What is FERPA?

The Family Educational Rights and Privacy Act (FERPA) of 1974 (20 U.S.C. § 1232g; 34 CFR Part 99) is a U.S. federal privacy law that enables parents and eligible students to inspect and review education records, seek to have them amended, and have certain types of control over the disclosure of personally identifiable information from the records.

FERPA Regulations

FERPA applies to all educational agencies and institutions that receive federal funds from the U.S. Department of Education, and FERPA law prohibits the disclosure of personally identifiable information in students' education records. The Family Policy Compliance Office (FPCO) administers FERPA compliance by reviewing and investigating complaints of FERPA violations based on 34 CFR Part 99. Failure to comply with FERPA regulations may result in termination of federal funding.

Capabilities of Netwrix Auditor

Ensure strong data security and prove your adherence to FERPA regulations with Netwrix Auditor

To maintain a FERPA-compliant IT environment, educational agencies and institutions must implement physical, technological and administrative controls to protect students' education records. Netwrix Auditor helps prove technological controls are in place and delivers visibility into all activity in the hybrid cloud IT infrastructure, enabling your organization to meet FERPA requirements and pass FERPA compliance audits.

Control access to education records to guard students' privacy

Get complete visibility into who has permissions to access files and folders with education records and who actually uses these permissions in order to comply with FERPA policy.

Prove your FERPA compliance with out-of-the-box reports

Use predefined compliance reports mapped to the specific FERPA requirements as evidence to prove that appropriate security controls are in place.

Investigate suspicious data access attempts that may violate FERPA law

When questions about access to education records go beyond the predefined reports, use the Interactive Search feature to dig deeper into the incident and determine how you can prevent FERPA violations in the future.

Securely preserve audit trail for as long as required for FERPA compliance

Safely keep your audit trail in two-tiered storage for as long as needed and use it to prove your history of compliance with FERPA privacy regulations.

See which FERPA compliance requirements Netwrix Auditor helps you meet

Although the U.S. Department of Education enforces the regulations listed in the FERPA law (34 CFR part 99), it doesn't provide any specific framework for securing students' education records against disclosure. Instead, it's recommended that each educational agency or institution should develop its own model based on a generally accepted IT framework such as ISO, COBIT 5 or NIST.

By delivering complete visibility into what's going on in the IT infrastructure, Netwrix Auditor helps educational agencies, institutions, and state and local educational agencies establish proper audit controls in line with the following FERPA guidelines in 34 CFR Part 99 Subpart D:

FERPA Requirements for Educational Agencies or Institutions

§ 99.31 (a)(ii)

"An educational agency or institution must use reasonable methods to ensure that school officials obtain access to only those education records in which they have legitimate educational interests..."

Netwrix Auditor capabilities:

  • Provides cross-system visibility into all user activity, including access to information systems where education records are stored. Dashboards deliver high-level overviews of which users perform suspicious actions, what systems are affected most, how often files containing students' personally identifiable information are changed, and how often group membership changes are made that could affect access to that information.
  • Includes predefined audit reports showing all access events, including who has access to what files and folders, when and where each access attempt occurred, and who tried to access data without any legitimate educational interest — ensuring no unauthorized access takes place and privacy regulations are being followed.
  • Facilitates access control over all user access rights and file and folder permissions by enabling you to review state-in-time reports and make sure your security policy is not violated.
  • Helps you keep an eye on how permissions are granted with detailed reports on all changes to permissions or reports on effective permissions for infrequently accessed files and folders with sensitive data, and be continuously compliant with FERPA guidelines. You can run these reports on demand or schedule them to be generated and delivered automatically so you can stay on top of access rights.
  • Utilize file analysis reports provided by Netwrix Auditor to further lock down students' education records by detecting excessive access rights, stale data and duplicate files, and ensure conformance with all relevant privacy regulations.

§ 99.31 (c)

"An educational agency or institution must use reasonable methods to identify and authenticate the identity of parents, students, school officials, and any other parties to whom the agency or institution discloses personally identifiable information from education records."

Netwrix Auditor capabilities:

  • Reports on user account creation and deletion, password resets, and changes to group memberships.
  • Provides customizable alerts on critical changes to Active Directory sent via email and enables you to subscribe to specific reports and have them delivered to your mailbox according to the schedule you set.
  • Helps you detect insider threats and prevent data exfiltration by tracking and reporting on how access rights were assigned, current and historical group membership, changes to group membership and permissions, and data access attempts — enabling you to proactively protect data in accordance with FERPA requirements.

§ 99.32 (a)(1)

"An educational agency or institution must maintain a record of each request for access to and each disclosure of personally identifiable information from the education records of each student..."

Netwrix Auditor capabilities:

  • Ensures that your audit trail is continuously collected, consolidated and archived in a reliable two-tiered AuditArchive™. The storage securely keeps important audit information about all change and access events occurring within the IT environment for as long as required and enables easy access to it at any time for security investigations and proof of compliance.
  • Empowers you with security analytics that help you promptly spot anomalies in user behavior and investigate threat patterns at early stages of a potential threat.

FERPA Requirements for State or Local Educational Authorities or Agencies

§ 99.35 (a)(2)

"The State or local educational authority or agency headed by an official listed in §99.31(a)(3) is responsible for using reasonable methods to ensure to the greatest extent practicable that any entity or individual designated as its authorized representative — (v) Establish policies and procedures ... to protect personally identifiable information from education records from further disclosure (except back to the disclosing entity) and unauthorized use..."

Netwrix Auditor capabilities:

  • Helps you ensure the traceability of all data access to individual users by providing lists of all user accounts with current or historical permissions granted on files and folders (directly or through group membership). This capability enables you to keep tabs on current and past group membership, see object permissions granted to user accounts, review excessive access permissions and more — helping you to ensure your security controls are fully aligned with FERPA compliance standards.
  • Delivers full-featured auditing and reporting that provide complete visibility into all user access rights and permissions to files and folders with education records across all audited systems in the IT environment, enabling you to quickly spot unauthorized access to data. Pre-configured audit reports, alerts on critical changes, dashboards and the interactive audit data search capability deliver actionable intelligence with who-what-when details on everything going on in your IT environment.
  • Audits all file activity, including both successful and failed attempts to access files containing education records, so you can keep an eye on who has access to what files and folders and mitigate the risk of data exfiltration.
  • Keeps audit records for as long as necessary in the two-tiered storage and lets you access the audit trail at any time to quickly reconstruct access attempts and other activities upon request.
  • Captures the screen activity of privileged users and enables you to search and replay the recordings to determine what actions were performed and verify during FERPA compliance audits that data was used in accordance with existing policies.

Please note that Netwrix Auditor can facilitate the ongoing evaluation of security controls in addition to those listed above, helping you achieve continuous compliance with the security provisions of other regulations.

Educational institutions and agencies of all sizes rely on Netwrix Auditor to protect education records and prove FERPA compliance

"With the granular control over Active Directory changes provided by Netwrix Auditor, we can now make sure that nobody is giving any privileges that weren't meant to be given, and no one is making changes that could potentially compromise our IT infrastructure."

Jeff Gardea,

Systems Administrator,

Soka University of America