11 Feb 2022

The 8 Security Features to Look For in a Student Management System

Cyber security is an important topic for training providers, with cyber attacks having the potential to cause significant and costly issues. It's crucial to use a student management system (SMS) with robust information security measures in place.

If you're assessing your current systems, or looking for a more secure alternative, this guide will help you spot the must-have features to keep your student and training data safe.

1. Secure Cloud-Based Hosting

Cloud-based applications ensure greater flexibility to make quick changes for their clients. By choosing a cloud-based student management system instead of an on-premise one, you’re going to get a service that is constantly innovating.

Cloud-based apps also come with robust security measures like firewalls, SSL data transmission, data encryption, and more. Beyond choosing a cloud-based SMS, you should also consider which hosting service your provider has chosen. A student management system hosted with a robust cloud service like Amazon Web Services (AWS) should give you enough peace of mind knowing your data is in safe and capable hands.

2. ISO Compliance

The International Organisation for Standardisation (ISO) is an independent, non-governmental body based in Switzerland that publishes standards followed by organisations in countries around the world.

Their standards cover sectors from aerospace and medical devices to oil and gas, and many more.

There are two standards highly relevant to student and learning management systems: ISO 27001, and ISO 9001.

ISO 27001

Also referred to as ISO/IEC 27001, ISO 27001 is the world’s best-known standard for the requirements an information security management system (ISMS) should meet.

Any student management system conforming to ISO 27001 has implemented processes that will:

  • reduce their vulnerability to cyber-attacks and other security threats
  • maintain security across paper-based, cloud-based, and digital data
  • preserve the confidentiality and availability of student and training organisation data

Being ISO 27001:2013 certified means your SMS provider is taking a proactive approach to managing information security, and has confidence that information security risks are managed in line with industry best practice.

ISO 9001

This standard ensures that any compliant organisation can provide customers with good-quality products and services. ISO 9001 has a client-quality focus and ensures continual improvement for the organisation.

If your learning management system is certified for ISO 9001, you can know that the LMS provider has a strong customer focus and is motivated to provide you with a high-quality experience.

Look for ISO badges to confirm your platforms comply with international best practice.

3. A Short Recovery Point Objective

The recovery point objective (RPO) is the maximum amount of data loss, measured in time, that an operation can tolerate following a disruption; in other words, how old the most recent restorable backup is allowed to be.

Let's say that the RPO for an application like Facebook is 2 hours. If a cyber attack disrupts Facebook at midday, the last backup must have been taken no earlier than 10 am that day. The photos you posted at 11:30 might be gone, but at least the rest of your account data is retrievable.

Nobody likes losing their work, even if it’s only 10 minutes of work. Look for a student management system with regular back-ups to ensure that in the event of an unforeseen disruption, the risk to your business is minimal. A good SMS should have an RPO of 5-15 minutes to ensure the smooth running of your training organisation.
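The following is an added example, not code from the article or from any SMS vendor, that turns the RPO idea above into a check you can run against a backup log: it finds the latest restorable snapshot for an incident, measures the data-loss window, and verifies that a schedule's worst gap between snapshots stays inside the RPO. The backup timestamps and the 15-minute schedule are constructed sample data; the midday incident and the 2-hour RPO are the article's own scenario.

```python
from datetime import datetime, timedelta

# Constructed sample data (an assumption for this example, not figures from the article):
# completion times of database snapshots on the day of an incident.
BACKUPS = [
    datetime(2022, 2, 11, 9, 0),
    datetime(2022, 2, 11, 10, 0),
    datetime(2022, 2, 11, 13, 0),  # finished after the incident, so it cannot be restored from
]
# The article's scenario: a disruption at midday.
INCIDENT = datetime(2022, 2, 11, 12, 0)

# A constructed schedule with a snapshot every 15 minutes across a full day.
FIFTEEN_MINUTE_SCHEDULE = [datetime(2022, 2, 11, 0, 0) + timedelta(minutes=15 * i) for i in range(97)]


def latest_restore_point(backups, incident):
    """The most recent backup that completed at or before the incident (None if none did)."""
    usable = [b for b in backups if b <= incident]
    return max(usable) if usable else None


def data_loss_minutes(backups, incident):
    """Minutes of work lost when restoring from the latest usable backup, or None if nothing is restorable."""
    point = latest_restore_point(backups, incident)
    if point is None:
        return None
    return (incident - point).total_seconds() / 60


def meets_rpo(backups, incident, rpo_minutes):
    """True if restoring after this incident loses no more than the RPO allows."""
    lost = data_loss_minutes(backups, incident)
    return lost is not None and lost <= rpo_minutes


def largest_gap_minutes(backups):
    """Longest interval between consecutive backups; this is the worst-case loss the schedule permits."""
    ordered = sorted(backups)
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(ordered, ordered[1:])]
    return max(gaps) if gaps else 0.0


def schedule_meets_rpo(backups, rpo_minutes):
    """A backup schedule can only honour an RPO if no gap between snapshots exceeds it."""
    return largest_gap_minutes(backups) <= rpo_minutes


if __name__ == "__main__":
    print("loss at midday:", data_loss_minutes(BACKUPS, INCIDENT), "minutes")
    print("within a 2-hour RPO:", meets_rpo(BACKUPS, INCIDENT, 120))
    print("within a 15-minute RPO:", meets_rpo(BACKUPS, INCIDENT, 15))
    print("15-minute schedule honours a 15-minute RPO:", schedule_meets_rpo(FIFTEEN_MINUTE_SCHEDULE, 15))
```

When evaluating a provider's stated RPO, ask for the actual snapshot timestamps rather than the policy: `largest_gap_minutes` over a real log is what tells you whether a "5-15 minute" promise is being kept.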

4. Regular Third-Party Penetration Testing

Third-party penetration testers act like hackers to find vulnerabilities in a security system. SMS and LMS providers contract them to look for weaknesses before a real attacker finds them, which strengthens the security of the platform.

Check when your SMS provider last had a third-party penetration test. Ideally, they should commission one annually to maintain the integrity of the platform.

5. Database Shards

The process of sharding involves moving data off a single large database into multiple smaller databases. The biggest advantage to data being held in shards, rather than a single database, is that it mitigates the ‘noisy neighbour’ effect.

The noisy neighbour effect occurs when an account in the system executes an operation that requires a lot of server power, such as a large AVETMISS report. This can impact other system users, slowing their accounts.

The best solution to this problem is to evenly separate client data into a number of database subdivisions that will provide a much more reliable and scalable user experience. Once client data is separated in this way, there will be more room to grow.

Other benefits include:

  • Overnight reporting warehouse jobs will be quicker, so warehoused reports will be online for longer and available earlier each morning
  • Reporting wait queues will be shorter
  • Workflows reliant on the report queue will be completed closer to the scheduled time
  • Better security for your users

Some SMS providers will give you the option to sit on your own shard, meaning your system performance won't be affected by the activities of other training organisations. At the very least, you want a student management system that places your data within a shard rather than in a single database shared by all of the SMS's clients.
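As an added illustration (not aXcelerate's code, and not a description of any particular vendor's architecture), the router below shows the two placement options the section describes: tenants hashed evenly across a pool of shared shards, and a tenant given a shard of its own. Each shard is modelled as a separate in-memory SQLite database standing in for a separate database server; the tenant identifiers and table layout are assumptions for the example.

```python
import hashlib
import sqlite3
from collections import Counter


class ShardRouter:
    """Routes each tenant (training organisation) to one shard.

    Shards are separate in-memory SQLite databases here, standing in for separate
    database servers; a real deployment would hold a connection string per shard.
    """

    def __init__(self, num_shards, dedicated=()):
        # A pool of shared shards, plus one private shard per tenant that asked for one.
        self.shared = [sqlite3.connect(":memory:") for _ in range(num_shards)]
        self.dedicated = {tenant: sqlite3.connect(":memory:") for tenant in dedicated}
        for db in self.shared + list(self.dedicated.values()):
            db.execute("CREATE TABLE student (tenant_id TEXT NOT NULL, id INTEGER, name TEXT)")

    def shard_key(self, tenant_id):
        """Stable placement: a dedicated tenant gets its own shard; everyone else is hashed
        into the shared pool, so the same tenant always lands on the same shard."""
        if tenant_id in self.dedicated:
            return ("dedicated", tenant_id)
        digest = hashlib.sha256(tenant_id.encode("utf-8")).digest()
        return ("shared", int.from_bytes(digest[:8], "big") % len(self.shared))

    def connection(self, tenant_id):
        kind, key = self.shard_key(tenant_id)
        return self.dedicated[key] if kind == "dedicated" else self.shared[key]

    def add_student(self, tenant_id, student_id, name):
        self.connection(tenant_id).execute(
            "INSERT INTO student (tenant_id, id, name) VALUES (?, ?, ?)",
            (tenant_id, student_id, name),
        )

    def count_students(self, tenant_id):
        # The tenant_id predicate is still required: a shared shard hosts several tenants,
        # so sharding alone does not replace per-tenant filtering in every query.
        row = self.connection(tenant_id).execute(
            "SELECT COUNT(*) FROM student WHERE tenant_id = ?", (tenant_id,)
        ).fetchone()
        return row[0]

    def rows_on_shard_of(self, tenant_id):
        """Rows a shard-wide job (such as a large report) would scan on this tenant's shard."""
        return self.connection(tenant_id).execute("SELECT COUNT(*) FROM student").fetchone()[0]

    def distribution(self, tenant_ids):
        """How many tenants land on each shard; use it to confirm the pool is evenly loaded."""
        return Counter(self.shard_key(t) for t in tenant_ids)
```

The "noisy neighbour" point is visible in `rows_on_shard_of`: for a tenant on a dedicated shard it equals that tenant's own row count, so a heavy report only ever scans its own data, whereas on a shared shard it includes every co-located tenant's rows.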

6. Multi-Factor Authentication

While it is becoming more common, some platforms still lag behind when it comes to implementing multi-factor authentication (MFA) in their products.

MFA is a critical extra layer of security that requires more than one piece of evidence to authorise a login. If a user's password becomes compromised, MFA adds an extra hurdle to their account being unlawfully accessed.

It's very simple for users to set up, typically requiring a second piece of evidence in the form of a code sent via text message, generated by an authenticator app on the user's mobile device, or sent to their email inbox. It combines different types of evidence to increase security: something you know (a password), something you have (a phone), or something you are (such as a fingerprint).

MFA is a key way to protect businesses from the kinds of damaging attacks that can cost millions of dollars.
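To show what the "authenticator app" factor actually checks on the server side, here is an added example (not from the article or any vendor) implementing the standard one-time-password algorithms the apps use: HOTP from RFC 4226 and its time-based form TOTP from RFC 6238. The verifier tolerates one step of clock drift but refuses to accept the same code twice. The secret used in the usage block is the published test key from those RFCs, so the expected codes are the RFC test vectors; the tolerance window and step size are the usual defaults, assumed here.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(at_time // step), digits)


class TotpVerifier:
    """Server-side check of an authenticator-app code for one user.

    Accepts codes from neighbouring time steps (clock drift) but never accepts the same
    step twice, so a code observed in transit cannot be replayed within its window.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_accepted = -1  # highest counter already consumed; persist per user in practice

    def verify(self, code: str, at_time=None) -> bool:
        if at_time is None:
            at_time = time.time()
        counter = int(at_time // self.step)
        for candidate in range(counter - self.window, counter + self.window + 1):
            if candidate <= self.last_accepted:
                continue  # already used (or older than something already used)
            # constant-time comparison so response timing does not leak matching digits
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_accepted = candidate
                return True
        return False


if __name__ == "__main__":
    rfc_test_secret = b"12345678901234567890"  # published RFC 4226 / RFC 6238 test key
    verifier = TotpVerifier(rfc_test_secret)
    print("code at t=59:", totp(rfc_test_secret, 59))          # 287082 per the RFC vectors
    print("first use accepted:", verifier.verify("287082", at_time=59))
    print("replay accepted:", verifier.verify("287082", at_time=59))
```

The point for an evaluator is that the second factor is checked independently of the password: a stolen password alone cannot produce `hotp(secret, counter)` without the per-user secret held on the phone, and the replay guard closes the window in which an intercepted code remains useful.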

7. Role-Based Permissions

Your SMS contains a lot of highly sensitive information. By utilising role-based access controls, you can ensure that data is only accessible to relevant people within the organisation.

Look for a student management system that gives you fine-grained control over user permissions, so you can control not only who can see data, but also who can update it.
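As an added example (not the product's actual role model, which the article does not describe), the snippet below implements the view-versus-update distinction the section asks for: permissions are granted per role as explicit (resource, action) pairs, anything not granted is denied, and a review helper lists which roles can change a given record. The roles, resources and the `store` object are assumptions for illustration.

```python
# Assumed role model for illustration only.
VIEW, UPDATE = "view", "update"

ROLE_PERMISSIONS = {
    "trainer": {("enrolment", VIEW), ("result", VIEW), ("result", UPDATE)},
    "admin_officer": {("enrolment", VIEW), ("enrolment", UPDATE), ("result", VIEW)},
    "auditor": {("enrolment", VIEW), ("result", VIEW)},
}


def permissions_for(roles):
    """Union of the permissions granted by each role; an unknown role grants nothing."""
    granted = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def is_allowed(roles, resource, action):
    """Deny by default: only an explicit (resource, action) grant permits the operation."""
    return (resource, action) in permissions_for(roles)


def require(roles, resource, action):
    """Guard to call before touching data; raises rather than silently proceeding."""
    if not is_allowed(roles, resource, action):
        raise PermissionError(f"{action} on {resource} denied for roles {sorted(roles)}")


def roles_that_can(resource, action):
    """Review helper: which roles hold a given right (e.g. who can UPDATE, not just VIEW)."""
    return sorted(role for role, perms in ROLE_PERMISSIONS.items() if (resource, action) in perms)


def update_student_result(roles, student_id, new_grade, store):
    """A data operation guarded by the check; `store` is any dict-like object (assumed)."""
    require(roles, "result", UPDATE)
    store[student_id] = new_grade
    return store[student_id]


if __name__ == "__main__":
    results = {}
    print(update_student_result({"trainer"}, 42, "Competent", results))
    print("can auditors update results?", is_allowed({"auditor"}, "result", UPDATE))
    print("roles able to update enrolments:", roles_that_can("enrolment", UPDATE))
```

Keeping view and update as separate grants is what lets an auditor or a front-desk role read records without being able to alter them; `roles_that_can` is the query to run during a periodic access review.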

8. A Team You Trust

Your SMS provider needs to be committed to industry standards throughout the software development lifecycle and the incorporation of information security into every part of their business, including their staff.

We conduct screening checks for new staff members to ensure a secure workforce that handles your data with integrity. We provide our employees with privacy and security training, giving them sufficient knowledge to support the data security of our customers.

Does your provider conduct screening checks for new staff members? Do they offer privacy and security training? A secure workforce is key to your data being managed with integrity.

To achieve this, your SMS provider should have skilled staff that can deliver information security outcomes that are consistent with industry standards and expectations. This means having an Information Security Management System (ISMS), and continually maintaining and improving the ISMS to meet owners’, clients’ and legal requirements for information security.

aXcelerate is a leading cloud-based training management system. We build products you can trust, offering enterprise-grade protection to users of our student, learning, and on-the-job training management systems.
