Federal Student Aid Conference - PowerPoint PPT Presentation
1
Federal Student Aid Conference
  • Orlando, FL

2
Session 59
  • Cyber Security
  • Karen Sefton
  • Brian Fuller

3
Cyber Security at Federal Student Aid
  • How Federal Student Aid Protects Sensitive Data:
    Current State
  • How Federal Student Aid Protects Sensitive Data:
    On the Horizon
  • Developing an Enterprise Security Program at your
    Institution

4
Recent Press Shows Consequences of Security
Breaches
  • ChoicePoint Settles Data Security Breach Charges;
    to Pay $10 Million in Civil Penalties, $5 Million
    for Consumer Redress. At Least 800 Cases of
    Identity Theft Arose From Company's Data Breach
  • MasterCard International Identifies Security
    Breach at CardSystems Solutions, A Third Party
    Processor of Payment Card Data Purchase, NY, June
    17, 2005 - MasterCard International reported
    today that it is notifying its member financial
    institutions of a breach of payment card data,
    which potentially exposed more than 40 million
    cards of all brands to fraud, of which
    approximately 13.9 million are MasterCard-branded
    cards.
  • Federal student aid site exposes borrowers' data.
    The U.S. Department of Education has disabled the
    online payment feature for its Federal Student
    Aid site, following a security breach that could
    affect up to 21,000 borrowers.

5
What Data is At Risk?
Name?
Data in the Public Domain?
Account Number?
Privacy Act Data?
Sensitive Data?
Date of Birth?
Personally Identifiable Information?
Address?
SSN?
6
Data Security Focus is PII
  • Personally Identifiable Information or Personally
    Identifying Information (PII)
  • PII definitions vary
  • Common definition
  • PII is any piece of information which can
    potentially be used to uniquely identify,
    contact, or locate a single person. PII can be
    used to expose individuals to identity theft,
    robbery, murder, or other crimes.

7
Federal Student Aid Systems Containing PII
  • Common Origination and Disbursement (COD)
  • Central Processing System (CPS)
  • Free Application for Federal Student Aid (FAFSA)
  • Direct Loan Servicing System (DLSS)
  • National Student Loan Data System (NSLDS)
  • Conditional Disability Discharge Tracking System (CDDTS)
  • Debt Management Collection System (DMCS)
  • Direct Loan Consolidation System (DLCS)
  • Ombudsman Case Tracking System (OCTS)

8
Drivers For Protecting PII
9
Drivers For Protecting PII
  • Responsible Stewardship
  • Laws and regulations governing treatment of PII
  • FISMA
  • NIST
  • OMB
  • GLB

10
Responsible Stewardship
  • Government has a responsibility to protect the
    privacy of the very personal data it collects
    from its citizens
  • Contractors and Trading Partners share the
    responsibility to protect citizen data.

11
Laws and Regulations
  • Federal Information Security Management Act of
    2002 (FISMA)
  • Bolsters computer and network security within the
    Federal Government and affiliated parties, such
    as government contractors, by mandating yearly
    audits.
  • Directs compliance with NIST standards
  • Requires all federal agencies to report security
    incidents to the federal incident response center
    (US-CERT) at the Department of Homeland Security

12
Laws and Regulations
  • OMB Circulars and Memoranda
  • New directives resulting from the Veterans Affairs
    laptop breach. All government agencies are
    required to:
  • conduct assessments of their mobile data and
    network remote-access provisions to ensure full
    compliance with NIST regulations
  • report all suspected or confirmed security
    incidents to US-CERT within one hour of
    discovering the incident
  • establish core management group to respond to
    loss of PII to mitigate the risk of identity
    theft

13
Laws and Regulations
  • Gramm-Leach-Bliley Act
  • Includes provisions to protect consumers'
    personal financial information held by financial
    institutions
  • Defines financial institutions as companies
    providing many types of financial products and
    services to consumers including lending,
    brokering or servicing any type of consumer loan,
    transferring or safeguarding money, preparing
    individual tax returns, providing financial
    advice or credit counseling, providing
    residential real estate settlement services,
    collecting consumer debts and an array of other
    activities
  • Post-secondary schools are included in the
    financial institutions definition of GLB

14
How Federal Student Aid Protects Sensitive Data -
Current State
15
Current State Enterprise Controls
  • Contractual requirements for internal controls,
    incident reporting, corrective action
  • Security Operations Centers within data centers
    provide intrusion detection, reporting, and
    vulnerability assessments
  • Self-assessments and government audits
  • Policies and procedures for Federal Student Aid
    employees and partners accessing application
    systems
  • Strong controls around application user access
    and need to know

16
Current State Data at Rest
  • Laptops and other portable devices
  • When employees must access PII to accomplish
    their work, all PII data must be stored on
    encrypted thumb drives or in password-protected
    files on CD-ROM/DVD
  • Laptops must accompany the employee on travel in
    carry-on baggage
  • Hardcopy documents and reports
  • Ready access to shredders and secure disposal
    containers in the workplace
  • Policies require safeguarding reports transported
    off-site, e.g. no PII in checked baggage

