[unisog] Outside Penetration Testing and FERPA

Ann Ymous ann.ymous at gmail.com
Wed Dec 1 16:55:41 GMT 2004

I apologize for cross posting, but I would like to get feedback from
each of the addressed lists.

My group performs penetration tests for government agencies,
universities and school districts. We feel that having an outside
entity perform these tests improves the overall security posture of
the institution and results in stronger protection. However, in the
course of our engagements with universities and school districts, we
have recovered student records and other identifiable information.

These discoveries would appear to be a violation of FERPA and place
the institution in jeopardy of loosing federal funds.

I have discussed this matter with our attorneys and they have not
found an exemption or loophole in FERPA that would allow for
third-party security testing, that may result in the disclosure of
student information.

Has anyone addressed this matter directly? If so, how have you dealt
with the issue?

More information about the unisog mailing list