SlideShare a Scribd company logo

Csd6059

Hai Nguyen
Hai Nguyen
TechnologyEconomy & Finance
1 of 4
Download to read offline
Two Factor Authentication (TFA) Has It On Lock Down The information age is upon us, and with new technologies there are ever increasing amounts of data being collected and stored across the cyber community. This data must be protected to ensure program integrity and safeguard taxpayers’ interests. The postsecondary school ecosystem has grown significantly over the past few years with multiple touch points to enable the delivery of Title IV Aid and to accommodate the needs of the students Federal Student Aid (FSA) and our schools serve. In 2007 FSA distributed $80 billion in financial aid to approximately 8 million borrowers. FSA distributed more than $135 billion in Federal Aid this past year to 14 million students and families. Since 2007, the number of borrowers has grown from 8 million to 23 million borrowers in 2010/2011. These figures are expected to grow to the tune of about 10% over the next five years. FSA hosts at least 80 million records - all currently unprotected in accordance with industry best practices and Office of Management and Budget (OMB) / Department of Homeland (DHS) mandates. At a high level, the FSA ecosystem consists of more than 90,000 users accessing the following primary FSA systems: National Student Loan Data System (NSLDS), Central Processing System (CPS), Common Origination and Disbursement (COD), Access and Identity Management System (AIMS), Participation Management (PM), Financial Management System (FMS), and Student Aid Internet Gateway (SAIG). The FSA ecosystem has over 10,000 unique entities including over 6,500 postsecondary schools in 35 countries that interface directly with FSA. This population is supported by 3,200 financial partners including Guaranty Agencies, Title IV Additional Servicers (TIVAs) and other financial institutions. The U.S. continues to be the top country targeted in web-based attacks and the government sector is the most popular target. The type of information FSA hosts is often the target of hackers and may be accessed through malicious software such as keyloggers. Keyloggers can be devices or software used by cybercriminals to covertly capture and record key strokes on a computer. Their target is often log-in names, passwords, and other sensitive information that can be sold for illegitimate purposes. The cost of a data breach is based upon the data captured. According to industry experts, the cost of a customer record compromised in a data breach is $200-$2141 . Compromised records 1 The Ponemon Institute 2010 U.S. Cost of a Data Breach http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon&om_ext_cid=biz_socmed_twitter_faceboo k_marketwire_linkedin_2011Mar_worldwide_costofdatabreach    
containing bank account information are in the range of $300-$350. With this dynamic environment, there is a need to improve the overall security posture of the ecosystem. Without fortifying the infrastructure, existing leak points across FSA systems could be compromised, exposing FSA to appreciably large financial burdens. Protecting data is a shared responsibility of those facilitating the support of Title IV Aid financial aid across the postsecondary school ecosystem. One of the many activities FSA is undertaking to improve data security is the implementation of Two Factor Authentication (TFA). The objective of the TFA initiative is to provide safe and secure access to FSA network services. To comply with the White House through the United States Office of Management and Budget (OMB) mandate, Memorandum M07-16 attachment 1, and as part of our ongoing efforts to ensure the security of Federal Student Aid data systems, the U.S. Department of Education is required to implement a security protocol through which all authorized users will enter two forms of “authentication” to access Federal Student Aid systems via the Internet. This process is referred to as Two Factor Authentication (TFA). The implementation of Two Factor Authentication significantly reduces exposure to key loggers at both managed and unmanaged endpoints of the network. Authentication is where you prove your identity to a system in order to gain access. When two independent things are combined, strong authentication can be achieved and access is granted. Providing only one piece of information will not allow access to the system. In essence, two factor authentication means providing two independent pieces of evidence that you are who you say you are. Something that you know is the first factor. The second factor is something that you have. Two factor authentication can also be achieved with something you are, using biometrics such as a retina scan or fingerprint. If you have ever used an ATM Card issued by a bank, you have used the two factor authentication