Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cheng Tang | Dec 2015 U.S. Department of Education 2015 FSA Training Conference for Financial Aid Professionals What FAAs Need to Know about Cybersecurity.

Published byScott Henderson Modified over 8 years ago

Similar presentations

Presentation on theme: "Cheng Tang | Dec 2015 U.S. Department of Education 2015 FSA Training Conference for Financial Aid Professionals What FAAs Need to Know about Cybersecurity."— Presentation transcript:

1 Cheng Tang | Dec 2015 U.S. Department of Education 2015 FSA Training Conference for Financial Aid Professionals What FAAs Need to Know about Cybersecurity Initiatives, Data Protection, and Identity Theft Session 43

2 Agenda FSA Technology Office Security Initiatives Recent Incidents and Breaches Cybersecurity Initiatives FAA Guidance 2

3 FSA Security Initiatives Two-factor authentication More schools enabling TFA Privileged users especially at risk Security Operations Center Coordinated Government and Industry threat identification Real-time threat analysis and mitigation Improved breach and incident response FSA ID Reducing PII High availability, usage, high reliability Mission Statement Deliver efficient and cost effective, and secure technology to enable the business of FSA 3

4 Why Should I Care as an FAA? Security Reputation Comply with laws and regulations 4

5 Definition of a Breach Privacy breach - when PII is lost or stolen, or is disclosed or otherwise exposed to unauthorized people for unauthorized purposes.  This includes PII in any format, and whether or not it is a suspected or confirmed loss  Examples of PII breaches:  PII left on the printer or scanner  PII e-mailed without encryption or other protection  PII mailed to the wrong recipient  PII stored on a stolen laptop or thumb drive  PII posted to a public-facing website, etc. 5

6 Is It An Incident? Security incident – any event that compromised the confidentiality, integrity, or availability of an information asset. Example: Suspicious e-mail with links 6

7 Types of Incidents 7

8 …Or a Breach? Data Breach – An incident that resulted in confirmed disclosure, not just exposure, to an unauthorized party, often used interchangeably with data compromise. Following links and being redirected to a malicious site 8

9 What Happens During a Breach $3.79M average cost of a data breach $154 cost per lost record ($217 in the U.S.) Costs keep going up 17 malicious codes hacks, 12 sustained probes/month Reissue cards, consumer protection, insurance, liability Loss of reputation Source: Ponemon 2015 9

10 Data Breach Investigations Report  60% cases: attackers compromise org within minutes.  Nearly 50% of the people open e-mails and click on phishing links within the first hour.  A campaign of only10 e-mails yields >90% chance that at least one person click.  99.9% of the exploited vulnerabilities had been compromised more than a year after the vulnerability was published.  Half of vulnerabilities were exploited within two weeks of posted.  Malware events focus on: financial services, insurance, retail, utilities, and education. Source: DBIR 2015 10

11 Recent Examples of Data Loss Source: https://www.privacyrights.org/data-breach/new April 2015 Office of Personnel Management (OPM) breached and personally identifiable information for ALL federal employees, past, present, contractors (21.5 million) stolen May 15, 2015 College servers breached in two different intrusions, potential exposure for at least 18,000 people October 1, 2014 District-wide phishing attack allowed access to employees email accounts containing files with personally identifiable information, potential exposure 1,400 Target, Home Depot, IRS, Sony 11

12 Profiling the Attacker / Threat Vectors 12 86% perpetrated by outsiders 14% committed by insiders 1% business partners 7% multiple parties 19% state-affiliated actors 12

13 Potential Breach Sources 13 Informative files Phone numbers Passwords? Leave information Unlocked screen

14 Laptop Risks February 2015 – University laptop was stolen with student roster information including social security numbers and grade data, potentially impacting 941 students. July 2014 – College unencrypted laptop was stolen from a staff member’s office with personal information of approximately 20,000 current and former students and faculty members. https://www.privacyrights.org/data-breach/new 14

15 Laptop Loss Examples 15 July 8, 2010 – Employee downloaded files onto a hard drive, connected to their home network and the files went onto the internet with information of current and former students personnel files and social security numbers June 9, 2014 – Employee sent an attachment unencrypted to 78 employees containing personal information of college employees, impacting approximately 1,900 employees Top Mobile Threats: 1.Mobile Malware 2.Loss/Theft 3.Social Media 4.Cloud Storage 5.Wi-Fi https://www.privacyrights.org/data-breach/new 15

