[unisog] Re: Outside Penetration Testing and FERPA

Michael G Carr mcarr at nebraska.edu
Wed Dec 1 17:30:31 GMT 2004

(1) Unless you are familiar with the particular institution's public data 
policy or by-law, I'm not sure how you'd even know if accessing the 
particular student data elements is a violation of FERPA (each 
institution's definition of what constitutes public directory information 
can be different), 

(2) I would have hoped that your organization's legal agreement would have 
indemnified you from liability as well as required you to not disclose any 
data or information you uncovered, and

(3) As an outside consultant hired to perform penetration tests, it would 
seem to me that you have an obligation to inform the institution of their 
system's and network's vulnerabilities ASAP (after all, that is probably 
why they hired you...).

So, it seems that as long as you (a) were not scanning someone's network 
without their knowledge/permission, (b) do not disclose what you found, 
and (c) inform the institution as soon as possible, you wouldn't have to 
worry about any FERPA exemption or loop-hole.  It sounds like the 
institution outsourced its penetration testing responsibility to you and 
your company and, as a contractor, you have a need (as well as moral 
obligation and perhaps a legal one) to keep what you may have learned 
confidential while also reporting it to your customer.

Michael G. Carr, Esq., CISSP 
CSN Information Security Officer 
University of Nebraska 
3835 Holdrege St, 227 Varner Hall 
PO Box 830742 
Lincoln, NE 68583-0742 
direct: (402) 472-1349 
cell: (402) 450-6622 
fax: (402) 472-2038
mcarr at nebraska.edu

Ann Ymous <ann.ymous at gmail.com> 
12/01/2004 10:55 AM
Please respond to
Ann Ymous <ann.ymous at gmail.com>

Pen Test List <pen-test at securityfocus.com>, Security Mgmt List 
<security-management at securityfocus.com>, Unisog <unisog at lists.sans.org>

Outside Penetration Testing and FERPA

I apologize for cross posting, but I would like to get feedback from
each of the addressed lists.

My group performs penetration tests for government agencies,
universities and school districts. We feel that having an outside
entity perform these tests improves the overall security posture of
the institution and results in stronger protection. However, in the
course of our engagements with universities and school districts, we
have recovered student records and other identifiable information.

These discoveries would appear to be a violation of FERPA and place
the institution in jeopardy of losing federal funds.

I have discussed this matter with our attorneys and they have not
found an exemption or loophole in FERPA that would allow for
third-party security testing, that may result in the disclosure of
student information.

Has anyone addressed this matter directly? If so, how have you dealt
with the issue?
