Student Data Security

Don't Get Stung - Student Data Security

Student Data Security

2014 – Year of the breach!

Over a billion personal data records were compromised in 2014 - NBCNEWS.com

Largest Higher Education Breaches of 2014

University of Maryland – 300k records

North Dakota University – 300k records

Butler University – 200k records

Indiana University – 146k records

Arkansas State University – 50k records

All of these were bigger than the Sony breach! - Huffington Post

Other Costs

• Loss of student trust

• Damage to reputation

• Loss of staff productivity

• Legal action

• Additional audit requirements

• ??

Financial Costs

Areas of Focus

What is the Weakest Link in Your Security?

Key Awareness Topics

Password Management

Mobile device security

WiFi Security

Password Management

Unique passwords for each service – never reuse your email account's password

Use a combination of words, numbers and symbols, using upper- and lower-case letters

Don't use easily guessed passwords (e.g. password, user)

Don't use dictionary words or sequences

Complexity is nice but length is more important

Never keep a list of passwords around

Use two-step or two-factor authentication whenever possible

- krebsonsecurity.com
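To make the "length beats complexity" point concrete, the following Python is an added example (not part of the original deck) that scores a password by its brute-force search space and flags the deck's other rules (easily guessed words, sequences). The 60-bit threshold and the small list of common passwords are assumptions chosen for illustration.

```python
import math
import string

# Constructed list standing in for a real breached-password list; the deck's
# own examples of easily guessed passwords are "password" and "user".
COMMON_PASSWORDS = {"password", "user", "123456", "qwerty", "letmein"}

# (character pool, size): digits 10, lower 26, upper 26, ASCII symbols 32
POOLS = ((string.digits, 10), (string.ascii_lowercase, 26),
         (string.ascii_uppercase, 26), (string.punctuation, 32))


def charset_size(pw: str) -> int:
    """Size of the smallest standard pool that covers every character in pw."""
    return sum(n for pool, n in POOLS if any(c in pool for c in pw))


def entropy_bits(pw: str) -> float:
    """Brute-force search space in bits: length * log2(pool size).
    An upper bound: dictionary words and sequences fall far below it."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive ascending characters, e.g. "abcd"
    or "1234", which guessing tools try before any brute force."""
    low = pw.lower()
    return any(all(ord(low[i + j + 1]) - ord(low[i + j]) == 1 for j in range(run - 1))
               for i in range(len(low) - run + 1))


def weaknesses(pw: str) -> list:
    """The deck's rules that pw violates; an empty list means it passes."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("easily guessed")
    if has_sequence(pw):
        problems.append("contains a sequence")
    if entropy_bits(pw) < 60:  # assumed threshold for this illustration
        problems.append("search space under 60 bits")
    return problems


if __name__ == "__main__":
    # 8 characters drawn from all four pools vs. 25 lowercase letters
    for pw in ("Tr0ub4d!", "correcthorsebatterystaple", "abcd1234"):
        print(f"{pw:26} {entropy_bits(pw):6.1f} bits  {weaknesses(pw)}")
```

The 8-character password using all four character classes lands near 52 bits, while the 25-letter lowercase passphrase exceeds 117 bits and passes every rule.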

Mobile Device Security

Use a PIN, password or pattern lock on your phone

Enable data encryption features

Download apps only from trusted stores

o Install an anti-malware program (e.g. Lookout)

o Install anti-theft software

Don’t root or jailbreak your phone

Keep your operating system and apps updated

Log out of sites after you make a payment

Switch off Wi-Fi and Bluetooth when not in use

- Techradar.com

Public WiFi Use

Know that you are never secure!

Use built-in tools:

Enable firewall

Block all incoming traffic

Disable file sharing

Look for the padlock

Confirm network name with your location

Use common sense

- CNET.com

Secure Processes

Don't leave sensitive information lying around unprotected, including on printers, fax machines, or copiers

Secure area, files and portable equipment before leaving them unattended (ask IT to automatically lock unattended computers)

Shred sensitive paper records before disposing of them

Don’t use email to transmit sensitive data including scanned document attachments

Don't send paper mail that includes SSNs, financial account information, driver's license numbers, etc.

Ensure that all staff have their own logins and accounts (no sharing)

Email is not secure!

"Email was not designed with any privacy or security in mind" - Geoff Duncan, Digital Trends

IT Security Best Practices

Encrypt your data

Use a digital certificate to sign all of your sites

Implement a removable media policy

Protect school websites

Network endpoint security

Stay current with patches and upgrades

Establish policy of no PII data on laptops or mobile devices

Vendor Checklist

How is my data transmitted securely?

What algorithms are used to protect my stored data?

How will my data be stored and protected?

How are the various levels of access granted and controlled?

Who at the vendor has access to my data? Is there background screening?

How are users authenticated? What password management functionality is provided?

What type of physical security is provided for your data center?

What security and/or process audits do you comply with?

Is there explicit contract language for who owns data and how data can be used?

Alphabet Soup

Certification – Purpose

SSAE 16, SOC 1 and 2 – Auditing standard to ensure appropriate controls at your hosting provider; certification of controls for privacy and security.

TRUSTe Certification – Privacy protection certification

PCI DSS – Certifies data security of credit card payment processing

FedRAMP – Government program that provides a standard approach to security assessment, authorization and monitoring of cloud products and services

FIPS 140-2 – Federal Information Processing Standard for accrediting data encryption standards

ISO 27001 – Audit and risk assessment framework for information security management

Vendors who are serious about security will hold several of these certifications, depending on the service.

Responding to a Breach

Have a Plan – Key Elements

First 24 Hour Checklist

Notification Requirements

Other Services

Elements of a Good Response Plan

Define a response team with clear roles and responsibilities: Executive Leader, IT, Public Relations, Student Services, Legal, Law Enforcement Liaison

Assign somebody to maintain the contact list on a quarterly basis

Have a documented plan and procedure for investigation, notification, support and legal review

Plan for increased call volume to a call center or other support help line

Provide FAQ and support materials on the institution website and/or student portals

Have a policy for cases that warrant complimentary identity protection and credit monitoring services

Pre-select a data forensics vendor to assist in breach response

Pre-select and negotiate with a breach resolution vendor who can guide you through the process of planning and supporting the response

First 24 Hour Checklist

Record dates and times – discovery, response start

Alert the response team – internal and external resources as identified in your plan

Stop additional data loss – take care to maintain forensic evidence

Secure premises or equipment to preserve evidence

Document the incident report – key facts, who discovered the breach and when, scope of the breach. Interview the individuals who found the breach

Bring in the forensics team

Notify law enforcement

Assess priorities and risks

Set the response plan in action for notification, PR, call center and execution of support services (credit monitoring)

- Experian Data Breach Response Guide

Notification Requirements

California Civil Code s. 1798.29 and California Civil Code s. 1798.82

DOE Privacy Technical Assistance Center: Consider notifying the Family Policy Compliance Office (FPCO) about the breach. (FERPA does not require that you notify FPCO of the breach; however, the U.S. Department of Education considers it a best practice.) FPCO can assist educational agencies and institutions by helping to determine the potential for harm resulting from the release of the information.

California Office of Privacy Protection: Notify the Attorney General for a breach > 500

Notify credit agencies for a breach > 10,000

- http://oag.ca.gov

Notification to Students

Speed, openness and transparency are the keys

Notify individuals within 10 business days of confirming the breach. The notice should include:

The date of the notice. If the notice was delayed as the result of a law enforcement investigation, say so.

A general description of the breach incident.

The specific types of personal information that were involved.

The name and contact information

The toll-free telephone numbers and addresses of the major credit reporting agencies, but only in a breach involving Social Security numbers or driver’s license or California ID numbers.

What you have done to protect the individual’s personal information from further unauthorized acquisition.

What your organization will do to assist individuals, including providing your toll free contact telephone number for more information and assistance.

Information on what individuals can do to protect themselves from identity theft, as appropriate for the specific type of personal information involved.

- http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/recom_breach_prac.pdf

Questions

Our cloud-based products help financial aid departments save time, decrease costs, lower security risk and improve the student experience.

campuslogic.com

Gilbert, AZ

Chris Chumley, COO

[email protected] | on Twitter @cschumley