
Comprehensive Guide to Higher Education Data Security

This guide covers the essentials of data security in higher education, including GLBA and GDPR regulations, data protection requirements, breach handling, risk identification, and control measures. Learn who needs to be concerned, what data to protect, and why compliance is crucial.



Presentation Transcript


  1. Data Security
  Julie D. Wilson
  Sr. ERP Financial Aid Analyst
  Dynamic Campus
  TASFAA 2019

  2. AGENDA
  • Overview of the Gramm-Leach-Bliley Act (GLBA 2002) and the General Data Protection Regulation (GDPR, May 2018)
  • Who needs to be concerned about data security?
  • What data needs protecting, and where is it?
  • What are the requirements?
  • Why is this coming up now?
  • What constitutes a data breach, and how should one be handled?
  • Planning and implementation
  • Resources

  3. Gramm-Leach-Bliley Act (GLBA 2002)
  • Because Financial Aid (FA) administers the Direct Loans, IHEs are subject to the GLBA.
  • The GLBA requires the following:
    • A designated person or group to coordinate the security program.
    • Identify reasonably foreseeable internal and external risks to data security.
    • Control the risks identified and regularly test the controls.
    • Take reasonable steps to select service providers who adhere to security safeguards.

  4. General Data Protection Regulation (GDPR)
  • GDPR is NOT required for compliance here. However, if you have international students from European countries, compliance is required beginning May 2018.
  • Encryption on servers, storage, media, and networks.
  • Strong key management.
  • Adhere to students’ ‘right to be forgotten.’
  • Verify the legitimacy of user identities and transactions.
  • Ensure data accuracy.
  • Minimize student identity exposure.
  • Implement data security measures.

  5. Who Needs to be Concerned About Data Security?
  • President, VP, senior administration, Board
  • CIO/CISO
  • Registrar, Financial Aid, Finance
  • Faculty, staff, students
  • EVERYONE! Your president, and everyone with access to COD, NSLDS, FAA, and CPS, agrees to adhere to GLBA on the PPA and every time you log in to these systems.

  6. What data needs to be protected?
  • Personally Identifiable Information (PII):
    • Full name
    • Date of birth (DOB)
    • Social Security Number (SSN)
    • Bank accounts
    • Any data elements that, when combined, can be linked back to a specific person.

  7. Where is data that needs protecting?
  • Systems: SIS, ERP, data management
  • Paper and imaged files
  • Forms and applications
  • Reports
  • Transmissions
  • Identification cards
  • Paper checks, credit cards, statements
  • Check stubs, W-2s, 1098s
  • Desks, phones, emails, etc.

  8. Why Now?
  • At the 2017 FSA Conference it was announced that, as part of the annual A-133 audit for 2018, IHEs must include the Data Security Assessment Report. The report must include the following:
    • Identify the person or group responsible for the data security program.
    • Identify reasonably foreseeable internal and external risks to data security via formal, documented risk assessments of: employee training and management; information systems, storage, transmission, and disposal; and detecting, preventing, and responding to attacks.
    • Control the risks identified and regularly test and monitor the effectiveness of the controls.
    • Ensure that servicers have a security program.

  9. Identify the Person/Group for the Data Security Program
  • GDPR requires that ONE person at the senior administration level be responsible for data security.
  • The group or team should include Financial Aid, Records/Registrar, Institutional Research, Information Technology, AR, and HR: whoever has access to sensitive data.
  • Produce a Data Security Assessment Report of the issues found.
  • Enforce data security protocols.

  10. Identify Risks to Data Security
  • Common risks:
    • Community printers: can items be printed from the history?
    • Personal devices with institutional email, data, reports, etc.
    • Insufficient security classes in Colleague, imaging, etc.
    • Insufficient controls for internal and external networks.
    • Password sharing.
    • Paper files.

  11. Control Risks Identified
  • Perform penetration tests and correct the issues identified.
  • Train users to reduce and eliminate scams that target them (phishing attacks, password sharing, etc.).
  • Develop security classes so that data access is ‘need to know.’
  • Employ automatic log-out on campus computers.
  • Develop policies and procedures to address personal devices, institutional information, document destruction, etc.
  • Employ mandatory training for all users.
  • Include students in any data security plan.

  12. Ensure Servicers Have a Security Program
  • Third-party services must be GLBA compliant.
  • Shred companies, debit cards, bookstore, cafeteria, etc.
  • Review the contract: does it address data security protections?
  • Are they insured for breaches?
  • How will they notify you of a breach?
  • If they have a breach, you’ve had a breach! Report it!

  13. Reminder about ‘Red Flag’ Rules
  • FTC Identity Theft Red Flags Rule (2007)
  • Detection of identity fraud/theft
  • Prevention of identity fraud/theft
  • Response to suspected identity fraud/theft

  14. What is a Data Security Breach?
  • GLBA defines a breach as data:
    • Disclosure
    • Misuse
    • Alteration
    • Destruction
    • Other compromise of data/information
  • No minimum record count.
  • Applies to all records, electronic and paper.
  • Covers storage, transit, and processing.
  • Includes your third-party vendors (if they had a breach, you had a breach).

  15. Breach Reporting
  • The SAIG agreement requires that breaches be reported ON THE DAY OF DETECTION or SUSPICION.
  • No minimum number of files.
  • Not just electronic files.
  • Report first; investigate further afterward.
  • DOE can levy fines of up to $54,789 per violation if the IHE does not comply with self-reporting requirements. A million-dollar liability insurance policy covers approximately 18 compromised records not reported.

  16. Resources
  • FTC Red Flags Rule: https://www.ftc.gov/tips-advice/business-center/guidance/fighting-identity-theft-red-flags-rule-how-guide-business
  • Federal Student Aid Cybersecurity Compliance Information: https://ifap.ed.gov/eannouncements/Cyber.html
  • FSA Postsecondary Institution Data Security Overview & Requirements: https://fsaconferences.ed.gov/conferences/library/2017/2017FSAConfSession37.ppt
  • 16 CFR 314.4(b): https://www.gpo.gov/fdsys/pkg/CFR-2003-title16-vol1/pdf/CFR-2003-title16-vol1-sec314-4.pdf

  17. Questions

  18. Thank you!
  Julie D. Wilson
  Sr. ERP Financial Aid Analyst
  Dynamic Campus
  Julie.Wilson@dynamiccampus.com
