Session 59. Cyber Security Karen Sefton Brian Fuller. Cyber Security at Federal Student Aid. How Federal Student Aid Protects Sensitive Data – Current State How Federal Student Aid Protects Sensitive Data – On the Horizon Developing an Enterprise Security Program at your Institution.
– On the Horizon
ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress At Least 800 Cases of Identity Theft Arose From Company’s Data Breach
MasterCard International Identifies Security Breach at CardSystems Solutions, A Third Party Processor of Payment Card Data Purchase, NY, June 17, 2005 - MasterCard International reported today that it is notifying its member financial institutions of a breach of payment card data, which potentially exposed more than 40 million cards of all brands to fraud, of which approximately 13.9 million are MasterCard-branded cards.
Federal student aid site exposes borrowers’ data. The U.S. Department of Education has disabled the online payment feature for its Federal Student Aid site, following a security breach that could affect up to 21,000 borrowers.
Data in the Public Domain?
Privacy Act Data?
Date of Birth?
Personally Identifiable Information?
PII is any piece of information which can potentially be used to uniquely identify, contact, or locate a single person. PII can be used to expose individuals to identity theft, robbery, murder, or other crimes.
governing treatment of PII
Federal Information Security Management
Act of 2002- FISMA
OMB Circulars and Memoranda
New directives resulting from Veterans Affairs laptop breach. All government agencies required to:
Gramm-Leach Bliley Act
Policies discourage emailing PII. If necessary to conduct business, emailed text and attachments must be password protected or encrypted
lenders, Guaranty Agencies:
over dedicated or secure lines
for transit and degaussed after use
“We’re an academic institution dependent upon the open and free exchange of ideas. Security requirements will stifle our creativity!”
“We just don’t have the money to protect our IT Investments.”
Drivers of Change
Information is the target
Data Loss Notification Laws
PCI data security standard
Defining an Enterprise Security Program
It is critical to build a security program, containing repeatable processes, that is integrated into the day-to-day business processes of the organization.
Implementing an Enterprise Security Program in Higher ED
Steps to Implementing an Enterprise Security Program
Obtaining Support from an Existing Knowledge Base
Info Security Governance
System Development Lifestyle
Awareness and Training
Certification and Accreditation
Security Services & Acquisition
NIST 800-100 – Quick guide to all relevant areas
Establish a common baseline of understanding
Read NIST 800-100!