SHEEO/NCES Network Conference and IPEDS Workshop

May 3, 2011

Kathleen Styles, Chief Privacy Officer, U.S. Department of EducationEmily Anthony, National Center for Education Statistics Tod Massa, State Council of Higher Education for VirginiaBaron Rodriguez, PTACMark Hall, PTACTom Szuba, PTAC

It Really Happens: Cyber attacks in the news . . .

“Hacked: Data breach costly for

Ohio State, victims of compromised info

- Breach affects 760,000 people, expected to cost

university $4 million” – The Lantern

December 2010

“Hackers broke into the computer

system at a New Jersey school

district - gained access to student

records system used by 160 schools

across the state.” – Info SecurityJanuary 2011

“UC-Berkeley records hacked -

thieves able to access social security

numbers, health files dating back to 1999, over 160,000 records

stolen” – San Jose Mercury News

May 2009

“The hackers were able to capture keystrokes from district computers and determine district passwords for the state systems that store the district’s student and employee information” Lancaster, SC School District Website, April 2011

3

• The Privacy Technical Assistance Center (PTAC) is one component of USED’s comprehensive privacy initiative, which also includes:

- Chief Privacy Officer

- Technical Briefs

- FERPA Notice of Proposed Rulemaking (NPRM)

Privacy, Security, and Confidentiality at USED

• Run in conjunction with the NCES SLDS program as an extension of technical assistance efforts:

- Webinars, best practice briefs

- Site Visits, Technical Assistance Experts, Personnel Exchange Network

Background: NCES

• The National Center for Education Statistics (NCES) is the primary federal entity for collecting and analyzing data related to education in the U.S. and other nations.

• NCES is located within the U.S. Department of Education and the Institute of Education Sciences.

• http://nces.ed.gov

4

Background: SLDS

• The Statewide Longitudinal Data Systems (SLDS) Grant Program is designed to aid state education agencies in developing and implementing longitudinal data systems.

• The data systems developed with these grants are intended to help states, districts, schools, and teachers make data-driven decisions to improve student learning, as well as facilitate research to increase student achievement and close achievement gaps.

• The focus of the grant program has evolved over the four rounds of SLDS awards (2006-2010), with an early emphasis on K-12 systems expanding to more holistic P-20-WF (pre-kindergarten through workforce).

• http://nces.ed.gov/programs/slds

5

74 grants to 41 states and DC.  As of 2010, total awards of $514 million.

74 grants to 41 states and DC.  As of 2010, total awards of $514 million.

What is PTAC?

The Privacy Technical Assistance Center at USED…

• A “one-stop” shop for technical assistance related to best practices on privacy and data security

• Provides stakeholders with: A set of tools, resources, and other opportunities to receive assistance with privacy,

security, and confidentiality of longitudinal data systems.

A means for stakeholders to share their best practices, documents, and other relevant resources in the areas of privacy, security, and confidentiality.

A focal point for queries and responses to the privacy-related needs of state education agencies (SEAs), local education agencies (LEAs), and institutions of higher education (IHEs) in a confidential, safe environment.

A set of resources to promote compliance with FERPA and summarize best practices for ensuring the confidentiality and security of personally identifiable information.

6

PTAC Resources

7

The SLDS Technical Briefs

• This series of Technical Briefs focuses on privacy, confidentiality, and security considerations related to data in student record systems, especially longitudinal data systems.

• The briefs are intended to inform practitioners responsible for the development, maintenance, protection, or use of student record data.

• Author: Marilyn Seastrom, Chief Statistician and Acting Deputy Commissioner, NCES.

• NCES is seeking input and comments on these briefs. If you have any comments or suggestions, please send them to SLDStechbrief@ed.gov.

8

The SLDS Technical Briefs

SLDS Technical Brief #1: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records

Discusses basic concepts and definitions that establish a common set of terms related to the protection of personally identifiable information, especially in education records in the Statewide Longitudinal Data Systems (SLDS).

This Brief also outlines a privacy framework that is tied to Fair Information Practice Principles that have been promulgated in both the United States and international privacy work.

9

The SLDS Technical Briefs

1. Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records.

2. Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records.

