Cyber Security Session 59 Karen Sefton Brian Fuller

Session 59
Cyber Security
Karen Sefton
Brian Fuller
Cyber Security at Federal Student Aid
• How Federal Student Aid Protects Sensitive Data – Current State
• How Federal Student Aid Protects Sensitive Data – On the Horizon
• Developing an Enterprise Security Program at your Institution
Recent Press Shows Consequences of Security Breaches
ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress. At Least 800 Cases of Identity Theft Arose From Company’s Data Breach.
MasterCard International Identifies Security Breach at CardSystems Solutions, A Third Party Processor of Payment Card Data. Purchase, NY, June 17, 2005: MasterCard International reported today that it is notifying its member financial institutions of a breach of payment card data, which potentially exposed more than 40 million cards of all brands to fraud, of which approximately 13.9 million are MasterCard-branded cards.
Federal student aid site exposes borrowers’ data. The U.S. Department of Education has disabled the online payment feature for its Federal Student Aid site, following a security breach that could affect up to 21,000 borrowers.
What Data is At Risk?
Name?
Account Number?
Date of Birth?
SSN?
Address?
Data Security Focus is PII
• Personally Identifiable Information or Personally Identifying Information (PII)
• PII definitions vary
• Common definition: PII is any piece of information which can potentially be used to uniquely identify, contact, or locate a single person. PII can be used to expose individuals to identity theft, robbery, murder, or other crimes.
Federal Student Aid Systems Containing PII
• Common Origination and Disbursement (COD)
• Central Processing System (CPS)
• Free Application for Federal Student Aid (FAFSA)
• Direct Loan Servicing System (DLSS)
• National Student Loan Data System (NSLDS)
• Conditional Disability Tracking System (CDDTS)
• Debt Management Collection System (DMCS)
• Direct Loan Consolidation System (DLCS)
• Ombudsman Case Tracking System (OCTS)
Drivers For Protecting PII
• Responsible Stewardship
• Laws and regulations governing treatment of PII
– FISMA
• NIST
– OMB
– GLB
Responsible Stewardship
• Government has a responsibility to protect the privacy of the very personal data it collects from its citizens
• Contractors and Trading Partners share the responsibility to protect citizen data.
Laws and Regulations
Federal Information Security Management Act of 2002 - FISMA
– Bolsters computer and network security within the Federal Government and affiliated parties, such as government contractors, by mandating yearly audits.
– Directs compliance with NIST standards
– Requires all federal agencies to report security incidents to the federal incident response center (US-CERT) at the Department of Homeland Security
Laws and Regulations
OMB Circulars and Memoranda
New directives resulting from the Veterans Affairs laptop breach. All government agencies are required to:
– conduct assessments of their mobile data and network remote-access provisions to ensure full compliance with NIST regulations
– report all suspected or confirmed security incidents to US-CERT within one hour of discovering the incident
– establish a core management group to respond to loss of PII to mitigate the risk of identity theft
Laws and Regulations
Gramm-Leach-Bliley Act
• Includes provisions to protect consumers’ personal financial information held by financial institutions
• Defines financial institutions as “companies providing many types of financial products and services to consumers including lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities”
• Post-secondary institutions are financial institutions under GLB
How Federal Student Aid Protects Sensitive Data - Current State
Current State – Enterprise Controls
• Contractual requirements for internal controls, incident reporting, corrective action
• Security Operations Centers within data centers provide intrusion detection, reporting, and vulnerability assessments
• Self-assessments and government audits
• Policies and procedures for Federal Student Aid employees and partners accessing application systems
• Strong controls around application user access and “need to know”
Current State – Data at Rest
• Laptops and other portable devices
– When employees must access PII to accomplish their work, all PII data must be stored on encrypted thumb drives or in password protected files on CD ROM/DVD
– Laptops must accompany the employee on travel in carry-on baggage
• Hardcopy documents and reports
– Ready access to shredders and secure disposal containers in the workplace
– Policies require safeguarding reports transported off-site, e.g. no PII in checked baggage
Current State – Data in Motion
Email
Policies discourage emailing PII. If necessary to conduct business, emailed text and attachments must be password protected or encrypted.
