Session 59
Sponsored Links
This presentation is the property of its rightful owner.
1 / 37

Session 59 PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

Session 59. Cyber Security Karen Sefton Brian Fuller. Cyber Security at Federal Student Aid. How Federal Student Aid Protects Sensitive Data – Current State How Federal Student Aid Protects Sensitive Data – On the Horizon Developing an Enterprise Security Program at your Institution.

Download Presentation

Session 59

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Session 59

Session 59

Cyber Security

Karen Sefton

Brian Fuller

Cyber security at federal student aid

Cyber Security at Federal Student Aid

  • How Federal Student Aid Protects Sensitive Data – Current State

  • How Federal Student Aid Protects Sensitive Data

    – On the Horizon

  • Developing an Enterprise Security Program at your Institution

Recent press shows consequences of security breaches

Recent Press Shows Consequences of Security Breaches

ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress At Least 800 Cases of Identity Theft Arose From Company’s Data Breach

MasterCard International Identifies Security Breach at CardSystems Solutions, A Third Party Processor of Payment Card Data Purchase, NY, June 17, 2005 - MasterCard International reported today that it is notifying its member financial institutions of a breach of payment card data, which potentially exposed more than 40 million cards of all brands to fraud, of which approximately 13.9 million are MasterCard-branded cards.

Federal student aid site exposes borrowers’ data. The U.S. Department of Education has disabled the online payment feature for its Federal Student Aid site, following a security breach that could affect up to 21,000 borrowers.

What data is at risk

What Data is At Risk?


Data in the Public Domain?

Account Number?

Privacy Act Data?

Sensitive Data?

Date of Birth?

Personally Identifiable Information?



Data security focus is pii

Data Security Focus is PII

  • Personally Identifiable Information or Personally Identifying Information (PII)

  • PII definitions vary

  • Common definition:

    PII is any piece of information which can potentially be used to uniquely identify, contact, or locate a single person. PII can be used to expose individuals to identity theft, robbery, murder, or other crimes.

Federal student aid systems containing pii

Federal Student Aid Systems Containing PII

  • Common Origination and Disbursement (COD)

  • Central Processing System (CPS)

  • Free Application for Federal Student Aid (FAFSA)

  • Direct Loan Servicing System (DLSS)

  • National Student Loan Data System (NSLDS)

  • Conditional Disability Tracking System (CDDTS)

  • Debt Management Collection System (DMCS)

  • Direct Loan Consolidation System (DLCS)

  • Ombudsman Case Tracking System (OCTS)

Drivers for protecting pii

Drivers For Protecting PII

Drivers for protecting pii1

Drivers For Protecting PII

  • Responsible Stewardship

  • Laws and regulations

    governing treatment of PII

    • FISMA

      • NIST

    • OMB

    • GLB

Responsible stewardship

Responsible Stewardship

  • Government has a responsibility to protect the privacy of the very personal data it collects from its citizens

  • Contractors and Trading Partners share the responsibility to protect citizen data.

Laws and regulations

Laws and Regulations

Federal Information Security Management

Act of 2002- FISMA

  • Bolsters computer and network security within the Federal Government and affiliated parties, such as government contractors, by mandating yearly audits.

  • Directs compliance with NIST standards

  • Requires all federal agencies to report security incidents to the federal incident response center (US Cert) at the Department of Homeland Security

Laws and regulations1

Laws and Regulations

OMB Circulars and Memoranda

New directives resulting from Veterans Affairs laptop breach. All government agencies required to:

  • conduct assessments of their mobile data and network remote-access provisions to ensure full compliance with NIST regulations

  • report all suspected or confirmed security incidents to US Cert within one hour of discovering the incident

  • establish core management group to respond to loss of PII to mitigate the risk of identity theft

Laws and regulations2

Laws and Regulations

Gramm-Leach Bliley Act

  • Includes provisions to protect consumers’ personal financial information held by financial institutions

  • Defines financial institutions as “companies providing many types of financial products and services to consumers including lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities

  • Post-secondary institutions are financial institutions under GLB

How federal student aid protects sensitive data current state

How Federal Student Aid Protects Sensitive Data - Current State

Current state enterprise controls

Current State – Enterprise Controls

  • Contractual requirements for internal controls, incident reporting, corrective action

  • Security Operations Centers within data centers provides intrusion detection, reporting, and vulnerability assessments

  • Self-assessments and government audits

  • Policies and procedures for Federal Student Aid employees and partners accessing application systems

  • Strong controls around application user access and “need to know”

Current state data at rest

Current State – Data at Rest

  • Laptops and other portable devices

    • All PII data must be stored on encrypted thumb drives, password protected files on CD ROM/DVD when employees must access PII to accomplish their work

    • Laptops must accompany the employee on travel in carry-on baggage

  • Hardcopy documents and reports

    • Ready access to shredders and secure disposal containers in the workplace

    • Policies require safeguarding reports transported off-site; i.e. no PII in checked baggage

