Two Factor Authentication (TFA) Has It On Lock Down
The information age is upon us, and with new technologies there are ever increasing amounts of
data being collected and stored across the cyber community. This data must be protected to
ensure program integrity and safeguard taxpayers’ interests.
The postsecondary school ecosystem has grown significantly over the past few years with
multiple touch points to enable the delivery of Title IV Aid and to accommodate the needs of the
students Federal Student Aid (FSA) and our schools serve. In 2007 FSA distributed $80 billion
in financial aid to approximately 8 million borrowers. FSA distributed more than $135 billion in
Federal Aid this past year to 14 million students and families. Since 2007, the number of
borrowers has grown from 8 million to 23 million borrowers in 2010/2011. These figures are
expected to grow to the tune of about 10% over the next five years.
FSA hosts at least 80 million records, none of which are currently protected in accordance with
industry best practices and Office of Management and Budget (OMB) / Department of Homeland
Security (DHS) mandates. At a high level, the FSA ecosystem consists of more than 90,000 users accessing the
following primary FSA systems: National Student Loan Data System (NSLDS), Central
Processing System (CPS), Common Origination and Disbursement (COD), Access and Identity
Management System (AIMS), Participation Management (PM), Financial Management System
(FMS), and Student Aid Internet Gateway (SAIG).
The FSA ecosystem has over 10,000 unique entities including over 6,500 postsecondary schools
in 35 countries that interface directly with FSA. This population is supported by 3,200 financial
partners including Guaranty Agencies, Title IV Additional Servicers (TIVAs) and other financial
institutions.
The U.S. continues to be the top country targeted in web-based attacks and the government
sector is the most popular target. The type of information FSA hosts is often the target of hackers
and may be accessed through malicious software such as keyloggers. Keyloggers can be devices
or software used by cybercriminals to covertly capture and record key strokes on a computer.
Their target is often log-in names, passwords, and other sensitive information that can be sold for
illegitimate purposes.
The cost of a data breach is based upon the data captured. According to industry experts, the cost
of a customer record compromised in a data breach is $200-$214 [1]. Compromised records
containing bank account information are in the range of $300-$350. With this dynamic
environment, there is a need to improve the overall security posture of the ecosystem. Without
fortifying the infrastructure, existing leak points across FSA systems could be compromised,
exposing FSA to appreciably large financial burdens.
[1] The Ponemon Institute 2010 U.S. Cost of a Data Breach,
http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon&om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_costofdatabreach
Protecting data is a shared responsibility of those facilitating the support of Title IV Aid financial
aid across the postsecondary school ecosystem. One of the many activities FSA is undertaking
to improve data security is the implementation of Two Factor Authentication (TFA). The
objective of the TFA initiative is to provide safe and secure access to FSA network services.
To comply with the mandate issued by the White House through the United States Office of
Management and Budget (OMB), Memorandum M07-16 attachment 1, and as part of our ongoing efforts to
ensure the security of Federal Student Aid data systems, the U.S. Department of Education is
required to implement a security protocol through which all authorized users will enter two
forms of “authentication” to access Federal Student Aid systems via the Internet. This process is
referred to as Two Factor Authentication (TFA). The implementation of Two Factor
Authentication significantly reduces exposure to keyloggers at both managed and unmanaged
endpoints of the network.
Authentication is where you prove your identity to a system in order to gain access. When two
independent things are combined, strong authentication can be achieved and access is granted.
Providing only one piece of information will not allow access to the system.
In essence, two factor authentication means providing two independent pieces of evidence that
you are who you say you are. Something that you know is the first factor. The second factor is
something that you have. Two factor authentication can also be achieved with something you
are, using biometrics such as a retina scan or fingerprint.
If you have ever used an ATM Card issued by a bank, you have used the two factor
authentication process.
Something that you know is the First Factor: Your PIN number
Something that you have is the Second Factor: The physical ATM Card
FSA has chosen a physical “key fob” token that generates a One Time Password (OTP) for the
second factor authentication.