process. Something that you know is the First Factor: Your PIN number Something that you have is the Second Factor: The physical ATM Card FSA has chosen a physical “key fob” token that generates a One Time Password (OTP) for the second factor authentication. Something that you know is the First Factor: User ID and Password Something that you have is the Second Factor: Token with a One Time Password (OTP) The One Time Password (OTP) is a six digit numeric code generated by the token. To generate the OTP, the user presses the button on the front of the token. A different OTP will be generated each time the button is pressed and display for 30 seconds. When the number displayed is entered along with the User ID and Password access will be granted for the user. There are many people working in concert across the ecosystem to deliver financial aid. The TFA initiative encompasses approximately 96,000 FSA employees, U.S. Department of
Education Employees, Financial Aid Directors, Financial Aid Administrators, Destination Point Administrators, Call Center Representatives, Developers and Contractors. The TFA project is focused on privileged users. A privileged user is anyone who can see more than just their own personal data. In this context, personal data is defined as Personally Identifiable Information (PII). PII is “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”2 Examples of PII include, but are not limited to: • Name, such as full name, maiden name, mother‘s maiden name, or alias • Personal identification number, such as social security number (SSN), passport number, driver‘s license number, taxpayer identification number, or financial account or credit card number • Address information, such as street address or email address • Personal characteristics, including photographic image (especially of face or other identifying characteristic), fingerprints, handwriting, or other biometric data (e.g., retina scan, voice signature, facial geometry)3 In order to “Lock Down” FSA systems at postsecondary schools the Primary Destination Point Administrator (PDPA) or Security Administrator for each school will need confirm (attest) who is authorized to access Federal Student Aid systems on behalf of the school. Similar leadership roles will be identified in each of the third party entities supporting the distribution of Title IV Aid. Upon confirmation of the authorized users, FSA will send tokens to the PDPA. The PDPA will be responsible for providing a token to each authorized user such as a Financial Aid Administrator (FAA). The end user in this scenario, the FAA, will then register their token online. The TFA initiative impacts several FSA systems. We plan to implement system changes for TFA in a phased approach from October 2011 through February 2012. Available Now – FAA Access to CPS Online October 24, 2011 – COD System December 18, 2011 – NSLDS and eCB System February 12, 2012 – SAIG/EDconnect 2 This definition is the GAO expression of an amalgam of the definitions of PII from OMB Memorandums 07-16 and 06-19. GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008, http://www.gao.gov/new.items/d08536.pdf.  3 NIST GUIDE TO PROTECTING THE CONFIDENTIALITY OF PERSONALLY IDENTIFIABLE INFORMATION (PII), SP 800-122, April 2010 http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf  
The TFA rollout is planned to run from Fall 2011 through Fall 2012. During Q3 and Q4 of FY 2011, over 6,000 TFA tokens were issued to FSA employees and U.S. Department of Education employees. The next phase of deployment is the postsecondary schools. As we implement the system changes, we will also begin rolling out token information and tokens to the domestic school community. Fall 2011 – Authorized users in the DeVry University system of schools have received and registered their tokens. December 2011 – Authorized users at domestic schools in Delaware, Maryland, Virginia, West Virginia, and the District of Columbia will receive and register their tokens. February 2012 through September 2012 – All authorized users at the remaining domestic schools will receive and register their tokens and begin to use them for all systems noted above. We plan to roll out TFA to the remaining schools in approximately eight different groups of states. Just prior to initiating contact with the schools in each group, we will post an electronic announcement that provides notice of the states included in that group. We must do a better job as stewards of PII and to improve our security posture against data leaks. This is a shared responsibility of not only FSA and U.S. Department of Education associates, but all those who access our systems on behalf of our students. We cannot complete this without your help. For more information on TFA, please stop by one of our three sessions where we will go into more detail on the protection of PII and the TFA rollout.