17
Current State Data in Motion
  • Email
  • Policies discourage emailing PII. If it is
    necessary to conduct business, emailed text and
    attachments must be password-protected or
    encrypted

18
Current State Data in Motion
  • Data exchanges with schools, lenders, and
    Guaranty Agencies
  • encrypted tapes
  • electronic transmissions over dedicated or secure
    lines
  • Tapes must be double-packaged for transit and
    degaussed after use

19
Current State Data in Motion
  • Tapes will not be an option after mid-2007
  • NSLDS data submissions via SAIG
  • GA Default assignments via SAIG beginning
    December 2006
  • Credit Bureau updates via VPN beginning fall 2006
  • Private Collection Agency (PCA) updates via VPN

20
How Federal Student Aid Protects Sensitive Data -
On the Horizon
21
On the Horizon
  • Eliminating SSN in borrower-facing products
  • Billing invoices, disclosures, and other
    correspondence
  • Web screens
  • Assessing more frequently the universe of
    internal and external users of systems containing
    PII
  • Tightening access for the student to
    administrator relationship in NSLDS, CPS, COD
  • Increased rigor in activating/deactivating users
    to ensure only system and data access required by
    job duties
  • More communication with exchange partners and
    contacts, including DPAs, on their challenges and
    ideas for improvement

22
Developing an Enterprise Security Program at
your Institution
23
Security in Higher Education The Excuses
  • We're an academic institution dependent upon the
    open and free exchange of ideas. Security
    requirements will stifle our creativity!
  • We just don't have the money to protect our IT
    investments.

24
No Choice but to Pay Attention
  • These were the same arguments made by the
    Department of Energy, as their nuclear secrets
    were walking out of our national labs.
  • Given the vast amount of Personally Identifiable
    Information (PII) maintained by the higher
    education community, this industry can't afford
    to ignore information security.
  • Recent exposures underscore the fact that the
    higher Education community is not immune
  • Theft of laptops from countless universities
  • PII exposures throughout the industry and
    government
  • Exposure of data at Federal Student Aid website

25
Agenda
  • Drivers of Change
  • Defining an Enterprise Security Program (ESP)
  • Implementing an Enterprise Security Program
  • Steps to Implementing an Enterprise Security
    Program
  • Obtaining Support from Existing Industry
    Knowledge Base

26
Drivers of Change
27
Drivers of Change
  • Identity Theft: Information is the target
  • Changing Nature of Threats
  • External Pressure: FERPA, FISMA, Sarbanes-Oxley,
    Data Loss Notification Laws, PCI Data Security
    Standard, Customer Expectations
28
Defining an Enterprise Security Program
29
Defining an ESP
It is critical to build a security program,
containing repeatable processes, that is
integrated into the day-to-day business processes
of the organization.
  • Governance
  • Operations
  • Training
  • Assessment
  • Monitoring and Remediation

30
Implementing an Enterprise Security Program in
Higher ED
31
Implementing an ESP in Higher ED
  • Standards-Based
  • Flexible
  • User-Driven
  • Adaptable
  • Simple
  • Measurable

32
Steps to Implementing an Enterprise Security
Program
33
Steps to Implementing an ESP
  • Secure Senior Management Support
  • Implement Governance Structure
  • Establish Communication Program
  • Develop Inventory
  • Perform Risk Assessments
  • Implement Controls
  • Monitor and Refine
  • Train the Community

34
Obtaining Support from an Existing Knowledge Base
35
Obtaining Support from Existing Knowledge Base
  • EDUCAUSE/ECAR
  • DISA (Configuration Standards)
  • FISMA
  • NIST Documentation
  • Publications/Associations
  • Government Computer News
  • Federal Computer Week
  • INFOWEEK
  • SecurityFocus.com
  • SANS.ORG

36
National Institute of Standards and Technology
(NIST)
  • Mandated by Congress to provide guidance in
    protecting government IT assets and data
  • Provides security standards and guidelines that
    support an enterprise-wide risk management
    process
  • Plays an integral part in agencies' overall
    security

37
National Institute of Standards and Technology
(NIST)
NIST 800-100 Quick guide to all relevant areas
  • Info Security Governance
  • System Development Life Cycle
  • Awareness and Training
  • Capital Planning
  • Interconnecting Systems
  • Performance Measures
  • Security Planning
  • Contingency Planning
  • Risk Management
  • Certification and Accreditation
  • Security Services Acquisition
  • Incident Response
  • Configuration Management

Establish a common baseline of understanding
Read NIST 800-100!
38
Key Takeaways
  • Build a security program aligned with business
    objectives
  • Leverage the existing security knowledge base

39
Questions?
  • We appreciate your feedback and comments
  • Karen Sefton
  • Phone 202-377-3111
  • Email karen.sefton@ed.gov