Learning Analytics Documentation

Learning Analytics Security FAQs version 1.1

This document answers frequently asked questions relating to the technical and organisational security measures for the Learning Analytics Service. It is intended to help organisations complete internal security assessment processes.

The document will be updated as new questions arise.

1. Service Overview

1.1 Describe the system or service to be acquired.

Learning Data Hub (previously called the Learning Records Warehouse): the core service to receive and store data required for learning analytics in a standard format. It is based on the open source LearningLocker, developed by HT2 Labs. HT2 Labs are contracted by Jisc to provide this service, which is hosted in Amazon Web Services.

Data Explorer: a tool to view student learning analytics data held in the Learning Data Hub component, developed by Jisc. The service is hosted by Jisc in AWS.

OpenLAP: an optional tool which made predictions of student success, based on data in the Learning Data Hub. This was based on an open source solution, managed by the Apereo Foundation. Core contributors were Unicon and Marist College. The service is now deprecated.

Learning Analytics Predictor: an optional tool which will make predictions of student success, based on data in the Learning Data Hub. This has been developed, and is hosted by, Jisc.

Student Insight: an optional tool which will make predictions of student success, based on data in the Learning Data Hub. This is a commercial solution managed and hosted by Tribal.

Study Goal: an optional mobile app to view and collect student learning analytics data, aimed at students, developed by TherapyBox and Jisc. The service is hosted by Jisc in AWS.

1.2 What is the Supplier name?

Jisc Services Ltd

1.3 Will the project require vendor systems or services including ongoing support service (such as the provision of software/hardware infrastructure, application hosting, data storage and backup support, staffing and other IT related services)?

Support is documented in the Learning Analytics Service Agreement.

1.4 What Information Security certifications cover the service?

Jisc holds ISO 27001:2013 certification for a number of production services, and is currently extending this to cover our learning analytics service.

2: Data Protection

2.1 Does this service require the use of personal or individuals' sensitive data?

In order for the learning analytics processor to produce meaningful analysis and predictive analytics, individualised student data needs to be supplied to Jisc in a granular format, including student personal data (protected characteristics, demographic data etc.) and learning activity data. This is covered in the Service Agreement clause 7.2.

2.2 Will this project require the use of business sensitive and/or confidential data?

Other than 2.1, no.

2.3 Will data be shared/transmitted outside the University?

Yes

2.4 Will there be a data sharing agreement prior to sharing the data?

Data sharing with Jisc is covered by the Service Agreement. Data sharing between the institution and any third parties with whom they wish to engage should be covered in the institution's service contract with the third party.

3 General Security

3.1 Please provide a high-level diagram which shows the servers/entities involved, and the traffic flows between them.

Learning Analytics Service Data Flows

3.2 Will this system/service integrate with other University systems/services?

Yes, Jisc provides a secure process for transferring data from Virtual Learning Environments, student record systems and any other systems providing student record or activity data.

3.3 Will this system/service be accessible from the internet?

Yes, as follows:

Learning Locker Learning Data Hub: https://jiscv2.learninglocker.net

Data Explorer: https://datax.jisc.ac.uk

Study Goal: the mobile app is openly available on both the Apple and Google Play stores.

Student Insight: institutions taking advantage of Student Insight will receive a URL for the service which will be publicly available over the internet.

3.4 Will Jisc share the results of penetration tests with customers?

No, these are internal documents for Jisc use only. Jisc’s processes for performing penetration tests and the resolution of any vulnerabilities discovered are subject to external review as part of our ISO 27001 certification.

3.5 Can customers carry out their own penetration tests?

No, due to the expected number of Users of the service it would not be possible to manage the conflicts in scheduling and requirements of different tests. It could also put the availability of the service at risk. Jisc’s processes for performing penetration tests and the resolution of any vulnerabilities discovered are subject to external review as part of our ISO 27001 certification.

4. Users, Authentication and Authorisation

4.1 What type of authentication methods will the system/service use at Infrastructure level?

Users who require access, and systems, are authenticated to the Learning Data Hub via a key and secret obtained securely from the Jisc SFTP server.