Recommended

Nascio who areyoue-authbrief122104
Nascio who areyoue-authbrief122104Nascio who areyoue-authbrief122104
Nascio who areyoue-authbrief122104Hai Nguyen
 
Naccu Card Fraud And Identity Theft
Naccu Card Fraud And Identity TheftNaccu Card Fraud And Identity Theft
Naccu Card Fraud And Identity Theftmherr_riskconsult
 
Fifth Annual Study on Medical Identity Theft
Fifth Annual Study on Medical Identity TheftFifth Annual Study on Medical Identity Theft
Fifth Annual Study on Medical Identity Theft- Mark - Fullbright
 
University Payroll Theft Scheme
University Payroll Theft SchemeUniversity Payroll Theft Scheme
University Payroll Theft Schemeworldwidebranding
 
Consumer Sentinel Network Report 2014
Consumer Sentinel Network Report 2014Consumer Sentinel Network Report 2014
Consumer Sentinel Network Report 2014- Mark - Fullbright
 
Chronology of Data Breaches
Chronology of Data BreachesChronology of Data Breaches
Chronology of Data Breaches- Mark - Fullbright
 
Top online frauds 2010
Top online frauds 2010Top online frauds 2010
Top online frauds 2010Cade Zvavanjanja
 
JPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment ReportJPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment ReportDivya Kothari
 

Recommended

Nascio who areyoue-authbrief122104
Nascio who areyoue-authbrief122104Nascio who areyoue-authbrief122104
Nascio who areyoue-authbrief122104Hai Nguyen
 
Naccu Card Fraud And Identity Theft
Naccu Card Fraud And Identity TheftNaccu Card Fraud And Identity Theft
Naccu Card Fraud And Identity Theftmherr_riskconsult
 
Fifth Annual Study on Medical Identity Theft
Fifth Annual Study on Medical Identity TheftFifth Annual Study on Medical Identity Theft
Fifth Annual Study on Medical Identity Theft- Mark - Fullbright
 
University Payroll Theft Scheme
University Payroll Theft SchemeUniversity Payroll Theft Scheme
University Payroll Theft Schemeworldwidebranding
 
Consumer Sentinel Network Report 2014
Consumer Sentinel Network Report 2014Consumer Sentinel Network Report 2014
Consumer Sentinel Network Report 2014- Mark - Fullbright
 
Chronology of Data Breaches
Chronology of Data BreachesChronology of Data Breaches
Chronology of Data Breaches- Mark - Fullbright
 
Top online frauds 2010
Top online frauds 2010Top online frauds 2010
Top online frauds 2010Cade Zvavanjanja
 
JPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment ReportJPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment ReportDivya Kothari
 
Identity Theft - Proactive / Reactive First Steps
Identity Theft - Proactive / Reactive First Steps Identity Theft - Proactive / Reactive First Steps
Identity Theft - Proactive / Reactive First Steps - Mark - Fullbright
 
Consumer Sentinel Data Book 2015
Consumer Sentinel Data Book 2015Consumer Sentinel Data Book 2015
Consumer Sentinel Data Book 2015- Mark - Fullbright
 
Consumer protection is your smartphone too smart
Consumer protection is your smartphone too smartConsumer protection is your smartphone too smart
Consumer protection is your smartphone too smartarcherlaw1
 
CSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentCSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentDonald E. Hester
 
Cybercriminality
CybercriminalityCybercriminality
CybercriminalityChantal Abam
 
CFPB Compliance Insight
CFPB Compliance InsightCFPB Compliance Insight
CFPB Compliance InsightCommercial Investigations LLC
 
CBSV%20INFORMATION[1]
CBSV%20INFORMATION[1]CBSV%20INFORMATION[1]
CBSV%20INFORMATION[1]Stephanie L. Elder
 
Laudon traver ec11-im_ch05
Laudon traver ec11-im_ch05Laudon traver ec11-im_ch05
Laudon traver ec11-im_ch05BookStoreLib
 
B com 2014 | Email Marketing 4Startup:supportiamo il tuo progetto digitale co...
B com 2014 | Email Marketing 4Startup:supportiamo il tuo progetto digitale co...B com 2014 | Email Marketing 4Startup:supportiamo il tuo progetto digitale co...
B com 2014 | Email Marketing 4Startup:supportiamo il tuo progetto digitale co...B com Expo | GL events Italia
 
120 i143
120 i143120 i143
120 i143Hai Nguyen
 
5 goede redenen om verplichte bijscholing online te doen
5 goede redenen om verplichte bijscholing online te doen5 goede redenen om verplichte bijscholing online te doen
5 goede redenen om verplichte bijscholing online te doenHedwig Schlötjes -Belle
 
Implementatiewijzer Stof genoeg en Signaleren
Implementatiewijzer Stof genoeg en SignalerenImplementatiewijzer Stof genoeg en Signaleren
Implementatiewijzer Stof genoeg en SignalerenHedwig Schlötjes -Belle
 
1208 wp-two-factor-and-swivel-whitepaper
1208 wp-two-factor-and-swivel-whitepaper1208 wp-two-factor-and-swivel-whitepaper
1208 wp-two-factor-and-swivel-whitepaperHai Nguyen
 
GP scenario generation workshop outputs
GP scenario generation workshop outputsGP scenario generation workshop outputs
GP scenario generation workshop outputsC4WI
 
wp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industrywp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industryNumaan Huq
 
Identity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expaIdentity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expaLizbethQuinonez813
 
Data security
Data securityData security
Data securityoco26
 
Govt authentication brief ca v
Govt authentication brief ca vGovt authentication brief ca v
Govt authentication brief ca vMike Kuhn
 
