Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data Security Julie D. Wilson Sr

Published byÉ Φιλιππίδης Modified over 5 years ago

Similar presentations

Presentation on theme: "Data Security Julie D. Wilson Sr"— Presentation transcript:

1 Data Security Julie D. Wilson Sr
Data Security Julie D. Wilson Sr. ERP Financial Aid Analyst Dynamic Campus TASFAA 2019

2 AGENDA Overview of Graham-Leach-Bliley Act (GLBA 2002) and General Data Protection Regulation (GDPR, May 2018) Who needs to be concerned about data security? What data needs protecting and where is it? What are the requirements? Why is this coming up now? What constitutes a data breach and how to handle them? Planning and Implementation Resources. TASFAA 2019

3 Graham-Leach-Bliley Act (GLBA 2002)
Because FA administers the Direct Loans, IHEs are subject to the GLBA. The GLBA requires the following: Designated person or group to coordinate security program. Identify reasonably foreseeable internal/external risks to data security. Control risks identified and regular testing of controls. Take reasonable steps to select service providers who adhere to security safeguards. TASFAA 2019

4 General Data Protection Regulation (GDPR)
GDPR is NOT required for compliance here. However, if you have international students from European countries, compliance is required beginning May 2018. Encryption methods on servers, storage, media, networks. Strong key management Adhere to the students’ ‘right to be forgotten’ Verify legitimacy of user identities and transactions. Ensure data accuracy. Minimize student identity exposure. Implement data security measures. TASFAA 2019

5 Who Needs to be Concerned About Data Security?
President, VP, Senior Administration, Board CIO/CISO Registrar, Financial Aid, Finance Faculty, Staff, Students EVERYONE! Your president and everyone with access to COD, NSLDS, FAA, and CPS agrees to adhere to GLBA on the PPA and every time you log in to these systems. TASFAA 2019

6 What data needs to be protected?
Personally Identifiable Information (PII) Full Name Date of Birth (DOB) Social Security Numbers (SSN) Bank Accounts Any data elements that when combined can be linked back to a specific person. TASFAA 2019

7 Where is data that needs protecting?
Systems: SIS, ERP, Data Management Paper and Imaged Files Forms and Applications Reports Transmissions Identification Cards Paper checks, credit cards, statements Check Stubs, W2s, 1098s Desks, phones, s, etc. TASFAA 2019

8 Why Now? At the 2017 FSA Conference it was announced that as part of the annual A133 audit for 2018, IHEs must include the Data Security Assessment Report. The report must include the following: Identify the person/group responsible for data security program. Identify reasonably foreseeable internal/external risks to data security via formal documented risk assessments of employee training/management; information systems, storage, transmission, and disposal; detection, preventing, and responding to attacks. Control risks identified and regularly test/monitor effectiveness. Ensure that servicers have a security program. TASFAA 2019

9 Identify the Person/Group for Data Security Program
GDPR requires that ONE person at the senior administration level be responsible for Data Security. Group/Team should include: Financial Aid, Records/Registrar, Institutional Research, Information Technology, AR, HR. Whoever has access to sensitive data. Produce Data Security Assessment Report of issues found. Enforce data security protocols. TASFAA 2019

10 Identify Risks to Data Security
Common risks: Community printers: Can items be printed from the history? Personal devices with institutional , data, reports, etc. Insufficient security classes in Colleague, imaging, etc. Insufficient controls for internal/external networks. Password sharing. Paper files. TASFAA 2019

11 Control Risks Identified
Perform penetration tests and correct issues identified. Training to reduce and eliminate user scams (phishing attacks, password sharing, etc.) Develop security classes to make data ‘need to know.’ Employ automatic log out on campus computers. Develop policies and procedures to address personal devices, institutional information, document destruction, etc. Employ mandatory training for all users. Include students in any data security plan. TASFAA 2019

12 Ensure Servicers Have a Security Program
Third party services must be GLBA compliant. Shred companies, debit cards, bookstore, cafeteria, etc. Review the contract: Does it address data security protections. Are they insured for breaches? How will they notify you of a breach? If they have a breach, you’ve had a breach! Report it! TASFAA 2019

13 Reminder about ‘Red Flag’ rules?
FTC Identity Theft Red Flag Rules (2007) Detection of Identity Fraud/Theft Prevention of Identity Fraud/Theft Response to suspected Identity Fraud/Theft TASFAA 2019

14 What is a Data Security Breach?
GLBA defines a breach as data: Disclosure Misuse Alteration Destruction Other compromise of data/information No minimum record count. Applies to all records, electronic and paper. Storage, transit, and processing. Your third party vendors (if they had a breach, you had a breach). TASFAA 2019

15 TASFAA 2019 Breach Reporting
SAIG agreement requires breaches be reported ON THE DAY OF DETECTION or SUSPICION. No minimum number of files. Not just electronic files. Report first, investigate further after. DOE can levy fines of up to $54,789 per violation if the IHE does not comply with self-reporting requirements. Million dollar liability insurance covers approximately 18 compromised records not reported. TASFAA 2019

16 TASFAA 2019 Resources FTC Red Flag Rules
flags-rule-how-guide-business Federal Student Aid Cybersecurity Compliance Information FSA Postsecondary Institution Data Security Overview & Requirements 16 CFR (b) sec314-4.pdf TASFAA 2019

17 Questions TASFAA 2019

18 Thank you. Julie D. Wilson Sr
Thank you! Julie D. Wilson Sr. ERP Financial Aid Analyst Dynamic Campus TASFAA 2019

Download ppt "Data Security Julie D. Wilson Sr"

Similar presentations

University of Minnesota

University of Minnesota
ANNUAL SECURITY AWARENESS TRAINING – 2011 UMW Information Technology Security Program Annual Security Awareness Training for UMW Faculty and Staff.

ANNUAL SECURITY AWARENESS TRAINING – 2011 UMW Information Technology Security Program Annual Security Awareness Training for UMW Faculty and Staff.
Red Flags Compliance BANKERS ADVISORY 1 Red Flags Compliance Fair & Accurate Credit Transactions Act (FACTA) Identity Theft Prevention.

Red Flags Compliance BANKERS ADVISORY 1 Red Flags Compliance Fair & Accurate Credit Transactions Act (FACTA) Identity Theft Prevention.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Red Flags Rule BAS Forum August 18, 2010. What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.

Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
Red Flag Rules: What they are? & What you need to do

Red Flag Rules: What they are? & What you need to do
© Chery F. Kendrick & Kendrick Technical Services.

© Chery F. Kendrick & Kendrick Technical Services.
Identity Theft Prevention Program Red Flags Rules Fighting Fraud at Montana Tech.

Identity Theft Prevention Program Red Flags Rules Fighting Fraud at Montana Tech.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting.

Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting.
The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.

The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.
Protecting Personal Information Guidance for Business.

Protecting Personal Information Guidance for Business.
FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.

FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.
Time to Wave the White Flag – Compliance with the FTC’s Identity Theft Red Flags Rule William P. Dillon, Esq. Messer, Caparello & Self, P.A. 2618 Centennial.

Time to Wave the White Flag – Compliance with the FTC’s Identity Theft Red Flags Rule William P. Dillon, Esq. Messer, Caparello & Self, P.A Centennial.
Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.

Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Allison Dolan Program Director, Protecting PII Handling Sensitive Data - WISP and PIRN.

Allison Dolan Program Director, Protecting PII Handling Sensitive Data - WISP and PIRN.
© Chery F. Kendrick & Kendrick Technical Services.

© Chery F. Kendrick & Kendrick Technical Services.
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,

DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,

Similar presentations

Ads by Google