  • Current state data in motion

    Current State – Data in Motion


    Policies discourage emailing PII. If necessary to conduct business, emailed text and attachments must be password protected or encrypted

    Current state data in motion1

    Current State – Data in Motion

    • Data exchanges with schools,

      lenders, Guaranty Agencies:

      • encrypted tapes

      • electronic transmissions

        over dedicated or secure lines

    • Tapes must be double-packaged

      for transit and degaussed after use

    Current state data in motion2

    Current State – Data in Motion

    • Tapes will not be an option after mid-2007

      • NSLDS data submissions via SAIG

      • GA Default assignments via SAIG beginning December 2006

      • Credit Bureau updates via VPN beginning fall 2006

      • Private Collection Agency (PCA) updates via VPN

    How federal student aid protects sensitive data on the horizon

    How Federal Student Aid Protects Sensitive Data - On the Horizon

    On the horizon

    On the Horizon

    • Eliminating SSN in borrower-facing products

      • Billing invoices, disclosures, and other correspondence

      • Web screens

    • Assessing more frequently the universe of internal and external users of systems containing PII

      • Tightening access for the “student to administrator” relationship in NSLDS, CPS, COD

      • Increased rigor in activating/deactivating users to ensure only system and data access required by job duties

    • More communication with exchange partners and contacts, including DPAs, on their challenges and ideas for improvement

    Security in higher education the excuses

    Security in Higher Education: The Excuses

    “We’re an academic institution dependent upon the open and free exchange of ideas. Security requirements will stifle our creativity!”

    “We just don’t have the money to protect our IT Investments.”

    No choice but to pay attention

    No Choice but to Pay Attention

    • These were the same arguments made by the Department of Energy, as their nuclear secrets were walking out of our national labs.

    • Given the vast amount of Personally Identifiable Information (PII) maintained by the higher Education community, this industry can’t afford to ignore information security.

    • Recent exposures underscore the fact that the higher Education community is not immune:

      • Theft of laptops from countless universities

      • PII exposures throughout the industry and government

      • Exposure of data at Federal Student Aid website



    • Drivers of Change

    • Defining an Enterprise Security Program (ESP)

    • Implementing an Enterprise Security Program

    • Steps to Implementing an Enterprise Security Program

    • Obtaining Support from Existing Industry Knowledge Base

    Drivers of change

    Drivers of Change

    Drivers of change1

    Drivers of Change

    Identity Theft

    Information is the target

    Changing Nature

    of Threats




    Data Loss Notification Laws

    PCI data security standard

    Customer Expectations



    Defining an enterprise security program

    Defining an Enterprise Security Program

    Defining an esp

    Defining an ESP

    It is critical to build a security program, containing repeatable processes, that is integrated into the day-to-day business processes of the organization.

    • Governance

    • Operations

    • Training

    • Assessment

    • Monitoring & Remediation

    Implementing an enterprise security program in higher ed

    Implementing an Enterprise Security Program in Higher ED

    Implementing an esp in higher ed

    Implementing an ESP in Higher ED

    • Standards-Based

    • Flexible

    • User-Driven

    • Adaptable

    • Simple

    • Measurable

    Steps to implementing an enterprise security program

    Steps to Implementing an Enterprise Security Program

    Steps to implementing an esp

    Steps to Implementing an ESP

    • Secure Senior Management Support

    • Implement Governance Structure

    • Establish Communication Program

    • Develop Inventory

    • Perform Risk Assessments

    • Implement Controls

    • Monitor & Refine

    Obtaining support from an existing knowledge base

    Obtaining Support from an Existing Knowledge Base

    Obtaining support from existing knowledge base

    Obtaining Support from Existing Knowledge Base


    • DISA (Configuration Standards)

    • FISMA

      • NIST Documentation

    • Publications/Associations

      • Government Computer News

      • Federal Computer Week

      • INFOWEEK


      • SANS.ORG

    National institute of standards and technology nist

    National Institute of Standards and Technology (NIST)

    • Mandated by Congress to provide guidance in protecting government IT assets and data

    • Provides security standards and guidelines that support an enterprise-wide risk management process

    • Plays an integrated part of agencies’ overall security

    National institute of standards and technology nist1

    Info Security Governance

    System Development Lifestyle

    Awareness and Training

    Capital Planning

    Interconnecting Systems

    Performance Measures

    Security Planning

    Contingency Planning

    Risk Management

    Certification and Accreditation

    Security Services & Acquisition

    Incident Response

    Configuration Management

    National Institute of Standards and Technology (NIST)

    NIST 800-100 – Quick guide to all relevant areas

    Establish a common baseline of understanding

    Read NIST 800-100!

    Key takeaways

    Key Takeaways

    • Build a security program aligned with business objectives

    • Leverage existing security knowledgebase



    We appreciate your feedback and comments

    Name:Karen Sefton

    Phone: 202-377-3111


    Name:Brian Fuller

    Phone: 720-493-7146


  • Login