sheeo/nces network conference and ipeds workshop may 3, 2011 kathleen styles, chief privacy officer,...
TRANSCRIPT
SHEEO/NCES Network Conference and IPEDS Workshop
May 3, 2011
Kathleen Styles, Chief Privacy Officer, U.S. Department of EducationEmily Anthony, National Center for Education Statistics Tod Massa, State Council of Higher Education for VirginiaBaron Rodriguez, PTACMark Hall, PTACTom Szuba, PTAC
It Really Happens: Cyber attacks in the news . . .
“Hacked: Data breach costly for
Ohio State, victims of compromised info
- Breach affects 760,000 people, expected to cost
university $4 million” – The Lantern
December 2010
“Hackers broke into the computer
system at a New Jersey school
district - gained access to student
records system used by 160 schools
across the state.” – Info SecurityJanuary 2011
“UC-Berkeley records hacked -
thieves able to access social security
numbers, health files dating back to 1999, over 160,000 records
stolen” – San Jose Mercury News
May 2009
“The hackers were able to capture keystrokes from district computers and determine district passwords for the state systems that store the district’s student and employee information” Lancaster, SC School District Website, April 2011
3
• The Privacy Technical Assistance Center (PTAC) is one component of USED’s comprehensive privacy initiative, which also includes:
- Chief Privacy Officer
- Technical Briefs
- FERPA Notice of Proposed Rulemaking (NPRM)
Privacy, Security, and Confidentiality at USED
• Run in conjunction with the NCES SLDS program as an extension of technical assistance efforts:
- Webinars, best practice briefs
- Site Visits, Technical Assistance Experts, Personnel Exchange Network
Background: NCES
• The National Center for Education Statistics (NCES) is the primary federal entity for collecting and analyzing data related to education in the U.S. and other nations.
• NCES is located within the U.S. Department of Education and the Institute of Education Sciences.
• http://nces.ed.gov
4
Background: SLDS
• The Statewide Longitudinal Data Systems (SLDS) Grant Program is designed to aid state education agencies in developing and implementing longitudinal data systems.
• The data systems developed with these grants are intended to help states, districts, schools, and teachers make data-driven decisions to improve student learning, as well as facilitate research to increase student achievement and close achievement gaps.
• The focus of the grant program has evolved over the four rounds of SLDS awards (2006-2010), with an early emphasis on K-12 systems expanding to more holistic P-20-WF (pre-kindergarten through workforce).
• http://nces.ed.gov/programs/slds
5
74 grants to 41 states and DC. As of 2010, total awards of $514 million.
74 grants to 41 states and DC. As of 2010, total awards of $514 million.
What is PTAC?
The Privacy Technical Assistance Center at USED…
• A “one-stop” shop for technical assistance related to best practices on privacy and data security
• Provides stakeholders with: A set of tools, resources, and other opportunities to receive assistance with privacy,
security, and confidentiality of longitudinal data systems.
A means for stakeholders to share their best practices, documents, and other relevant resources in the areas of privacy, security, and confidentiality.
A focal point for queries and responses to the privacy-related needs of state education agencies (SEAs), local education agencies (LEAs), and institutions of higher education (IHEs) in a confidential, safe environment.
A set of resources to promote compliance with FERPA and summarize best practices for ensuring the confidentiality and security of personally identifiable information.
6
The SLDS Technical Briefs
• This series of Technical Briefs focuses on privacy, confidentiality, and security considerations related to data in student record systems, especially longitudinal data systems.
• The briefs are intended to inform practitioners responsible for the development, maintenance, protection, or use of student record data.
• Author: Marilyn Seastrom, Chief Statistician and Acting Deputy Commissioner, NCES.
• NCES is seeking input and comments on these briefs. If you have any comments or suggestions, please send them to [email protected].
8
The SLDS Technical Briefs
SLDS Technical Brief #1: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records
Discusses basic concepts and definitions that establish a common set of terms related to the protection of personally identifiable information, especially in education records in the Statewide Longitudinal Data Systems (SLDS).
This Brief also outlines a privacy framework that is tied to Fair Information Practice Principles that have been promulgated in both the United States and international privacy work.
9
The SLDS Technical Briefs
1. Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records.
2. Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records.