Current State – Data in Motion
• Data exchanges with schools, lenders, Guaranty Agencies:
– encrypted tapes
– electronic transmissions over dedicated or secure lines
• Tapes must be double-packaged for transit and degaussed after use
Current State – Data in Motion
• Tapes will not be an option after mid-2007
– NSLDS data submissions via SAIG
– GA Default assignments via SAIG beginning December 2006
– Credit Bureau updates via VPN beginning fall 2006
– Private Collection Agency (PCA) updates via VPN
How Federal Student Aid Protects Sensitive Data - On the Horizon
On the Horizon
• Eliminating SSN in borrower-facing products
– Billing invoices, disclosures, and other correspondence
– Web screens
• Assessing more frequently the universe of internal and external users of systems containing PII
– Tightening access for the “student to administrator” relationship in NSLDS, CPS, COD
– Increased rigor in activating/deactivating users to ensure only system and data access required by job duties
• More communication with exchange partners and contacts, including DPAs, on their challenges and ideas for improvement
Security in Higher Education: The Excuses
“We’re an academic institution dependent upon the open and free exchange of ideas. Security requirements will stifle our creativity!”
“We just don’t have the money to protect our IT Investments.”
No Choice but to Pay Attention
• These were the same arguments made by the Department of Energy, as their nuclear secrets were walking out of our national labs.
• Given the vast amount of Personally Identifiable Information (PII) maintained by the higher education community, this industry can’t afford to ignore information security.
• Recent exposures underscore the fact that the higher education community is not immune:
– Theft of laptops from countless universities
– PII exposures throughout the industry and government
– Exposure of data at Federal Student Aid website
Agenda
• Drivers of Change
• Defining an Enterprise Security Program (ESP)
• Implementing an Enterprise Security Program
• Steps to Implementing an Enterprise Security Program
• Obtaining Support from Existing Industry Knowledge Base
Drivers of Change
• Changing Nature of Threats
– Identity Theft
– Information is the target
• External Pressure
– FERPA
– FISMA
– Sarbanes-Oxley
– Data Loss Notification Laws
– PCI data security standard
– Customer Expectations
Defining an Enterprise Security Program (ESP)
It is critical to build a security program, containing repeatable processes, that is integrated into the day-to-day business processes of the organization.
• Governance
• Operations
• Training
• Assessment
• Monitoring & Remediation
Implementing an Enterprise Security Program in Higher Ed
• Standards-Based
• Flexible
• User-Driven
• Adaptable
• Simple
• Measurable
Steps to Implementing an Enterprise Security Program
1. Secure Senior Management Support
2. Implement Governance Structure
3. Establish Communication Program
4. Develop Inventory
5. Perform Risk Assessments
6. Implement Controls
7. Monitor & Refine
Obtaining Support from an Existing Knowledge Base
• EDUCAUSE/ECAR
• DISA (Configuration Standards)
• FISMA
– NIST Documentation
• Publications/Associations
– Government Computer News
– Federal Computer Week
– INFOWEEK
– SecurityFocus.com
– SANS.ORG
National Institute of Standards and Technology (NIST)
• Mandated by Congress to provide guidance in protecting government IT assets and data
• Provides security standards and guidelines that support an enterprise-wide risk management process
• Plays an integral part in agencies’ overall security
National Institute of Standards and Technology (NIST)
NIST 800-100 – Quick guide to all relevant areas
• Info Security Governance
• System Development Lifecycle
• Awareness and Training
• Capital Planning
• Interconnecting Systems
• Performance Measures
• Security Planning
• Contingency Planning
• Risk Management
• Certification and Accreditation
• Security Services & Acquisition
• Incident Response
• Configuration Management
Establish a common baseline of understanding
Read NIST 800-100!
Key Takeaways
• Build a security program aligned with business objectives
• Leverage existing security knowledge base
Questions?
We appreciate your feedback and comments
Name: Karen Sefton
Phone: 202-377-3111
Email: [email protected]
Name: Brian Fuller
Phone: 720-493-7146
Email: [email protected]