UW - IMT 552-JPMorgan Chase & Co. Risk Assessment
UW - IMT 552-JPMorgan Chase & Co. Risk AssessmentUW - IMT 552-JPMorgan Chase & Co. Risk Assessment
UW - IMT 552-JPMorgan Chase & Co. Risk AssessmentAkshay Ajgaonkar
 
IMT 552-JPMorgan Chase & Co. Risk Assessment v05
IMT 552-JPMorgan Chase & Co. Risk Assessment v05IMT 552-JPMorgan Chase & Co. Risk Assessment v05
IMT 552-JPMorgan Chase & Co. Risk Assessment v05Daniel Kapellmann Zafra
 
Data Breach Response Checklist
Data Breach Response ChecklistData Breach Response Checklist
Data Breach Response Checklist- Mark - Fullbright
 
Adjusting Your Security Controls: It’s the New Normal
Adjusting Your Security Controls: It’s the New NormalAdjusting Your Security Controls: It’s the New Normal
Adjusting Your Security Controls: It’s the New NormalPriyanka Aash
 

More Related Content

What's hot

Identity Theft - Proactive / Reactive First Steps
Identity Theft - Proactive / Reactive First Steps Identity Theft - Proactive / Reactive First Steps
Identity Theft - Proactive / Reactive First Steps - Mark - Fullbright
 
Consumer Sentinel Data Book 2015
Consumer Sentinel Data Book 2015Consumer Sentinel Data Book 2015
Consumer Sentinel Data Book 2015- Mark - Fullbright
 
Consumer protection is your smartphone too smart
Consumer protection is your smartphone too smartConsumer protection is your smartphone too smart
Consumer protection is your smartphone too smartarcherlaw1
 
CSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentCSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentDonald E. Hester
 
Laudon traver ec11-im_ch05
Laudon traver ec11-im_ch05Laudon traver ec11-im_ch05
Laudon traver ec11-im_ch05BookStoreLib
 

What's hot (8)

Identity Theft - Proactive / Reactive First Steps
Identity Theft - Proactive / Reactive First Steps Identity Theft - Proactive / Reactive First Steps
Identity Theft - Proactive / Reactive First Steps
 
Consumer Sentinel Data Book 2015
Consumer Sentinel Data Book 2015Consumer Sentinel Data Book 2015
Consumer Sentinel Data Book 2015
 
Consumer protection is your smartphone too smart
Consumer protection is your smartphone too smartConsumer protection is your smartphone too smart
Consumer protection is your smartphone too smart
 
CSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentCSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local Government
 
Cybercriminality
CybercriminalityCybercriminality
Cybercriminality
 
CFPB Compliance Insight
CFPB Compliance InsightCFPB Compliance Insight
CFPB Compliance Insight
 
CBSV%20INFORMATION[1]
CBSV%20INFORMATION[1]CBSV%20INFORMATION[1]
CBSV%20INFORMATION[1]
 
Laudon traver ec11-im_ch05
Laudon traver ec11-im_ch05Laudon traver ec11-im_ch05
Laudon traver ec11-im_ch05
 

Viewers also liked

B com 2014 | Email Marketing 4Startup:supportiamo il tuo progetto digitale co...
B com 2014 | Email Marketing 4Startup:supportiamo il tuo progetto digitale co...B com 2014 | Email Marketing 4Startup:supportiamo il tuo progetto digitale co...
B com 2014 | Email Marketing 4Startup:supportiamo il tuo progetto digitale co...B com Expo | GL events Italia
 
5 goede redenen om verplichte bijscholing online te doen
5 goede redenen om verplichte bijscholing online te doen5 goede redenen om verplichte bijscholing online te doen
5 goede redenen om verplichte bijscholing online te doenHedwig Schlötjes -Belle
 
Implementatiewijzer Stof genoeg en Signaleren
Implementatiewijzer Stof genoeg en SignalerenImplementatiewijzer Stof genoeg en Signaleren
Implementatiewijzer Stof genoeg en SignalerenHedwig Schlötjes -Belle
 
1208 wp-two-factor-and-swivel-whitepaper
1208 wp-two-factor-and-swivel-whitepaper1208 wp-two-factor-and-swivel-whitepaper
1208 wp-two-factor-and-swivel-whitepaperHai Nguyen
 
GP scenario generation workshop outputs
GP scenario generation workshop outputsGP scenario generation workshop outputs
GP scenario generation workshop outputsC4WI
 

Viewers also liked (6)

B com 2014 | Email Marketing 4Startup:supportiamo il tuo progetto digitale co...
B com 2014 | Email Marketing 4Startup:supportiamo il tuo progetto digitale co...B com 2014 | Email Marketing 4Startup:supportiamo il tuo progetto digitale co...
B com 2014 | Email Marketing 4Startup:supportiamo il tuo progetto digitale co...
 