Something that you know is the First Factor: User ID and Password
Something that you have is the Second Factor: Token with a One Time
Password (OTP)
The One Time Password (OTP) is a six digit numeric code generated by the token. To generate
the OTP, the user presses the button on the front of the token. A different OTP will be generated
each time the button is pressed and displayed for 30 seconds. When the number displayed is
entered along with the User ID and Password, access will be granted for the user.
There are many people working in concert across the ecosystem to deliver financial aid. The
TFA initiative encompasses approximately 96,000 FSA employees, U.S. Department of
Education Employees, Financial Aid Directors, Financial Aid Administrators, Destination Point
Administrators, Call Center Representatives, Developers and Contractors.
The TFA project is focused on privileged users. A privileged user is anyone who can see more
than just their own personal data. In this context, personal data is defined as Personally
Identifiable Information (PII). PII is “any information about an individual maintained by an
agency, including (1) any information that can be used to distinguish or trace an individual's
identity, such as name, social security number, date and place of birth, mother's maiden name, or
biometric records; and (2) any other information that is linked or linkable to an individual, such
as medical, educational, financial, and employment information.” [2]
Examples of PII include, but are not limited to:
• Name, such as full name, maiden name, mother's maiden name, or alias
• Personal identification number, such as social security number (SSN), passport number,
driver's license number, taxpayer identification number, or financial account or credit
card number
• Address information, such as street address or email address
• Personal characteristics, including photographic image (especially of face or other
identifying characteristic), fingerprints, handwriting, or other biometric data (e.g., retina
scan, voice signature, facial geometry) [3]
In order to “Lock Down” FSA systems at postsecondary schools, the Primary Destination Point
Administrator (PDPA) or Security Administrator for each school will need to confirm (attest) who
is authorized to access Federal Student Aid systems on behalf of the school. Similar leadership
roles will be identified in each of the third party entities supporting the distribution of Title IV
Aid.
Upon confirmation of the authorized users, FSA will send tokens to the PDPA. The PDPA will
be responsible for providing a token to each authorized user such as a Financial Aid
Administrator (FAA). The end user in this scenario, the FAA, will then register their token
online.
The TFA initiative impacts several FSA systems. We plan to implement system changes for
TFA in a phased approach from October 2011 through February 2012.
Available Now – FAA Access to CPS Online
October 24, 2011 – COD System
December 18, 2011 – NSLDS and eCB System
February 12, 2012 – SAIG/EDconnect
[2] This definition is the GAO expression of an amalgam of the definitions of PII from OMB
Memorandums 07-16 and 06-19. GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally
Identifiable Information, May 2008, http://www.gao.gov/new.items/d08536.pdf.
[3] NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (PII),
SP 800-122, April 2010, http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
The TFA rollout is planned to run from Fall 2011 through Fall 2012. During Q3 and Q4 of FY
2011, over 6,000 TFA tokens were issued to FSA employees and U.S. Department of Education
employees. The next phase of deployment is the postsecondary schools. As we implement the
system changes, we will also begin rolling out token information and tokens to the domestic
school community.
Fall 2011 – Authorized users in the DeVry University system of schools have received and
registered their tokens.
December 2011 – Authorized users at domestic schools in Delaware, Maryland, Virginia, West
Virginia, and the District of Columbia will receive and register their tokens.
February 2012 through September 2012 – All authorized users at the remaining domestic schools
will receive and register their tokens and begin to use them for all systems noted above. We plan
to roll out TFA to the remaining schools in approximately eight different groups of states. Just
prior to initiating contact with the schools in each group, we will post an electronic
announcement that provides notice of the states included in that group.
We must do a better job as stewards of PII and improve our security posture against data
leaks. This is a shared responsibility of not only FSA and U.S. Department of Education
associates, but all those who access our systems on behalf of our students. We cannot complete
this without your help. For more information on TFA, please stop by one of our three sessions
where we will go into more detail on the protection of PII and the TFA rollout.