Inspector General Identifies Security Weaknesses in Department of Ed Public Web Sites

The Department of Education's Inspector General has identified "vulnerabilities, weaknesses, and exposure to exploitation on the external infrastructure in network devices, servers, desktops, web applications, and databases" at the Department, according to a report released yesterday.

The audit report, IT Security Controls over Incident Handling and Privacy Act Controls over External Web Sites, has been classified as exempt from public release under the Freedom of Information Act because detailed information about the issues could harm the security posture of the Department. A redacted summary of the report has been posted on the Department's Web site.

The audit found weaknesses in incident handling processes; failure to implement two-factor authentication to protect personally identifiable data; vulnerability to malicious attacks; and failure to properly administer public Web sites including issuance of web site certificates. Because the report is only a summary and is partially redacted, it is not known which web sites were involved, although it seems likely that student aid sites may have been among those at risk. The Department runs multiple public sites that collect personal data from students, including FAFSA on the Web and the Direct Loan site. Until last month, financial aid administrators were required to use personal data to log in to CPS Online and the SAIG Enrollment Web sites.

The report says that the Department "must improve security controls over the incident response and handling program and accelerate two-factor authentication for protecting Privacy Act information to adequately protect the confidentiality, integrity, and availability of the personally identifiable information residing on public web sites."

The Department concurred with the findings and recommendations identified and stated that corrective action plans for the weaknesses will be finalized through the Department's normal audit resolution process.

It is unclear at this time what effect (if any) this will have on financial aid administrators and their students. NASFAA is investigating this issue and will post additional information as it becomes available.

Posted 06/11/09 to www.NASFAA.org. Redistribution to non-NASFAA institutions is prohibited. Please submit Web site questions or comments to Web@NASFAA.org.