Learn how to recognize, prevent, and report breaches in this session by Dan Commons, FSA Chief Information Security Officer. Topics include breach definitions, compliance requirements, common threats, best practices, and incident reporting steps. Gain insights on safeguarding personal and financial information, cybersecurity protocols, response procedures, and available resources.
Session #29: What FAAs Need to Know About Cybersecurity Initiatives, Data Protection, Identity Theft, and School Breach Reporting
Dan Commons, FSA Chief Information Security Officer, U.S. Department of Education
2018 FSA Training Conference for Financial Aid Professionals, November 2018
Agenda
• What constitutes a breach
• Compliance
• Common causes and cybersecurity threats
• Cybersecurity best practices
• How to report an incident
• FSA’s response process
• Resources
• Q&A
What is a breach?
• A breach is any unauthorized disclosure, misuse, alteration, destruction or other compromise of sensitive information
Compliance
• FSA Program Participation Agreement (PPA) & Student Aid Internet Gateway (SAIG) agreement
• Title IV schools are responsible for protecting personal and financial information
• Develop, implement, & maintain a documented data security (info-sec) program and designate an employee (or employees) to coordinate the program
• Gramm-Leach-Bliley Act (GLBA, 2002)
• GEN 15-18 and GEN 16-12
• Family Educational Rights and Privacy Act (FERPA)
Common causes and cybersecurity threats
• Human error
• Ransomware
• Identity theft
• Malware
• Phishing schemes
Cybersecurity best practices
• Document your cybersecurity policies
• Educate employees and students
• Segregate networks
• Enforce safe password practices
• Install anti-malware software
• Use multifactor identification
How to report an incident
• Send an email
  To: FSASchoolCyberSafety@ed.gov; cpssaig@ed.gov
  Cc: your data breach team, executives, etc., per your policy
• Or call the Education Security Operations Center (EDSOC) at 202-245-6550 (24 hours a day)
• Include:
  • Date of breach (suspected or known)
  • Impact of breach (# of records, etc.)
  • Method of breach (hack, accidental disclosure, etc.)
  • Information Security Program Point of Contact (email and phone)
  • Remediation Status (complete, in process – with detail)
  • Next steps (as needed)
FSA’s process for responding to incident reports
• Receives report from PSI, media, or other source
• Conducts analysis to determine likelihood of impact on FSA data and severity (if likely)
• Unlikely impact? Incident usually closed
• Likely impact? Next steps depend on severity but may include:
  • Requesting additional information
  • Working with the PSI to determine a course of action
Resources
• Use the Cybersecurity Assessment Tool (CAT)
  • https://ifap.ed.gov/eannouncements/attachments/FFIEC_CAT_form.pdf
  • Automated self-assessment tool that helps establish your current risk profile and cybersecurity maturity
  • Built for financial institutions by the Federal Financial Institution Examiners’ Council (FFIEC), https://www.ffiec.gov/
  • Pertains to policy, people, and process issues
• Visit the Cybersecurity Compliance page: https://ifap.ed.gov/eannouncements/Cyber.html
  • Links to useful sites, documents, resources, regulations, POCs
Resources continued
• Visit the Department of Education, Protecting Student Privacy website
  • https://studentprivacy.ed.gov/training/ferpa-101-colleges-universities
  • Web-based training, videos, webinars