Educause Security Discussion mailing list archives
Re: Dept of Edu Letters
From: Jarret Cummings <jcummings () EDUCAUSE EDU>
Date: Thu, 7 Dec 2017 20:39:18 +0000
Hi, Ed – EDUCAUSE has initiated direct discussions with the Federal Student Aid senior advisor for cybersecurity about problems with the guidance that FSA both has and hasn't provided on this topic, and how to expand the dialogue with our members to address both the way compliance obligations are being defined and interpreted as well as the lack of documented principles and processes for meeting them. That, of course, is going to take some time to pull together.

Given the need for institutional response in the near term, I would recommend asking university counsel to take a look at the single provision in the FSA Program Participation Agreement that speaks to the GLBA Safeguards Rule, as well as the two provisions in the Student Aid Internet Gateway Agreement that address breach issues. It is important that the institution review its copy of those agreements, since versions of the agreements vary across institutions depending on when they've been signed. What is actually in your version of each bears on your compliance obligations, although you can access generic versions of the docs., as well as other docs. I'll mention, at: https://ifap.ed.gov/eannouncements/Cyber.html.

In addition to the PPA and SAIG Agreement, there are two "Dear Colleague Letters" relevant to FSA's cybersecurity guidance: https://ifap.ed.gov/dpcletters/GEN1518.html and https://ifap.ed.gov/dpcletters/GEN1612.html. The most important for this discussion is the first one, because it's the letter in which FSA asserts that the SAIG Agreement requires institutions to report "suspected" breaches. You will want your institutional/system legal counsel to compare the statement in GEN 15-18 with what the SAIG Agreement actually says; the provision that talks about institutions reporting a breach immediately is distinct from the provision that talks about what ED can do in sharing information with other federal agencies if it suspects an institution has had a breach.

Thus far, we have yet to see formal documentation that connects the two in the way FSA appears to be asserting, or even formal documentation that establishes the definition of breach and related processes (i.e., "immediately") that have been raised in presentations and the FAQs on the FSA Cybersecurity Compliance page (see link above).

Finally, as relates to the Safeguards Rule audit objective, which we expect will be included in the FY18 federal single audit process although that is not yet officially confirmed, the actual text of the objective (https://ifap.ed.gov/eannouncements/attachments/FY18DraftLanguageSecuringStudentInformation.pdf) limits the auditor to seeing if the institution has a few key elements of the Rule in place (information security coordinator, a risk assessment, documented safeguards for identified risks). The auditor is not charged with or empowered to evaluate the nature of what the institution has implemented in those areas, just that it has addressed them (and documented that).

We will have more to say as the engagement with FSA takes shape. In the meantime, I have also informed the presidential and other higher education leadership associations about the problems emerging in this space. As a result of those discussions, I have every expectation that we can count on their support in trying to get FSA and ED to work with us effectively in this area.

- Jarret

_______________________________________________
Jarret S. Cummings
Director of Policy and Government Relations
EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5372 | main: 202.872.4200 | educause.edu<http://www.educause.edu/>

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hudson, Edward
Sent: Thursday, December 7, 2017 2:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Dept of Edu Letters

Interested in institutions' response to the DoE taking an increasingly broad interpretation of breach reporting obligations around any security breach of PII. At a recent conference the DoE lead presentation reportedly included insistence that:

1- ALL (broadly defined) "breaches" be reported "immediately" (i.e., within a day)
2- an announcement that GLBA audits of institutions will begin in 2018 with fines consistent with Clery fines (up to 54,789) for each violation.

On a read of those Dear Colleague letters, the obligation (especially under GLBA, which regulates in the financial sector) is to ensure the security and confidentiality of student financial aid records/information only, and the data breach notification requirements relate to that subset of information only, not all PII. But it sounds like the DoE is now interpreting their mandate and authority much more broadly. A review of one of their recent letters was, in my view, very heavy handed and threatening and stemmed from a random media post, not from an actual incident.

Would like to talk to anyone off line that has had to go through this process with DoE.

Best
Ed Hudson
Interim CISO
401 Golden Shore
Long Beach, CA 90802
Tel 562-951-8431
ehudson () calstate edu<mailto:ehudson () calstate edu>
I subscribe to e-mail classification: i=Information, a=Action, u=Urgent