3. Statistical Methods for Protecting Personally Identifiable Information in Aggregate Reporting.
10
Now AVAILABLE at http://nces.ed.gov/programs/ptac/TechnicalBriefs.aspx
The SLDS Technical Briefs
4. Data Access for External Researchers.
5. Electronic Data Security, Protecting PII, and Electronic Student Education Records.
6. Privacy Training: Increasing Awareness of Protections for PII in Student Education Records.
7. Sharing Data Across Sectors.
11
To be released later in 2011/12 (topics subject to change)
Frequently Asked Questions
• ED recognizes that SEAs, LEAs, and IHEs engaged in building SLDSs are asking similar questions about privacy, confidentiality, and security issues.
• What is needed? Technical assistance that includes responses to frequently asked questions (FAQs) that are:
• Accurate• Consistent• Timely• User-friendly (clear, concise, and actionable)• Trusted
12
Example FAQ – Ensuring Privacy
Q) What is personally identifiable information?
A) Personally identifiable information, as defined in FERPA, includes, but is not limited to:
• a student's name;
• the name of the student's parent or other family members;
• the address of the student or student's family;
• a personal identifier, such as the student's Social Security number, student number, or biometric record;
• other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name;
• other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; and
• information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.
13
Glossary of Terms
• Biometric Record
FERPA regulations define a biometric record as one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual. Examples include fingerprints; retina and iris patterns; voiceprints; DNA sequence; facial characteristics; and handwriting. For more information, see the Family Educational Rights and Privacy Act Regulations, 34 CFR §99.3, available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/ferparegs.pdf.
• Indirect Identifier
Indirect identifiers include information that can be combined with other information to identify specific individuals, including, for example, a combination of gender, birth date, geographic indicator and other descriptors. Other examples of indirect identifiers include place of birth, race, religion, weight, activities, employment information, medical information, education information, and financial information. See also Direct Identifier. For more information, see the SLDS Technical Brief: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records, available at http://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=2011601.
14
Example of Templates/Tools (coming soon to web site)
• Security Checklists
• Sample Memorandums of Understanding
• Sample Acceptable Use Policies
• Glossary of Terms
• Webinar Series (2011)
o Summer: NCES Brief – Data Stewardshipo Summer: Threats to your data, what you should knowo Fall: NPRM – Finalized – Latest Newso Winter: FERPA & Interagency data exchange
15
Regional Meetings (2011)
• South: AERA, New Orleans – April 9• Technical Brief 1: Concepts and Definitions• Technical Brief 2: Data Stewardship• Technical Brief 3: Statistical Methods for Protecting PII• Technical Brief 4: Data Access for External Researchers
• Northeast: EIMAC, Washington, DC – April 18• FERPA/NPRM News• Guest speaker: Kathleen Styles, ED Chief Privacy Officer• Cyber Security Session • Security Audit Panel
• West: SHEEO/NCES Network Conference & IPEDS Workshop – May 3 • Intro to PTAC• Workshop on Security Data Exchanges: Federated Models• USED Privacy Update• Discussion: Postsecondary perspectives on data sharing, security, and partnership
• Midwest: Education Information Council – August
NCES Events Summer Data
Conference
Annual MIS Conference
SLDS Grantee Conferences
National Forum on Education Statistics
16
Site Visits
• Voluntary!
• No cost!!
• Designed to assist states with their privacy and security needs.
• Not an audit of security or compliance.
• Can provide independent, objective, third party assistance in the areas of SLDS and Cyber Security.
17
Site Visit Expert Help
• Audit response assistance.
• Independent validation of implementation recommendations as a result of security review.
• Security policy reviews.
• Governance assistance (multi-agency).
• Facilitation of multi-agency privacy/security discussions.
• If interested, send request to [email protected]
18
PTAC Help Desk
Contact• Phone, email, or use the form on the PTAC website (see contact info at the end
of the presentation).
• Submit a question, suggest a topic for regional meeting, request a site visit or document review.
Issues are logged, clarified, and reviewed by subject matter experts (SMEs)• Expect to have any contact with PTAC acknowledged within one business day.
If appropriate, the SMEs’ draft responses are forwarded to ED for review.• If the PTAC SMEs cannot answer the question, the issue is immediately
forwarded to ED for internal review.
