Educause Security Discussion mailing list archives
Dept. of Ed's EDExpress
From: Guy Pace <gpace () SBCTC EDU>
Date: Thu, 16 Jul 2009 08:15:45 -0700
I received a note from a tech at one of our campuses with some serious security concerns about the US Dept. of Ed.'s EDExpress software for managing student financial aid.

In my previous life, I had concerns about this tool, since it required the user to have local admin rights and used older, insecure (swiss cheese) versions of Access. Turns out, the current version isn't much better, still uses an old version of Access database. One consolation is that the user now can be a Power User on the local system (at least that is what the documentation says).

1. So, what is the deal? Doesn't DoEd understand that the information processed in these apps is very sensitive and much desired by the criminal element? Do they hire out the development for this tool to Win95 programmers?

2. Do any of y'all use this on your campuses and what mitigations do you put in place to protect the data and make the desktop systems at least marginally stable and secure?

Yes, I'm trying to steer that campus away from this product and to a more (marginally) secure product.

TIA for your help in this.

Guy L. Pace, CISSP
Security Administrator
Information Technology Division
WA State Board for Community and Technical Colleges (SBCTC)
3101 Northup Way, Suite 100
Bellevue, WA 98004
425-803-9724
gpace () sbctc edu