UDD data is submitted via secure SFTP upload, authenticated with an OpenSSH public key created and submitted by the institution. The institution is responsible for ensuring that the corresponding private key is kept secure.

4.2 What type of authentication method will the system/service use at Application level?

Data Explorer, Study Goal and Student Insight

University users are authenticated by the UK Access Federation and the University’s own Identity Provider (IdP).

4.3 Which University staff and students will use/access the system or service?

University staff in faculties and students will be able to access services showing them data relevant to themselves / students they are responsible for. Staff involved in the set-up and maintenance will have access to underlying data to ensure data quality etc. It is the responsibility of the university to ensure that this access is allocated correctly and reviewed, amended and removed as appropriate when a member of staff leaves or changes role.

4.4 Which Jisc staff and Suppliers will use/access the system or service?

The project/service team at Jisc will have access to individualised data that is made available to them via the learning data hub in order to provide the service:

Learning Data Hub: HT2 Labs are contracted by Jisc to provide this service, which is hosted in AWS, and the technical team at HT2 working on the project have access to data in order to provide the service.

Data Explorer, Study Goal, Jisc Learning Analytics Predictor: only Jisc staff have access to data in order to support these components.

Student Insight will be developed and provided by Tribal, who require access to the data to build models. This will transition to a service directly provided to the institution by Tribal via the learning records store in 2017.

4.5 What user authorisation is in place at Infrastructure level?

Learning Data Hub & SFTP

University system administrators submitting student records data via SFTP will necessarily have access to that data, as will administrators of other systems which submit data such as VLEs and Library systems (see Jisc's Learning Analytics Architecture diagram).

Jisc will configure the ID of a nominated university staff member(s) to have administrative powers. Role-based (and potentially organisation unit/ department-specific) permissions will be controlled by them. It is the responsibility of the university to ensure that these permissions are allocated correctly and reviewed, amended and removed as appropriate when a member of staff leaves or changes role.

4.6 What user authorisation is in place at Application level?

Data Explorer, Study Goal and Student Insight

User identifiers will be extracted by the institution from their central systems and loaded into the learning records warehouse.

Based on these identifiers, application users will only be able to see data relevant to themselves. This is based on a role-based system as follows:

Data Explorer: Site-Admins and Site Explorers can see all data. Staff identified as Tutors according to the data provided in the STAFF entity can see student data.

Study Goal: Students can see their own data by default. In addition they can use the 'friends' functionality to allow other students to view selected data.

4.7 Does the service support account lockout after failed login attempts?

At application level this is a function of the individual university's UK Access Federation Identity Provider (IdP).

4.8 Does the service support two-factor authentication?

At application level this is a function of the individual university's UK Access Federation Identity Provider (IdP).

4.9 How are user accounts deactivated/deleted when no longer required?

For user access, this is the responsibility of the University via their Identity Provider (IdP).

5 Data Storage, Backup and Destruction

5.1 Describe storage location for data

Data is held in Amazon Web Services, based in Dublin.

5.2 Describe the physical access control to server rooms and/or other physical storage areas

All systems are physically located within datacentres operated by AWS. The information security of AWS is managed in conformance with the requirements of ISO 27001, providing Jisc and our customers with assurances of the security of the datacentre and virtualization aspects of the service. The security of the operating system and application stack is managed by Jisc.

Any transfers of data between Jisc and AWS are conducted over secure, encrypted, connections. Staff at Jisc are subject to Jisc's "Secure Working Practices Policy" that covers the physical security of information when working in a Jisc office or remotely at other locations.

5.3 Describe the data backup and restoration controls

For the Learning Data Hub, full backups of the database are held on a rolling 5 week schedule. At any one point we have the ability to roll back to up to 5 weeks ago, with periods in between available as well. In addition specific Point In Time restoration is available for any period within the last 48 hours.

5.4 Describe the storage location for backup tapes

n/a, not tape based. Backup is in AWS.