120 i143
120 i143120 i143
120 i143
 
5 goede redenen om verplichte bijscholing online te doen
5 goede redenen om verplichte bijscholing online te doen5 goede redenen om verplichte bijscholing online te doen
5 goede redenen om verplichte bijscholing online te doen
 
Implementatiewijzer Stof genoeg en Signaleren
Implementatiewijzer Stof genoeg en SignalerenImplementatiewijzer Stof genoeg en Signaleren
Implementatiewijzer Stof genoeg en Signaleren
 
1208 wp-two-factor-and-swivel-whitepaper
1208 wp-two-factor-and-swivel-whitepaper1208 wp-two-factor-and-swivel-whitepaper
1208 wp-two-factor-and-swivel-whitepaper
 
GP scenario generation workshop outputs
GP scenario generation workshop outputsGP scenario generation workshop outputs
GP scenario generation workshop outputs
 

Similar to Csd6059

wp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industrywp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industryNumaan Huq
 
Identity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expaIdentity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expaLizbethQuinonez813
 
Data security
Data securityData security
Data securityoco26
 
Govt authentication brief ca v
Govt authentication brief ca vGovt authentication brief ca v
Govt authentication brief ca vMike Kuhn
 
UW - IMT 552-JPMorgan Chase & Co. Risk Assessment
UW - IMT 552-JPMorgan Chase & Co. Risk AssessmentUW - IMT 552-JPMorgan Chase & Co. Risk Assessment
UW - IMT 552-JPMorgan Chase & Co. Risk AssessmentAkshay Ajgaonkar
 
IMT 552-JPMorgan Chase & Co. Risk Assessment v05
IMT 552-JPMorgan Chase & Co. Risk Assessment v05IMT 552-JPMorgan Chase & Co. Risk Assessment v05
IMT 552-JPMorgan Chase & Co. Risk Assessment v05Daniel Kapellmann Zafra
 
Adjusting Your Security Controls: It’s the New Normal
Adjusting Your Security Controls: It’s the New NormalAdjusting Your Security Controls: It’s the New Normal
Adjusting Your Security Controls: It’s the New NormalPriyanka Aash
 
George Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler SeminarGeorge Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler SeminarDon Grauel
 
Why Passwords are not strong enough
Why Passwords are not strong enoughWhy Passwords are not strong enough
Why Passwords are not strong enoughEMC
 
Matthew Fisch Specializes in Cyber Security
Matthew Fisch Specializes in Cyber SecurityMatthew Fisch Specializes in Cyber Security
Matthew Fisch Specializes in Cyber Securityworldwidebranding
 
Crj 101 after having reviewed many traditional forms of white collar
Crj 101 after having reviewed many traditional forms of white collarCrj 101 after having reviewed many traditional forms of white collar
Crj 101 after having reviewed many traditional forms of white collarleonardjonh215
 
CRC Alert November 2019 Final.pdf
CRC Alert November 2019 Final.pdfCRC Alert November 2019 Final.pdf
CRC Alert November 2019 Final.pdfssuser7464571
 
An Overview of the Major Compliance Requirements
An Overview of the Major Compliance RequirementsAn Overview of the Major Compliance Requirements
An Overview of the Major Compliance RequirementsDoubleHorn
 
Running head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxRunning head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxwlynn1
 
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy ComplianceCorporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy ComplianceFinancial Poise
 
An Overview and Competitive Analysis of the One-Time Password (OTP) Market
An Overview and Competitive Analysis of the One-Time Password (OTP) MarketAn Overview and Competitive Analysis of the One-Time Password (OTP) Market
An Overview and Competitive Analysis of the One-Time Password (OTP) MarketEMC
 
Where In The World Is Your Sensitive Data?
Where In The World Is Your Sensitive Data?Where In The World Is Your Sensitive Data?
Where In The World Is Your Sensitive Data?Druva
 

Similar to Csd6059 (20)

wp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industrywp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industry
 
Identity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expaIdentity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expa
 
Data security
Data securityData security
Data security
 
Govt authentication brief ca v
Govt authentication brief ca vGovt authentication brief ca v
Govt authentication brief ca v
 
