Protecting financial aid data: institutions should take extra precautions to ensure student aid records are secure.

THEFT OF PERSONAL DATA has made headlines across the country, hitting college campuses particularly hard because of the nature of college networks, which must balance wide network access with data security. Despite data breaches highlighted by the media, thousands of colleges have been successfully protecting personal information. One such campus is the University of South Florida, where Leonard Gude, director of Financial Aid, continuously looks for ways to increase data security.

Compared to other departments, Financial Aid's data security situation is more sensitive, says Gude, who also serves as a member of the National Association of Student Financial Aid Administrators' (NASFAA) Technology Initiatives Committee and as the association's representative on the Postsecondary Electronic Standards Council (PESC). "The staffs of Financial Aid offices have tax returns and other financial information regarding the families, so there is an increased need to be more secure in the Financial Aid office than there is with other offices," Gude points out.

NASFAA addresses this issue in its statement of ethical principles, which includes a statement that student aid administrators should "protect the privacy of students and assure the confidentiality of student records." This provision is becoming progressively more important as colleges increasingly become targets and sensitive personal data is compromised.

DEVELOPING A CONTROL CULTURE

Several sessions addressed data security at PESC's third annual Conference on Technology and Standards, held in May in Washington, D.C.
Speakers stressed the importance of creating a culture within the office that controls access to sensitive data. In the Financial Aid office, this means an environment where employees and students are highly aware of the importance of protecting sensitive data and the tools available to protect that data. "Managers must ensure that employees and staff are as dedicated to protecting personal information as others are to getting that secured data," said Joe Crouse, legislative counsel for the Consumer Bankers Association.

Developing a control culture is the biggest hurdle for most organizations, noted Debbie Cherry, an information security consultant on corporate information security at KeyBank. This culture needs to be implemented from the top down and the bottom up, according to Cherry. At the top, managers must commit to creating this culture, and at the bottom the culture must be developed through education, governance, and frameworks (structures and procedures designed to protect data).

The bottom-up process is especially important for Financial Aid offices, where students must be taught the importance of not being careless with personal information. The University of South Florida works to create a control culture among students by increasing financial education through orientation sessions and other financial literacy presentations offered throughout the year.
"In those we try to discuss the importance of protecting their personal information," Gude says.

USF Financial Aid office employees are also trained on the Family Educational Rights and Privacy Act (FERPA) and other issues, as well as given educational materials on data security, which are included in their employee handbook. "We also talk to the staff and others about the dangers of identity theft and protecting themselves and others against it," Gude adds.

The control culture at the USF Financial Aid office was coincidentally heightened after an employee's identity was stolen. "That really brought the matter home for the rest of the staff," says Gude.

LIMITING ACCESS

Limiting individuals' access to the minimum amount of information needed to perform their job functions effectively is a key part of the control culture. Limiting access to personal information reduces the risk of information being lost or stolen.
Determining who has access to what information is an ongoing process that depends on many factors, such as size of staff and customer service. In a small Financial Aid office, where the entire staff must be able to perform every job function, it is impossible to limit access and still function effectively. However, in larger offices it is more likely that some employees do not need access to all information.

According to Cherry, larger institutions should have an ongoing process to determine the level of access that should be given for specific job functions. Smaller institutions should review access levels annually. Financial Aid should work closely with the campus Information Technology office to determine various levels of access to information.

At USF, a committee of data custodians determines various levels of access to information within the database, and an assistant director in the department sits on that committee. If individuals want access to information, the committee reviews their request to find out why they need access and then makes a determination.

"There has always been some sort of review of requests for financial aid information, but the formalization through this data access committee has been intact for roughly two years," Gude says. "It is quite important for the university to know who is accessing what to ensure the data is not used for purposes that it was not intended to be used for."

The tricky part is balancing good customer service with strict data security. The USF Financial Aid office tried significantly restricting access to data and found it hampered productivity in the office, so system administrators had to back off and provide additional access.

"It is really trial and error and it is really something that you develop over time," Gude says. "Once the system is up and running, you can start reducing your risk by tightening up on access in the office."

USF is looking into more ways to limit access to specific student information. One new security measure will enable the office to limit access to data elements within a screen of data in addition to limiting access to the entire screen. "Once that is installed, we will see how we can further enhance our data security while continuing to deliver quality customer service," Gude says.

USF also limits student access to information provided by e-mail or telephone to ensure information is not given to the wrong person.
"The biggest challenge is phone and e-mail inquiries," Gude notes. "How do you know the person you're communicating with at the other end is who they say they are?" To address this issue, the USF Financial Aid office steers students to the self-service page of the website, where they must log in before the office will deliver sensitive information over the phone or via e-mail.

OTHER PRECAUTIONS

USF has instituted a number of other precautions to help reduce the risk of sensitive information being lost or stolen, including adopting institutional IDs instead of using Social Security numbers to identify students. "With the concern about identity theft, I think that you'll see more and more institutions using the institutional ID rather than the Social Security number as the primary identifier," Gude says.

USF has also adopted an electronic imaging system to reduce the risk of paper with sensitive data getting into the wrong hands. Financial Aid offices using paper records should raise awareness of privacy issues among employees so that papers are not left carelessly around the office. Further, these offices must properly dispose of paper containing sensitive data. This can mean ensuring that the company used for secure disposal adheres to strict standards, so that privacy is not compromised after trash has been taken from the office. There have been cases where disposal companies have not done this properly, and data security has been breached.

To protect sensitive data, USF also:

* Secures operational parts of the office by requiring students and employees to use IDs to gain access.
* Escorts any guests in the office to ensure they do not intentionally or unintentionally compromise data security.
* Has installed keypads at counters, so a student can type his or her student ID instead of saying it out loud where others might overhear it.
* Uses cameras, which are installed throughout the office, as an additional security measure.

USF's security measures have been successful in protecting data, but Gude and others remain vigilant and are always looking for ways to improve data security.

"Fortunately we have not had some of the incidents that a few other schools have experienced and hopefully we can avoid that in the future," Gude says. "We are always looking at our business processes and our activities to see how we can improve them and improve the security on them."

Haley Chitty is assistant director of Communications for NASFAA.