5.5 How will access to backup tapes be monitored?

n/a

5.6 Will additional copies of data be created?

Any temporary copies of data used during processing will be encrypted at rest and securely deleted when no longer required. These copies are typically created during the development of predictive models.

5.7 Describe the procedure for erasure of data when no longer required.

Institutions can request their data be fully removed at any time by submitting a service request to Jisc. Note the backup cycle described in 5.3, which sets the minimum time for removal of all data including backups.

5.8 Will there be any data processing, storage or replication outside the EEA?

If data needs to be processed, stored or replicated outside of the EEA, Jisc undertakes to put in place measures to ensure Institutions comply with data protection legislation.

6. User and Network Security Controls

6.1 Describe Jisc’s process for ensuring appropriate staff work on the service.

All new staff at Jisc, including casual staff, are given a contract of employment containing a confidentiality clause and are made aware of their responsibilities toward personal data as part of their induction process. All staff at Jisc are required to take an online data protection awareness course annually. All staff at Jisc are subject to a "Secure Working Practices Policy" that communicates their responsibilities towards information security, as well as providing advice and guidance on common security threats. All Jisc staff involved with providing the service are provided with additional information security training.

6.2 Describe the preventive, detective and corrective controls against unauthorised activities on the network to safeguard data

Learning Data Hub: HT2 are subcontracted to maintain the security of the operating system and application stack used to provide the Learning Data Hub. Vulnerability and patch management is carried out on a regular schedule in accordance with our vulnerability management processes.

Data Explorer, Study Goal and Learning Analytics Predictor: Jisc are responsible for maintaining the security of the operating system and application stack used to provide these services. Vulnerability and patch management is carried out on a regular schedule in accordance with our vulnerability management processes.

All: Occasionally, critical security patches may require us to take the service offline at short notice. Where possible we will work with customers to minimize any disruption. The system is regularly scanned for vulnerabilities by automated systems, and is subject to periodic penetration testing of the network environment, operating system, and application. All issues discovered are prioritized and addressed accordingly. Jisc encourages third parties to work with us to resolve any security vulnerabilities discovered. Please e-mail information.security@jisc.ac.uk for more information.

6.3 Describe user access and activity monitoring controls (audit trails and logs) in place.

Study Goal user access logging is via xAPI to the Learning Data Hub.

Data Explorer maintains its own user logging service.

User logins are via the UK Access Federation and therefore should be logged via the Institution's IdP.

7 Incident Management

7.1 Briefly describe the security/data breach incident management and escalation process

Jisc has an established process for handling information security incidents including data breaches. Should an incident occur, it will be handled according to this process and in line with current data protection legislation. If an incident has an impact on the security of information secured in the service then Jisc’s Senior Information Risk Owner will make decisions as to whether and how customers and the Information Commissioner’s Office are notified.

Communications related to breaches will arrive through Jisc’s normal communications channels. Jisc will never ask you to provide passwords and other authentication information by e-mail.

8 Encryption Control

8.1 How will data be encrypted in storage areas either local storage facilities, in the Cloud or on endpoint devices?

Data at rest in the Learning Data Hub is encrypted at the database level.

In addition, historic data is encrypted at a field level, primarily as a means of de-identifying data for users that need to access historic data.

Any Jisc devices that need access to data will be encrypted.

8.2 How will data be encrypted in transit (including user authentication and other confidential/sensitive data)?

Data will be transferred using the HTTPS or SFTP secure communication protocols, with security credentials established with nominated institution representatives (in IT).

8.3 If applicable, how will data be protected during physical transportation?

Not applicable. We do not allow for the physical transfer of information into the service as electronic transfer is more secure.

8.4 Describe how any access tokens or passwords used to connect to other systems are encrypted and/or access-controlled.

Applications requiring access to the Learning Data Hub need to store their individual access credentials. Depending on the services an institution has adopted, this may currently include Moodle and Blackboard Plugins, la-tools, Data Explorer, Study Goal, and the Learning Analytics Predictor.

Access control to the respective application servers above limits key access to Jisc staff.