16 FSA Electronic Data Transfer Points Federal Partners – FSA Shares Data with: Social Security Administration (SSA) Internal Review Service (IRS) Veterans Administration VA) Department of Justice (DOJ) Department of Homeland Security (DHS) Health & Human Services (HHS) Department of Education FSA Security follows Department policies and information roles up for Reporting FSA External Partners – Loan & Grant Disbursement and Management Guarantee Agencies (GA) - 29 Private Collection Agencies (PCA) - 30 Title IV Servicers (TIVAS) - 5 Not for Profit (NFP) - 8 FSA Major Applications and Interfaces Business Solutions ~12 Supporting Applications ~6 Web Applications ~6 IT Infrastructure ~6 Customers Parents and Students Schools and Universities Financial Assistance Requests & Determination Financial Assistance & Debt Collection Eligibility & Verification 16

17 Networks At Risk 17 Records of student and loan information Wireless networks Widely distributed networks Admissions Registrar’s Office Student Assistance College Book Store Health Clinic Websites Hackers seek diverse information and diverse paths

18 18 Intranet – Internal information, non-public distribution Facebook = share everything (Security questions?) Very mobile = laptop, iPhone, iPad everywhere Very trusting = limited password usage, write passwords down Not organized = often do not track credit cards, “junk” mail High debt = attractive to foreign actors Your Data At Risk

19 Breach Responsibility YOU (and your organization) assume the risk for the loss of data Cyber Security protects the data to the identified risk level Data protection, breach prevention MUST be a joint operation for success 19

20 Dear Colleague Letter Publication Date: July 29, 2015 Subject: Protecting Student Information Data breaches proliferating Cooperation of FSA Partners to implement strong security policies, controls, and monitoring is critical to protecting personally identifiable information and ensuring the confidentiality, security, and integrity of Title IV financial aid information 20

21 Legal Obligation to Protect (1 of 2) Student Aid Internet Gateway (SAIG) Enrollment Agreement The institution “[m]ust ensure that all Federal Student Aid applicant information is protected from access by or disclosure to unauthorized personnel.” Privacy Act of 1974 (Federal Agencies) Gramm-Leach-Bliley Act Safeguards Rule Applies to financial institutions and those that receive information about the customers of financial institutions Requires institutions to secure customer information and create a written information security plan that describes program to protect customer information State data breach and privacy laws and potentially other laws 21

22 Legal Obligation to Protect (2 of 2) HEA (Higher Education Act) Requires institutions to maintain appropriate institutional capability for the sound administration of the Title IV programs and would include satisfactory policies, safeguards, monitoring and management practices related to information security FERPA (Family Educational Rights and Privacy Act) Generally prohibits institutions from having policies or practices that permit the disclosure of education records or PII contained therein without the written consent of the student, unless an exception applies. Any data breach resulting from a failure of an institution to maintain appropriate and reasonable information security policies and safeguards could also constitute a FERPA violation Contractual Agreements per 34 CFR §668.25 The institution remains liable for any action by its third party servicers 22

23 Moral Obligation to Protect Online Predators Identity Theft Social Media 23

24 Passwords are Insecure 99.9% of all user-generated passwords are insecure Word-number-punctuation most commonly cracked ‘complex’ password Solutions are based on two-factor authentication The myth of privacy and security Password cracking by security experts: Six characters: 12 seconds Seven characters: 5 minutes Eight characters: 4 hours https://www.privacyrights.org/data-breach/new Password Trivia: Joshua I solemnly swear I am up to no good Akagi Setec Astronomy God, Sex, Love, and Secret xyzzy Shibboleth 24

25 Reduce Data Exposure 25 Enforce a clean desk policy Conduct PII “amnesty” days (shred paper PII/eliminate PII from local and shared drives) Protect data at the endpoints o USB drives, paper, laptops, smartphones, printers Destroy your data securely Do not keep records forever Limit access to only those with a need to know Practice breach prevention o Analyze breaches from other organizations o Learn from their mistakes o Adjust your policies and procedures accordingly Please - THINK before you post/send/tweet!

26 Tips to Safeguard PII 26 Minimize PII o Collect only PII that you are authorized to collect, and at the minimum level necessary o Limit number of copies containing PII to the minimum needed Secure PII o Store PII in an appropriate access-controlled environment o Use fictional personal data for presentations or training o Review documents for PII prior to posting o Safeguard PII in any format o Disclose PII only to those authorized Safeguard the transfer of PII o Do not e-mail PII unless it is encrypted or in a password protected attachment o Alert FAX recipients of incoming transmission o Use services that provide tracking and confirmation of delivery when mailing Dispose of PII Properly o Delete/dispose of PII at the end of its retention period or transfer it to the custody of an archives, as specified by its applicable records retention schedule