Issues are reviewed at ED by the Privacy Advisory Committee (PAC).
19
Privacy TA Team
ED/NCES Program Manager: Emily Anthony
Project Director: Baron Rodriguez
Subject Matter Experts:
Mark Hall, Anthony Bargar, Tom Szuba,
Alexandra Henning, Allison Camara
Help Desk Support: Dan Boland
20
Types of Resources Available from Privacy TA Center
• ED Expertise
• Chief Privacy Officer• Family Policy Compliance Office• Office of General Council• Office of Planning, Evaluation and Policy
Development• NCES Chief Statistician
21
PTAC Role
• PTAC and FPCO
PTAC: Technical Assistance
FPCO: Administers FERPA, authority over FERPA violations & regulations
22
Cyberspace - 2008
CYBERSPACE is defined as the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries. Common usage of the term also refers to the virtual environment of information and interactions between people.
25
US National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD23)
“It's now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation.”
President Barak Obama, May 2009
25
26
Advanced & Persistent Cyber Threats & Consequences
Threats to your data:
•It’s happening
•It’s focused
•It’s sophisticated
• Social Security Numbers/Identity• Education Records• Employee Data• Financial Records
• Disciplinary Actions• Internal Memo’s and E-mail• Medical Information• Personal Documents
27
Top Data Protection Issues in Education’s Cyberspace
•Protecting Personally Identifiable Information (PII)• As we strive towards a “digital nation,” exposure to risk increases• More records online & accessible• Identity Theft (10% Children)
•Keeping pace with Network & Systems Security• Protective measures are outpaced by the “bad-guy”• Traditional “wack-a-mole” patching doesn’t work anymore
•Maintaining the foundation of Strategy, Policy, Governance & People
• Training, Education & Awareness is key• Cloud computing complicates traditional security architecture
approaches
Principles for Data Protection & Cyber Security
Data Protection Act 1998
• “Eight enforceable principles of good practice”
• Data must be:• Fairly and lawfully processed• Processed for limited purposes• Adequate, relevant and not
excessive• Accurate• Not kept longer than necessary• Processed in accordance with the
data subject's rights• Secure• Not transferred to other countries
without adequate protection
28
Cyber Security Principles
• Data should:• Be confidential• Maintain Integrity• Be available• Be authenticated
• Systems that process data should be:
• Designed from the start with security in-mind
• Resilient and recoverable from attacks
• Maintained regularly
28
29
Best Practices – NIST Selected PII Security Controls
• Access Enforcement (ACLs, RBACs, encryption)
• Separation of Duties• Least Privilege (read, write, edit)• Remote Access (limit or deny)• Access Control for Mobile Devices
(deny or limit)• Auditable events and Audit Reviews
(policy that monitors certain events)• Identification and Authentication• Media Access, Marking, Storage,
Transport, and Sanitization• Transmission Confidentiality
(encryption)• Protection of Information at Rest• Information System Monitoring
(automated tools to detect suspicious transfers)
NIST Special Pub 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information,
Best Practices – Multi-Factor Authentication
1. Be reliable, scalable, and available
2. Be compatible and interoperable with your Technology and Policy
3. Seamlessly integrate with existing architectures and infrastructure
4. Support web applications and should not require client-side software
5. Be compliant with NIST, FIPS and other federal standards
6. Be based on mature technology and should be commercially available with a broad installed market base
30
If you have remote access users (especially those with super user access), MFA should be a high priority capability
Current Examples of Cyber Security Support from PTAC
• Review and comment on network security portion of RFPs.
• Review audit results and recommendations.
• Site visits to review security architecture, capabilities and plans.
• Best practice and security guidance documents.
• Future: more technically-focused documents and training.
31
For more information…• Website
• http://nces.ed.gov/programs/PTAC/
• Help Desk• [email protected]• Toll Free Phone: 855-249-3072• Toll Free FAX: 855-249-3073
• NCES• [email protected]
• Request assistance• Upcoming events• Subscribe to email list• Recently released relevant ED publications • Privacy TA Center publications• Best practice guidelines• Frequently Asked Questions• Latest FERPA news• Other on-line recommended resources
32