3. Statistical Methods for Protecting Personally Identifiable Information in Aggregate Reporting.

10

Now AVAILABLE at http://nces.ed.gov/programs/ptac/TechnicalBriefs.aspx

The SLDS Technical Briefs

4. Data Access for External Researchers.

5. Electronic Data Security, Protecting PII, and Electronic Student Education Records.

6. Privacy Training: Increasing Awareness of Protections for PII in Student Education Records.

7. Sharing Data Across Sectors.

11

To be released later in 2011/12 (topics subject to change)

Frequently Asked Questions

• ED recognizes that SEAs, LEAs, and IHEs engaged in building SLDSs are asking similar questions about privacy, confidentiality, and security issues.

• What is needed? Technical assistance that includes responses to frequently asked questions (FAQs) that are:

• Accurate• Consistent• Timely• User-friendly (clear, concise, and actionable)• Trusted

12

Example FAQ – Ensuring Privacy

Q) What is personally identifiable information?

 A) Personally identifiable information, as defined in FERPA, includes, but is not limited to:

• a student's name;

• the name of the student's parent or other family members;

• the address of the student or student's family;

• a personal identifier, such as the student's Social Security number, student number, or biometric record;

• other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name;

• other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; and

• information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.

13

Glossary of Terms

• Biometric Record

FERPA regulations define a biometric record as one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual. Examples include fingerprints; retina and iris patterns; voiceprints; DNA sequence; facial characteristics; and handwriting. For more information, see the Family Educational Rights and Privacy Act Regulations, 34 CFR §99.3, available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/ferparegs.pdf.

• Indirect Identifier

Indirect identifiers include information that can be combined with other information to identify specific individuals, including, for example, a combination of gender, birth date, geographic indicator and other descriptors. Other examples of indirect identifiers include place of birth, race, religion, weight, activities, employment information, medical information, education information, and financial information. See also Direct Identifier. For more information, see the SLDS Technical Brief: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records, available at http://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=2011601.

14

Example of Templates/Tools (coming soon to web site)

• Security Checklists

• Sample Memorandums of Understanding

• Sample Acceptable Use Policies

• Glossary of Terms

• Webinar Series (2011)

o Summer: NCES Brief – Data Stewardshipo Summer: Threats to your data, what you should knowo Fall: NPRM – Finalized – Latest Newso Winter: FERPA & Interagency data exchange

15

Regional Meetings (2011)

• South: AERA, New Orleans – April 9• Technical Brief 1: Concepts and Definitions• Technical Brief 2: Data Stewardship• Technical Brief 3: Statistical Methods for Protecting PII• Technical Brief 4: Data Access for External Researchers

• Northeast: EIMAC, Washington, DC – April 18• FERPA/NPRM News• Guest speaker: Kathleen Styles, ED Chief Privacy Officer• Cyber Security Session • Security Audit Panel

• West: SHEEO/NCES Network Conference & IPEDS Workshop – May 3 • Intro to PTAC• Workshop on Security Data Exchanges: Federated Models• USED Privacy Update• Discussion: Postsecondary perspectives on data sharing, security, and partnership

• Midwest: Education Information Council – August

NCES Events Summer Data

Conference

Annual MIS Conference

SLDS Grantee Conferences

National Forum on Education Statistics

16

Site Visits

• Voluntary!

• No cost!!

• Designed to assist states with their privacy and security needs.

• Not an audit of security or compliance.

• Can provide independent, objective, third party assistance in the areas of SLDS and Cyber Security.

17

Site Visit Expert Help

• Audit response assistance.

• Independent validation of implementation recommendations as a result of security review.

• Security policy reviews.

• Governance assistance (multi-agency).

• Facilitation of multi-agency privacy/security discussions.

• If interested, send request to PrivacyTA@ed.gov

18

PTAC Help Desk

Contact• Phone, email, or use the form on the PTAC website (see contact info at the end

of the presentation).

• Submit a question, suggest a topic for regional meeting, request a site visit or document review.

Issues are logged, clarified, and reviewed by subject matter experts (SMEs)• Expect to have any contact with PTAC acknowledged within one business day.

If appropriate, the SMEs’ draft responses are forwarded to ED for review.• If the PTAC SMEs cannot answer the question, the issue is immediately

forwarded to ED for internal review.

Issues are reviewed at ED by the Privacy Advisory Committee (PAC).