UW - IMT 552-JPMorgan Chase & Co. Risk Assessment
UW - IMT 552-JPMorgan Chase & Co. Risk AssessmentUW - IMT 552-JPMorgan Chase & Co. Risk Assessment
UW - IMT 552-JPMorgan Chase & Co. Risk Assessment
 
IMT 552-JPMorgan Chase & Co. Risk Assessment v05
IMT 552-JPMorgan Chase & Co. Risk Assessment v05IMT 552-JPMorgan Chase & Co. Risk Assessment v05
IMT 552-JPMorgan Chase & Co. Risk Assessment v05
 
Data Breach Response Checklist
Data Breach Response ChecklistData Breach Response Checklist
Data Breach Response Checklist
 
Adjusting Your Security Controls: It’s the New Normal
Adjusting Your Security Controls: It’s the New NormalAdjusting Your Security Controls: It’s the New Normal
Adjusting Your Security Controls: It’s the New Normal
 
George Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler SeminarGeorge Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler Seminar
 
Why Passwords are not strong enough
Why Passwords are not strong enoughWhy Passwords are not strong enough
Why Passwords are not strong enough
 
Data Breach Response Checklist
Data Breach Response ChecklistData Breach Response Checklist
Data Breach Response Checklist
 
Matthew Fisch Specializes in Cyber Security
Matthew Fisch Specializes in Cyber SecurityMatthew Fisch Specializes in Cyber Security
Matthew Fisch Specializes in Cyber Security
 
Accounting
AccountingAccounting
Accounting
 
Crj 101 after having reviewed many traditional forms of white collar
Crj 101 after having reviewed many traditional forms of white collarCrj 101 after having reviewed many traditional forms of white collar
Crj 101 after having reviewed many traditional forms of white collar
 
CRC Alert November 2019 Final.pdf
CRC Alert November 2019 Final.pdfCRC Alert November 2019 Final.pdf
CRC Alert November 2019 Final.pdf
 
An Overview of the Major Compliance Requirements
An Overview of the Major Compliance RequirementsAn Overview of the Major Compliance Requirements
An Overview of the Major Compliance Requirements
 
Running head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxRunning head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docx
 
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy ComplianceCorporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
 
An Overview and Competitive Analysis of the One-Time Password (OTP) Market
An Overview and Competitive Analysis of the One-Time Password (OTP) MarketAn Overview and Competitive Analysis of the One-Time Password (OTP) Market
An Overview and Competitive Analysis of the One-Time Password (OTP) Market
 
Where In The World Is Your Sensitive Data?
Where In The World Is Your Sensitive Data?Where In The World Is Your Sensitive Data?
Where In The World Is Your Sensitive Data?
 

More from Hai Nguyen

Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideHai Nguyen
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailarHai Nguyen
 
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_faSecuring corporate assets_with_2_fa
Securing corporate assets_with_2_faHai Nguyen
 
Scc soft token datasheet
Scc soft token datasheetScc soft token datasheet
Scc soft token datasheetHai Nguyen
 
Rsa two factorauthentication
Rsa two factorauthenticationRsa two factorauthentication
Rsa two factorauthenticationHai Nguyen
 
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Hai Nguyen
 
Pg 2 fa_tech_brief
Pg 2 fa_tech_briefPg 2 fa_tech_brief
Pg 2 fa_tech_briefHai Nguyen
 
Ouch 201211 en
Ouch 201211 enOuch 201211 en
Ouch 201211 enHai Nguyen
 
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationN ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationHai Nguyen
 
Multiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseMultiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseHai Nguyen
 
Mobile authentication
Mobile authenticationMobile authentication
Mobile authenticationHai Nguyen
 
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Hai Nguyen
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheetHai Nguyen
 
Hotpin datasheet
Hotpin datasheetHotpin datasheet
Hotpin datasheetHai Nguyen
 
Ds netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationDs netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationHai Nguyen
 
Datasheet two factor-authenticationx
Datasheet two factor-authenticationxDatasheet two factor-authenticationx
Datasheet two factor-authenticationxHai Nguyen
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingHai Nguyen
 
Citrix sb 0707-lowres
Citrix sb 0707-lowresCitrix sb 0707-lowres
Citrix sb 0707-lowresHai Nguyen
 

More from Hai Nguyen (20)

Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
 
Sms based otp
Sms based otpSms based otp
Sms based otp
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailar
 
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_faSecuring corporate assets_with_2_fa
Securing corporate assets_with_2_fa
 
