Presentation to California Community College Financial Aid Directors 2015 conference about best practices to protect the school from data breaches

1. Student Data Security

2. 2014 – Year of the breach!
Over a billion personal data records were compromised in 2014 - NBCNEWS.com

3. Largest Higher Education Breaches of 2014
University of Maryland - 300k record
North Dakota University – 300k records
Butler University – 200k records
Indiana University – 146k records
Arkansas State University – 50k records
All of these were bigger than the Sony breach!
- Huffington Post

6. Others Costs
• Loss of student trust
• Damage to reputation
• Loss of staff productivity
• Legal action
• Additional audit requirements
• ??
Financial Costs

9. Areas of Focus

10. What is the Weakest Link in Your
Security?

11. Key Awareness Topics
Password Management
Mobile device security
WiFi Security

12. Password Management
Unique passwords for services – Never use your email account
Use combination of words, numbers, symbols using upper- and lower- case letters
Don’t use easily guessed passwords (e.g. password, user)
Don’t use words found in dictionary or sequences
Complexity is nice but length is more import
Never keep a list of passwords around
Use two step or two factor authentication whenever possible
-krebsonsecurity.com

13. Mobile Device Security
Use pin, password or pattern lock your phone
Enable data encryption features
Download apps only from trusted stores
o Install an anti-malware program (e.g. Lookout)
o Install anti-theft software
Don’t root or jailbreak your phone
Keep your operating system and apps updated
Log out of sites after you make a payment
Switch off Wi-Fi and Bluetooth when not in use
- Techradar.com

14. Public WiFi Use
Know that you are never secure!
Use built in tools
 Enable firewall
 Block all incoming traffic
 Disable file sharing
Look for Padlock
Confirm network name with your location
Use common sense
- CNET.com

15. Secure Processes
Don’t leave sensitive information lying around unprotected,
including on printers, fax machines, or copiers
Secure area, files and portable equipment before leaving them
unattended (ask IT to automatically lock unattended computers)
Shred sensitive paper records before disposing of them
Don’t use email to transmit sensitive data including scanned
document attachments
Don’t send paper mail that includes SSN, financial account
information, drivers license etc
Insure that all staff have their own logins and accounts (No sharing)

16. Email is not secure!
“Email was not designed with any privacy or security in mind”
- Geoff Duncan, Digital Trends

17. IT Security Best Practices
Encrypt your data
Use digital certificate to sign all of your sites
Implement a removable media policy
Protect school websites
Network endpoint security
Stay current with patches and upgrades
Establish policy of no PII data on laptops or mobile devices

18. Vendor Checklist
 How is my data transmitted securely?
 What algorithms are used to store my data?
 How will my data be stored and protected?
 How are the various levels of access granted and controlled?
 Who at the vendor has access to my data? Is there background screening?
How are users authenticated? What is the password management functionality
What type of physical security is provided for your data center?
 How are the various levels of access granted and controlled?
 What security audits and/process audits do you comply with?
 Is there explicit contract language for who owns data and how data can be used?

19. Alphabet Soup
Certification Purpose
SSAE 16, SOCC1 and 2 Auditing standard to ensure appropriate controls for your hosting provider.
Certification of controls for privacy and security.
TRUSTe Certification Privacy protection certification
PCI DSS Certifies data security of credit card payment processing
FedRAMP Government program that provides a standard approach to security
assessment, authorization and monitoring of cloud products and services
FIPS 140-2 Federal Information Processing Standard for accrediting data encryption
standards
ISO 27001 Audit and risk assessment framework for information security management
Vendors who are serious about security will certify on multiple of these based on the service.

20. Responding to a Breach
Have a Plan – Key Elements
First 24 Hour Checklist
Notification Requirements
Other Services

21. Elements of a Good Response Plan
Define a response team with clear roles and responsibilities
 Executive Leader, IT, Public Relations, Student Services, Legal, Law Enforcement Liaison
 Assign somebody to maintain a contact list quarterly basis
Have a documented plan and procedure for investigation, notification, support, legal review
Plan for increased call volume to a call center or other support help line
Provide for FAQ and support materials on Institution Website and/or student portals
Have policy for cases that warrant complimentary identity protection and credit monitoring
services
Pre-selection of a data forensic vendor to assist in breach response
Pre-selection and negotiation with a Breach Resolution Vendor who can guide you through
process of planning and support response

22. First 24 Hour Checklist
 Record dates and times – Discovery, Response start
Alert Response Team – Internal and external resources as identified in your plan
Stop additional data loss – Take care to maintain forensic evidence
Secure premise or equipment to preserve evidence
Document Incident Report – Key facts, who discovered and when, scope of breach. Interview individuals who
found breach
Bring in forensics team
Notify law enforcement
Assess priorities and risks
Set response plan in action for notification, PR, call center and execution of support service (Credit Monitoring
- Experian Data Breach Response Guide

23. Notification Requirements
California Civil Code s. 1798.29 and California Civil Code s. 1798.82
DOE Privacy Technical Assistance Center
 Consider notifying Family Policy Compliance Office (FPCO) about the breach. (FERPA does not require that you
notify FPCO of the breach; however, the U.S. Department of Education considers it a best practice.
 FPCO can assist educational agencies and institutions by helping to determine the potential for harm resulting
from the release of the information
California Office of Privacy Protection
 Notify Attorney General for breach > 500
 Notify Credit Agencies if breach > 10,000
-http://oag.ca.gov

24. Notification to Students
 Speed, Openness and transparency are the keys
 Notify individuals within 10 business days of confirming the breach
 The date of the notice. If the notice was delayed as the result of a law enforcement investigation, say so.
 A general description of the breach incident.
 The specific types of personal information that were involved.
 The name and contact information
 The toll-free telephone numbers and addresses of the major credit reporting agencies, but only in a breach
involving Social Security numbers or driver’s license or California ID numbers.
 What you have done to protect the individual’s personal information from further unauthorized acquisition.
 What your organization will do to assist individuals, including providing your toll free contact telephone number for
more information and assistance.
 Information on what individuals can do to protect themselves from identity theft, as appropriate for the specific
type of personal information involved.
- http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/recom_breach_prac.pdf

25. Questions

26. Our cloud-based products help financial aid departments save time, decrease costs,
lower security risk and improve the student experience.
campuslogic.com
Gilbert, AZ
Chris Chumley, COO
chris.chumley@campuslogic.com
Follow on Twitter @cschumley