1. Data Security
Julie D. Wilson Sr., ERP Financial Aid Analyst, Dynamic Campus
TASFAA 2019

2. Agenda
- Overview of the Gramm-Leach-Bliley Act (GLBA, 2002) and the General Data Protection Regulation (GDPR, May 2018)
- Who needs to be concerned about data security?
- What data needs protecting, and where is it?
- What are the requirements?
- Why is this coming up now?
- What constitutes a data breach, and how to handle one?
- Planning and implementation
- Resources

3. Gramm-Leach-Bliley Act (GLBA, 2002)
Because Financial Aid administers the Direct Loans, IHEs are subject to the GLBA. The GLBA requires the following:
- A designated person or group to coordinate the security program.
- Identify reasonably foreseeable internal and external risks to data security.
- Control the risks identified, and regularly test the controls.
- Take reasonable steps to select service providers who adhere to security safeguards.

4. General Data Protection Regulation (GDPR)
GDPR compliance is NOT required here. However, if you have international students from European countries, compliance is required beginning May 2018.
- Encryption on servers, storage, media, and networks.
- Strong key management.
- Adhere to the students' 'right to be forgotten'.
- Verify the legitimacy of user identities and transactions.
- Ensure data accuracy.
- Minimize student identity exposure.
- Implement data security measures.

5. Who Needs to Be Concerned About Data Security?
- President, VPs, senior administration, Board
- CIO/CISO
- Registrar, Financial Aid, Finance
- Faculty, staff, students
- EVERYONE!
Your president, and everyone with access to COD, NSLDS, FAA, and CPS, agrees to adhere to the GLBA on the PPA and every time they log in to these systems.

6. What Data Needs to Be Protected?
Personally Identifiable Information (PII):
- Full name
- Date of birth (DOB)
- Social Security number (SSN)
- Bank accounts
- Any data elements that, when combined, can be linked back to a specific person.

7. Where Is the Data That Needs Protecting?
- Systems: SIS, ERP, data management
- Paper and imaged files
- Forms and applications
- Reports
- Transmissions
- Identification cards
- Paper checks, credit cards, statements
- Check stubs, W-2s, 1098s
- Desks, phones, emails, etc.

8. Why Now?
At the 2017 FSA Conference it was announced that, as part of the annual A-133 audit for 2018, IHEs must include the Data Security Assessment Report. The report must include the following:
- Identify the person or group responsible for the data security program.
- Identify reasonably foreseeable internal and external risks to data security through formal, documented risk assessments covering employee training and management; information systems, storage, transmission, and disposal; and detecting, preventing, and responding to attacks.
- Control the risks identified, and regularly test and monitor the effectiveness of the controls.
- Ensure that servicers have a security program.

9. Identify the Person/Group for the Data Security Program
GDPR requires that ONE person at the senior administration level be responsible for data security.
The group or team should include Financial Aid, Records/Registrar, Institutional Research, Information Technology, AR, and HR: whoever has access to sensitive data.
- Produce the Data Security Assessment Report of issues found.
- Enforce data security protocols.

10. Identify Risks to Data Security
Common risks:
- Community printers: can items be printed from the history?
- Personal devices holding institutional email, data, reports, etc.
- Insufficient security classes in Colleague, imaging, etc.
- Insufficient controls for internal and external networks.
- Password sharing.
- Paper files.

11. Control the Risks Identified
- Perform penetration tests and correct the issues identified.
- Train users to reduce and eliminate user scams (phishing attacks, password sharing, etc.).
- Develop security classes so that data is 'need to know'.
- Employ automatic logout on campus computers.
- Develop policies and procedures to address personal devices, institutional information, document destruction, etc.
- Make training mandatory for all users.
- Include students in any data security plan.

12. Ensure Servicers Have a Security Program
Third-party services must be GLBA compliant: shredding companies, debit cards, bookstore, cafeteria, etc.
Review the contract:
- Does it address data security protections?
- Are they insured for breaches?
- How will they notify you of a breach?
If they have a breach, you've had a breach! Report it!

13. Reminder About the 'Red Flag' Rules
FTC Identity Theft Red Flag Rules (2007):
- Detection of identity fraud/theft
- Prevention of identity fraud/theft
- Response to suspected identity fraud/theft

14. What Is a Data Security Breach?
GLBA defines a breach as the disclosure, misuse, alteration, destruction, or other compromise of data/information.
- No minimum record count.
- Applies to all records, electronic and paper.
- In storage, in transit, and in processing.
- Includes your third-party vendors (if they had a breach, you had a breach).

15. Breach Reporting
- The SAIG agreement requires breaches to be reported ON THE DAY OF DETECTION or SUSPICION.
- No minimum number of files.
- Not just electronic files.
- Report first; investigate further afterwards.
- DOE can levy fines of up to $54,789 per violation if the IHE does not comply with self-reporting requirements.
- A million-dollar liability insurance policy covers approximately 18 compromised records that were not reported.

16. Resources
- FTC Red Flag Rules: flags-rule-how-guide-business
- Federal Student Aid Cybersecurity Compliance Information
- FSA Postsecondary Institution Data Security Overview & Requirements
- 16 CFR (b) sec314-4.pdf

17. Questions

18. Thank you!
Julie D. Wilson Sr., ERP Financial Aid Analyst, Dynamic Campus