27 Typical Breach Response Employee received PII for someone else Debated on what to do, shared it with friends and coworker for advise 2-3 days later sent to supervisor Supervisor did not see the e-mail for a few days sent to friend in FSA technology office Friend decided to investigate, called person whose PII it was Person with PII data called FSA management who called CIO 27

28 Call your supervisor, the Help Desk, and Security and tell them exactly what is happening immediately Don’t delete any files or turn off your system unless Security tells you to Don’t send the files/data in question to anyone If you need advice or help, call your Federal Student Aid ISSO or the FSA Security Operations Center or the FSA CISO 28 Correct Breach Process

29 29 Only collect and use information that is absolutely necessary, and only share with those who absolutely need the information “Review and reduce”—inventory your PII and PII data flows, and look for ways to reduce PII Follow FSA and Best practice, policies and procedures Think before you hit the “send” button (E-mail is by far the #1 source of breaches) “Scramble, don’t gamble”- encrypt, encrypt, encrypt Minimize (or eliminate) the use of portable storage devices Protect PII on paper—enforce a clean desk policy, use secure shredding bins, locked cabinets, etc. In closing…

30 30 ht tps://www.privacyrights.org/ http://www.verizonenterprise.com/DBIR/2015/ http://www.ponemon.org Resources

31 National Institute of Standards and Technology (NIST) Special Publications (http://csrc.nist.gov/publications/PubsSPs.html)http://csrc.nist.gov/publications/PubsSPs.html NIST Special Publication 800-37 Rev 1 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach NIST Special Publication 800-53 Rev 4 Security and Privacy Controls for Federal Information Systems and Organizations NIST Special Publication 800-30 Rev 1 Guide for Conducting Risk Assessments NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations ISO/IEC 27001 Information Security Management (International Organization for Standardization/International Electrotechnical Commission) http://www.iso.org/iso/home/standards/management-standards/iso27001.htm 31

32 Cyber Resiliency Reviews https://www.us-cert.gov/ccubedvp/self-servicecrr Critical Infrastructure Cyber Community Voluntary Program https://www.uscert.gov/ccubedvp Cybersecurity Information Sharing and Collaboration Program https://www.uscert.gov/sites/default/files/c3vp/CISCP_20140523.pdf Enhanced Cybersecurity Services http://www.dhs.gov/enhancedcybersecurity-services Information Sharing and Analysis Organization Rollout http://www.dhs.gov/isao National Initiative for Cybersecurity Careers and Studies http://niccs.uscert.gov GEN-15-18: Protecting Student Information http://www.ifap.ed.gov/dpcletters/attachments/GEN1518.pdf National Vulnerability Database https://nvd.nist.gov 32 Resources

33 QUESTIONS? 33

Download ppt "Cheng Tang | Dec 2015 U.S. Department of Education 2015 FSA Training Conference for Financial Aid Professionals What FAAs Need to Know about Cybersecurity."

Similar presentations

Protect Our Students Protect Ourselves

Protect Our Students Protect Ourselves
Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
Red Flags Rule BAS Forum August 18, 2010. What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.

Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.

Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.
HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website: www.mc.vanderbilt.edu/HIPAA.

HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website:
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
Springfield Technical Community College Security Awareness Training.

Springfield Technical Community College Security Awareness Training.
A dialogue with FMUG: Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June.

A dialogue with FMUG: Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June.
BUS VIDEO RECORDINGS COLLECTION – PROCESSING - REDACTION - SHARING WHAT IS RIGHT FOR YOUR DISTRICT?

BUS VIDEO RECORDINGS COLLECTION – PROCESSING - REDACTION - SHARING WHAT IS RIGHT FOR YOUR DISTRICT?
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.
Protecting Personal Information Guidance for Business.

Protecting Personal Information Guidance for Business.
Information Privacy and Compliance Training For All Brigham Young University– Idaho Employees.

Information Privacy and Compliance Training For All Brigham Young University– Idaho Employees.
Helping you protect your customers against fraud Division of Finance and Corporate Securities.

Helping you protect your customers against fraud Division of Finance and Corporate Securities.
Critical Data Management Indiana University HR Summit April 24, 2014.

Critical Data Management Indiana University HR Summit April 24, 2014.
SAFEGUARDING DHS CLIENT DATA PART 2 SAFEGUARDING PHI AND HIPAA Safeguards must: Protect PHI from accidental or intentional unauthorized use/disclosure.

SAFEGUARDING DHS CLIENT DATA PART 2 SAFEGUARDING PHI AND HIPAA Safeguards must: Protect PHI from accidental or intentional unauthorized use/disclosure.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Information Security Awareness:

Information Security Awareness:
Security Controls – What Works

Security Controls – What Works
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.

Similar presentations

Ads by Google