Colleges and universities employ student workers for a variety of jobs across campus. From dining halls, rec centers, and bookstores to residence life advisors, mail room clerks, and research assistants, these positions often offer flexibility and on-campus convenience so students can work around their class schedules.
If student workers will be working in an office or location where they may have access to sensitive information such as financial aid data, research data, payment card data, etc., it is important that they receive adequate training and understand their responsibilities for protecting and handling that information.
Upon hire, all student workers should be required to go through standard training pertaining to their job role and responsibilities, and acknowledge their understanding of relevant policies and procedures. If they will be accessing university equipment (i.e., laptops, computers, phones, etc.), they should most likely be enrolled in the university’s general security awareness training to receive basic training on information security best practices, email security, passwords, etc. They should also be required to acknowledge their understanding of the university’s acceptable usage policy to ensure they understand how equipment should be used, required and best practices, websites they should not be accessing, etc., as well as access control requirements, such as not sharing accounts and passwords. Training student workers on when and how to report potential or suspicious incidents is also important.
Depending on the type of information the student workers are accessing, it is also important their training includes compliance training. For example:
- PCI DSS (accessing/processing payment card data)
- GLBA (accessing/handing student financial aid data)
- HIPAA (accessing Protected Health Information (PHI))
- FERPA (accessing student records)
Compliance-focused training should review any data classification-based controls that may need to be followed. For example, for PCI, students may be involved in conducting the required payment card device inspections prior to their shift in the bookstore, or for GLBA, students may need to understand how to securely store paper financial aid data and the appropriate data retention standards.
Along with training, there are other compliance requirements that may need to be met. For example, background checks may need to be performed on student workers and interns, who should be vetted as any other worker. If a full-time employee is required to undergo a background check before being allowed to access sensitive information, a student worker with access to that data should also undergo a background check. The key is consistency: if anyone requires qualification before accessing a type of data, then everyone with access to that data should go through the same qualification process.
It will be important to confirm you have adequate procedures in place with your Human Resources department to ensure student workers are meeting those requirements prior to employment. They may also be asked to sign specific confidentiality agreements if they have access to or handle information that is sensitive or confidential in nature.
Offices that employ student workers can generally expect a high turnover rate and will often need to train a new group of student workers each term. It is critical that the onboarding and training process for these workers is clearly defined, so steps are not missed that could lead to a potential compromise of sensitive information. Making security a top priority across the entire organization, from top executives to department heads, faculty members, staff, and student workers is the only way to effectively protect sensitive data and mitigate potential threats.
Additional feedback from our Manager of Security Advisor Services:
[Hobby]: It’s important to understand that from a data security and privacy perspective, student workers are not a special case. Access to data should be controlled holistically. A student worker in a role with access to sensitive data should be treated the same way as a full-time employee in the same role. As an example, if a role requires a background check, then everyone in the role should undergo a background check regardless of their employment status.
