Educause Security Discussion mailing list archives

Dept. of Ed's EDExpress


From: Guy Pace <gpace () SBCTC EDU>
Date: Thu, 16 Jul 2009 08:15:45 -0700

I received a note from a tech at one of our campuses with some serious security concerns about the US Dept. of Ed.'s 
EDExpress software for managing student financial aid. In my previous life, I had concerns about this tool, since it 
required the user to have local admin rights and used older, insecure (swiss cheese) versions of Access. Turns out, the 
current version isn't much better, still uses an old version of the Access database. One consolation is that the user now 
can be a Power User on the local system (at least that is what the documentation says).

1. So, what is the deal? Doesn't DoEd understand that the information processed in these apps is very sensitive and 
much desired by the criminal element? Do they hire out the development for this tool to Win95 programmers?

2. Do any of y'all use this on your campuses and what mitigations do you put in place to protect the data and make the 
desktop systems at least marginally stable and secure?

Yes, I'm trying to steer that campus away from this product and to a more (marginally) secure product.

TIA for your help in this.

Guy L. Pace, CISSP 
Security Administrator
Information Technology Division
WA State Board for Community and Technical Colleges (SBCTC) 
3101 Northup Way, Suite 100 
Bellevue, WA 98004 
425-803-9724 
gpace () sbctc edu 
