SIS or HRIS. Computing Services is solely authorized to extract data for this use and to set up and maintain transfers of these data. Data must be encrypted in transit. If the information exchange is to be ongoing, the process must be capable of being entirely scripted.<\/p>\n<p><b>Other<\/b><\/p>\n<p>In rare cases, another method not listed here may be required. Generally, any variance from the listed options will require a waiver. 
However, other data sharing may be authorized at the sole discretion of the CTO\/ISO if extraordinary circumstances exist.<\/p>\n<h4><b>Approved Authentication\/Authorization Methods<\/b><\/h4>\n<p><b>Common Parameters<\/b><\/p>\n<p>All authentication must be controlled by Lincoln Public Schools. This ensures that access to services begins and ends according to the district\u2019s account management parameters. All accounts must be assigned to an individual and must not be shared. An exception to both of the above provisions is made for service administration accounts, which are frequently provisioned locally within an application.<\/p>\n<p>It is never acceptable to duplicate password information to outside organizations, for example by hand-entering passwords or by sending a spreadsheet of student IDs and passwords. All authentication must take place over encrypted connections.<\/p>\n<p><b>SAML Assertions<\/b><\/p>\n<p>Authentication and authorization information may be passed to outside organizations through SAML assertions issued by Lincoln Public Schools\u2019 identity provider.<\/p>\n<p><b>Google API<\/b><\/p>\n<p>Authentication and authorization information may be passed to outside organizations through access authorized via the Google API. Lincoln Public Schools users sign in to Google Apps using the district\u2019s SAML identity provider.<\/p>\n<p><b>Clever<\/b><\/p>\n<p>Clever can provide authentication and authorization information to outside organizations. Lincoln Public Schools users sign in to Clever using the district\u2019s SAML identity provider.<\/p>\n<p><b>Active Directory<\/b><\/p>\n<p>Authentication and authorization can be performed directly against Lincoln Public Schools\u2019 Active Directory. This should be used exclusively by applications operated on premises.<\/p>\n<p><b>Other<\/b><\/p>\n<p>In rare cases, another method not listed here may be required. Generally, any variance from the listed options will require a waiver. 
However, other authentication and authorization methods may be authorized at the sole discretion of the CTO\/ISO if extraordinary circumstances exist.<\/p>\n<\/div>\n<div class=\"columns large-4 medium-4 small-12\">\n<div class=\"panel\">\n<h2><b>What does this mean to me?<\/b><\/h2>\n<p>LPS has processes in place for integrating data with other companies. This is usually done so that user accounts can be created in tools used by LPS staff and students, such as Google Docs, Hapara, Reading Wonders, and Go Math. In these situations, an agreement is signed that identifies the lengths to which a vendor will go to protect our sensitive user data. LPS will not send any more user data to outside organizations than is absolutely necessary, and that data will be encrypted when it is shared.<\/p>\n<p>All account names and passwords must be controlled by Lincoln Public Schools, and no accounts may be shared between users.<\/p>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"author":13,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"elementor_header_footer","meta":{"footnotes":""},"class_list":["post-13026","page","type-page","status-publish","hentry"],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/home.lps.org\/cs\/wp-json\/wp\/v2\/pages\/13026","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/home.lps.org\/cs\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/home.lps.org\/cs\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/home.lps.org\/cs\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/home.lps.org\/cs\/wp-json\/wp\/v2\/comments?post=13026"}],"version-history":[{"count":12,"href":"https:\/\/home.lps.org\/cs\/wp-json\/wp\/v2\/pages\/13026\/revisions"}],"predecessor-version":[{"id":15692,"href":"https:\/\/home.lps.org\/cs\/wp-json\/wp\/v2\/pages\/13026\/revisions\/15692"}],"wp:attachment":[{"href":"https:\/\/home.lps.org\/cs\/wp-json\/wp\/v2\/media?parent=13026"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}