Scc soft token datasheet
Scc soft token datasheetScc soft token datasheet
Scc soft token datasheet
 
Rsa two factorauthentication
Rsa two factorauthenticationRsa two factorauthentication
Rsa two factorauthentication
 
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
 
Pg 2 fa_tech_brief
Pg 2 fa_tech_briefPg 2 fa_tech_brief
Pg 2 fa_tech_brief
 
Ouch 201211 en
Ouch 201211 enOuch 201211 en
Ouch 201211 en
 
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationN ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authentication
 
Multiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseMultiple credentials-in-the-enterprise
Multiple credentials-in-the-enterprise
 
Mobile authentication
Mobile authenticationMobile authentication
Mobile authentication
 
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheet
 
Hotpin datasheet
Hotpin datasheetHotpin datasheet
Hotpin datasheet
 
Gambling
GamblingGambling
Gambling
 
Ds netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationDs netsuite-two-factor-authentication
Ds netsuite-two-factor-authentication
 
Datasheet two factor-authenticationx
Datasheet two factor-authenticationxDatasheet two factor-authenticationx
Datasheet two factor-authenticationx
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for banking
 
Citrix sb 0707-lowres
Citrix sb 0707-lowresCitrix sb 0707-lowres
Citrix sb 0707-lowres
 