19

Privacy TA Team

ED/NCES Program Manager: Emily Anthony

Project Director: Baron Rodriguez

Subject Matter Experts:

Mark Hall, Anthony Bargar, Tom Szuba,

Alexandra Henning, Allison Camara

Help Desk Support: Dan Boland

20

Types of Resources Available from Privacy TA Center

• ED Expertise

• Chief Privacy Officer• Family Policy Compliance Office• Office of General Council• Office of Planning, Evaluation and Policy

Development• NCES Chief Statistician

21

PTAC Role

• PTAC and FPCO

PTAC: Technical Assistance

FPCO: Administers FERPA, authority over FERPA violations & regulations

22

Shrinking Budgets?

Limited resources for security?

Use the Privacy TA Center!!

23

24

Many Ways to Protect Data

Cyberspace - 2008

CYBERSPACE is defined as the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries. Common usage of the term also refers to the virtual environment of information and interactions between people.

25

US National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD23)

“It's now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation.”

President Barak Obama, May 2009

25

26

Advanced & Persistent Cyber Threats & Consequences

Threats to your data:

•It’s happening

•It’s focused

•It’s sophisticated

• Social Security Numbers/Identity• Education Records• Employee Data• Financial Records

• Disciplinary Actions• Internal Memo’s and E-mail• Medical Information• Personal Documents

27

Top Data Protection Issues in Education’s Cyberspace 

•Protecting Personally Identifiable Information (PII)• As we strive towards a “digital nation,” exposure to risk increases• More records online & accessible• Identity Theft (10% Children)

•Keeping pace with Network & Systems Security• Protective measures are outpaced by the “bad-guy”• Traditional “wack-a-mole” patching doesn’t work anymore

•Maintaining the foundation of Strategy, Policy, Governance & People

• Training, Education & Awareness is key• Cloud computing complicates traditional security architecture

approaches

Principles for Data Protection & Cyber Security

Data Protection Act 1998

• “Eight enforceable principles of good practice”

• Data must be:• Fairly and lawfully processed• Processed for limited purposes• Adequate, relevant and not

excessive• Accurate• Not kept longer than necessary• Processed in accordance with the

data subject's rights• Secure• Not transferred to other countries

without adequate protection

28

Cyber Security Principles

• Data should:• Be confidential• Maintain Integrity• Be available• Be authenticated

• Systems that process data should be:

• Designed from the start with security in-mind

• Resilient and recoverable from attacks

• Maintained regularly

28

29

Best Practices – NIST Selected PII Security Controls  

• Access Enforcement (ACLs, RBACs, encryption)

• Separation of Duties• Least Privilege (read, write, edit)• Remote Access (limit or deny)• Access Control for Mobile Devices

(deny or limit)• Auditable events and Audit Reviews

(policy that monitors certain events)• Identification and Authentication• Media Access, Marking, Storage,

Transport, and Sanitization• Transmission Confidentiality

(encryption)• Protection of Information at Rest• Information System Monitoring

(automated tools to detect suspicious transfers)

NIST Special Pub 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information,

Best Practices – Multi-Factor Authentication

1. Be reliable, scalable, and available

2. Be compatible and interoperable with your Technology and Policy

3. Seamlessly integrate with existing architectures and infrastructure

4. Support web applications and should not require client-side software

5. Be compliant with NIST, FIPS and other federal standards

6. Be based on mature technology and should be commercially available with a broad installed market base

30

If you have remote access users (especially those with super user access), MFA should be a high priority capability

Current Examples of Cyber Security Support from PTAC

• Review and comment on network security portion of RFPs.

• Review audit results and recommendations.

• Site visits to review security architecture, capabilities and plans.

• Best practice and security guidance documents.

• Future: more technically-focused documents and training.

31

For more information…• Website

• http://nces.ed.gov/programs/PTAC/

• Help Desk• PrivacyTA@ed.gov• Toll Free Phone: 855-249-3072• Toll Free FAX: 855-249-3073

• NCES• Emily.Anthony@ed.gov

• Request assistance• Upcoming events• Subscribe to email list• Recently released relevant ED publications • Privacy TA Center publications• Best practice guidelines• Frequently Asked Questions• Latest FERPA news• Other on-line recommended resources

32