Bridget-Anne Hampden U.S. Department of Education Guaranty Agency Security Reviews

Date post: 30-Dec-2015
Transcript
Page 1: Bridget-Anne Hampden U.S. Department of Education Guaranty Agency Security Reviews.

Bridget-Anne Hampden

U.S. Department of Education

Guaranty Agency Security Reviews

Page 2

Guaranty Agency Reviews

• Why We Did It…
• How We Did It…
• What We Did…
• What We Found…
• Next Steps…

Page 3

Why We Did It…

• PII Breach reported in March 2010
• 2010 Guaranty Agency (GA) Security and Privacy Conference in Washington, DC
• Focus on Privacy, Data Security, and Critical Infrastructure Protection
• GAs asked to prepare and submit Self-Assessment Forms

Page 4

Why We Did It… (cont’d.)

• Assessment of results
• Creation of an FSA Report
• Summary of findings based on risk category
• Highlight key focus areas

Page 5

How We Did It…

• Used a risk-based approach
  • Outstanding loan balance
  • Risk profile
  • Size
• Outstanding Loan Balance (75%)
• Result was an assessment of 15 Guaranty Agencies visited in FY 2011
• Remaining 16 Guaranty Agency visits were conducted in FY 2012
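The slide describes a weighted, risk-based ranking that split 31 agencies into 15 visits in FY 2011 and 16 in FY 2012. The script below is an added illustration of how such a ranking can be computed; it is not FSA's own method or code. It takes the 75% weight on outstanding loan balance from the slide, assumes the remaining 25% is split evenly between risk profile and size (the slide gives no split), assumes each factor is min-max normalised to [0, 1] before weighting, and uses constructed agency data rather than real figures.

```python
"""Risk-based selection of guaranty agencies for review visits.

Added illustration, not FSA's own method or code. Assumptions: outstanding
loan balance carries 75% of the composite score (as the slide states); the
remaining 25% is split evenly between risk profile and size (assumed, the
slide gives no split); each factor is min-max normalised to [0, 1] before
weighting. All agency data below is constructed, not real.
"""
from dataclasses import dataclass
import random

# Assumed weights: 75% from the slide, the 25% split is an assumption.
WEIGHTS = {"loan_balance": 0.75, "risk_profile": 0.125, "size": 0.125}


@dataclass(frozen=True)
class Agency:
    name: str
    loan_balance: float   # outstanding loan balance, millions (constructed)
    risk_profile: float   # 1 (low) .. 5 (high), constructed
    size: float           # staff headcount, constructed


def normalise(values):
    """Min-max scale a list of numbers to [0, 1]; constant lists map to 0."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0.0 for _ in values]
    return [(v - lo) / (hi - lo) for v in values]


def composite_scores(agencies):
    """Weighted sum of the normalised factors, keyed by agency name."""
    factors = {
        "loan_balance": normalise([a.loan_balance for a in agencies]),
        "risk_profile": normalise([a.risk_profile for a in agencies]),
        "size": normalise([a.size for a in agencies]),
    }
    scores = {}
    for i, a in enumerate(agencies):
        scores[a.name] = sum(WEIGHTS[f] * factors[f][i] for f in WEIGHTS)
    return scores


def schedule_visits(agencies, first_year_count=15):
    """Rank by composite score (name breaks ties) and split into two years."""
    scores = composite_scores(agencies)
    ranked = sorted(agencies, key=lambda a: (-scores[a.name], a.name))
    fy11 = [a.name for a in ranked[:first_year_count]]
    fy12 = [a.name for a in ranked[first_year_count:]]
    return fy11, fy12


def sample_agencies(n=31, seed=2011):
    """Constructed population of n agencies with reproducible random factors."""
    rng = random.Random(seed)
    return [
        Agency(f"GA-{i:02d}", rng.uniform(50, 5000), rng.randint(1, 5), rng.uniform(20, 600))
        for i in range(1, n + 1)
    ]


if __name__ == "__main__":
    fy11, fy12 = schedule_visits(sample_agencies())
    print("FY 2011 visits:", fy11)
    print("FY 2012 visits:", fy12)
```

Because loan balance carries three quarters of the weight, the ordering is dominated by that one factor; changing the assumed 25% split mostly reshuffles agencies near the FY 2011/FY 2012 boundary, which is where a reviewer should sanity-check the cut-off by hand.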

Page 6

How We Did It… (cont’d.)

• Preparation and Distribution of Pre-Visit Questionnaire
• Perform Market Research on each GA
  • Review 10-K Reports
  • Google and Blog Searches
  • Recent Audit and SAS 70 Reports
• Review System Security Plans (SSPs)

Page 7

What We Did…

• FSA Team performed a day-long visit at each site
• Senior Management opening briefing
• Review of information submitted in pre-visit package
• Engage Guaranty Agency technical team (CIO, CISO, Audit Manager, etc.)
• In-depth discussions/questions based on risk categories/groupings

Page 8

What We Did… (cont’d.)

• Focus on privacy and records management
• Review Guaranty Agency’s processes, policies, and procedures
• Data Center visit
• Operational Unit tour (vault, call center, etc.)
• Management out-brief
• Prepare and distribute report – observations and recommendations
• Receive and record GA management responses

Page 9

What We Found…

Overall observations (SWOT analysis)

• Strengths
  • Logical Access Control
  • Critical Infrastructure Protection
  • Governance
• Weaknesses
  • Strategy
  • Incident Breach Response

Page 10

What We Found… (cont’d.)

• Opportunities
  • Update and embellish policies/processes
  • Improve communication between GAs and service partners
  • Improve certification of technical staff
  • Create and expand on the trusted relationship between FSA and the GAs
• Threats
  • Monitoring
  • Revalidating user accounts

Page 11

Summary of FY 11 Reviews

Page 12

Summary of FY12 Reviews

Page 13

Logical Access Control

[Bar chart; categories: Role Based Access, Revalidating user accounts, Passwords/authentication, Privileged vs. non-privileged accounts; vertical axis 0 to 25]

Page 14

Critical Infrastructure Protection

[Bar chart; categories: Visitor badges/sign-in, Business resumption plan, DR site, DR/BR tests; vertical axis 0 to 30]

Page 15

Strategy

[Bar chart; categories: Dedicated privacy staff/officer, Encryption, PII segregation, Network perimeter/boundary protection, Tracking/Destruction of expired records; vertical axis 0 to 30]

Page 16

Incident/Breach Response

[Bar chart; categories: Automation and tracking, Periodic test, Notification/escalation tree; vertical axis 0 to 25]

Page 17

Monitoring (Vulnerability Management)

[Bar chart; categories: Vulnerability identification, Continuous monitoring, Log reviews; vertical axis 0 to 25]

Page 18

Governance

[Bar chart; categories: Personnel security, Policies/procedures, Training, Knowledgeable staff, Risk assessment, Risk tracking, Risk acceptance; vertical axis 0 to 30]

Page 19

Next Steps…

• Populate the OVMS database
• Liaising with GAs on remediation plans – quarterly reporting
• Continuing Dialogue – explore ways for continued collaboration with the GA community

Page 20

Contact Information

We appreciate your feedback & comments.

Bridget-Anne Hampden, Deputy CIO

• E-mail: [email protected]
• Phone: 202-377-3508