Recently uploaded

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Csd6059

  • 1. Two Factor Authentication (TFA) Has It On Lock Down The information age is upon us, and with new technologies there are ever increasing amounts of data being collected and stored across the cyber community. This data must be protected to ensure program integrity and safeguard taxpayers’ interests. The postsecondary school ecosystem has grown significantly over the past few years with multiple touch points to enable the delivery of Title IV Aid and to accommodate the needs of the students Federal Student Aid (FSA) and our schools serve. In 2007 FSA distributed $80 billion in financial aid to approximately 8 million borrowers. FSA distributed more than $135 billion in Federal Aid this past year to 14 million students and families. Since 2007, the number of borrowers has grown from 8 million to 23 million borrowers in 2010/2011. These figures are expected to grow to the tune of about 10% over the next five years. FSA hosts at least 80 million records - all currently unprotected in accordance with industry best practices and Office of Management and Budget (OMB) / Department of Homeland (DHS) mandates. At a high level, the FSA ecosystem consists of more than 90,000 users accessing the following primary FSA systems: National Student Loan Data System (NSLDS), Central Processing System (CPS), Common Origination and Disbursement (COD), Access and Identity Management System (AIMS), Participation Management (PM), Financial Management System (FMS), and Student Aid Internet Gateway (SAIG). The FSA ecosystem has over 10,000 unique entities including over 6,500 postsecondary schools in 35 countries that interface directly with FSA. This population is supported by 3,200 financial partners including Guaranty Agencies, Title IV Additional Servicers (TIVAs) and other financial institutions. The U.S. continues to be the top country targeted in web-based attacks and the government sector is the most popular target. The type of information FSA hosts is often the target of hackers and may be accessed through malicious software such as keyloggers. Keyloggers can be devices or software used by cybercriminals to covertly capture and record key strokes on a computer. Their target is often log-in names, passwords, and other sensitive information that can be sold for illegitimate purposes. The cost of a data breach is based upon the data captured. According to industry experts, the cost of a customer record compromised in a data breach is $200-$2141 . Compromised records 1 The Ponemon Institute 2010 U.S. Cost of a Data Breach http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon&om_ext_cid=biz_socmed_twitter_faceboo k_marketwire_linkedin_2011Mar_worldwide_costofdatabreach    
  • 2. containing bank account information are in the range of $300-$350. With this dynamic environment, there is a need to improve the overall security posture of the ecosystem. Without fortifying the infrastructure, existing leak points across FSA systems could be compromised, exposing FSA to appreciably large financial burdens. Protecting data is a shared responsibility of those facilitating the support of Title IV Aid financial aid across the postsecondary school ecosystem. One of the many activities FSA is undertaking to improve data security is the implementation of Two Factor Authentication (TFA). The objective of the TFA initiative is to provide safe and secure access to FSA network services. To comply with the White House through the United States Office of Management and Budget (OMB) mandate, Memorandum M07-16 attachment 1, and as part of our ongoing efforts to ensure the security of Federal Student Aid data systems, the U.S. Department of Education is required to implement a security protocol through which all authorized users will enter two forms of “authentication” to access Federal Student Aid systems via the Internet. This process is referred to as Two Factor Authentication (TFA). The implementation of Two Factor Authentication significantly reduces exposure to key loggers at both managed and unmanaged endpoints of the network. Authentication is where you prove your identity to a system in order to gain access. When two independent things are combined, strong authentication can be achieved and access is granted. Providing only one piece of information will not allow access to the system. In essence, two factor authentication means providing two independent pieces of evidence that you are who you say you are. Something that you know is the first factor. The second factor is something that you have. Two factor authentication can also be achieved with something you are, using biometrics such as a retina scan or fingerprint. If you have ever used an ATM Card issued by a bank, you have used the two factor authentication process. Something that you know is the First Factor: Your PIN number Something that you have is the Second Factor: The physical ATM Card FSA has chosen a physical “key fob” token that generates a One Time Password (OTP) for the second factor authentication. Something that you know is the First Factor: User ID and Password Something that you have is the Second Factor: Token with a One Time Password (OTP) The One Time Password (OTP) is a six digit numeric code generated by the token. To generate the OTP, the user presses the button on the front of the token. A different OTP will be generated each time the button is pressed and display for 30 seconds. When the number displayed is entered along with the User ID and Password access will be granted for the user. There are many people working in concert across the ecosystem to deliver financial aid. The TFA initiative encompasses approximately 96,000 FSA employees, U.S. Department of
  • 3. Education Employees, Financial Aid Directors, Financial Aid Administrators, Destination Point Administrators, Call Center Representatives, Developers and Contractors. The TFA project is focused on privileged users. A privileged user is anyone who can see more than just their own personal data. In this context, personal data is defined as Personally Identifiable Information (PII). PII is “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”2 Examples of PII include, but are not limited to: • Name, such as full name, maiden name, mother‘s maiden name, or alias • Personal identification number, such as social security number (SSN), passport number, driver‘s license number, taxpayer identification number, or financial account or credit card number • Address information, such as street address or email address • Personal characteristics, including photographic image (especially of face or other identifying characteristic), fingerprints, handwriting, or other biometric data (e.g., retina scan, voice signature, facial geometry)3 In order to “Lock Down” FSA systems at postsecondary schools the Primary Destination Point Administrator (PDPA) or Security Administrator for each school will need confirm (attest) who is authorized to access Federal Student Aid systems on behalf of the school. Similar leadership roles will be identified in each of the third party entities supporting the distribution of Title IV Aid. Upon confirmation of the authorized users, FSA will send tokens to the PDPA. The PDPA will be responsible for providing a token to each authorized user such as a Financial Aid Administrator (FAA). The end user in this scenario, the FAA, will then register their token online. The TFA initiative impacts several FSA systems. We plan to implement system changes for TFA in a phased approach from October 2011 through February 2012. Available Now – FAA Access to CPS Online October 24, 2011 – COD System December 18, 2011 – NSLDS and eCB System February 12, 2012 – SAIG/EDconnect 2 This definition is the GAO expression of an amalgam of the definitions of PII from OMB Memorandums 07-16 and 06-19. GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008, http://www.gao.gov/new.items/d08536.pdf.  3 NIST GUIDE TO PROTECTING THE CONFIDENTIALITY OF PERSONALLY IDENTIFIABLE INFORMATION (PII), SP 800-122, April 2010 http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf  
  • 4. The TFA rollout is planned to run from Fall 2011 through Fall 2012. During Q3 and Q4 of FY 2011, over 6,000 TFA tokens were issued to FSA employees and U.S. Department of Education employees. The next phase of deployment is the postsecondary schools. As we implement the system changes, we will also begin rolling out token information and tokens to the domestic school community. Fall 2011 – Authorized users in the DeVry University system of schools have received and registered their tokens. December 2011 – Authorized users at domestic schools in Delaware, Maryland, Virginia, West Virginia, and the District of Columbia will receive and register their tokens. February 2012 through September 2012 – All authorized users at the remaining domestic schools will receive and register their tokens and begin to use them for all systems noted above. We plan to roll out TFA to the remaining schools in approximately eight different groups of states. Just prior to initiating contact with the schools in each group, we will post an electronic announcement that provides notice of the states included in that group. We must do a better job as stewards of PII and to improve our security posture against data leaks. This is a shared responsibility of not only FSA and U.S. Department of Education associates, but all those who access our systems on behalf of our students. We cannot complete this without your help. For more information on TFA, please stop by one of our three sessions where we will go into more detail on the protection of PII and the TFA rollout.