[unisog] Outside Penetration Testing and FERPA

Samuel Liles sliles at purdue.edu
Wed Dec 1 19:18:47 GMT 2004

Ann Ymous?

Come on, you can do better than that!

-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of Ann Ymous
Sent: Wednesday, December 01, 2004 10:56 AM
To: Pen Test List; Security Mgmt List; Unisog
Subject: [unisog] Outside Penetration Testing and FERPA

I apologize for cross posting, but I would like to get feedback from each of
the addressed lists.

My group performs penetration tests for government agencies, universities
and school districts. We feel that having an outside entity perform these
tests improves the overall security posture of the institution and results
in stronger protection. However, in the course of our engagements with
universities and school districts, we have recovered student records and
other identifiable information.

These discoveries would appear to be a violation of FERPA and place the
institution in jeopardy of losing federal funds.

I have discussed this matter with our attorneys and they have not found an
exemption or loophole in FERPA that would allow for third-party security
testing that may result in the disclosure of student information.

Has anyone addressed this matter directly? If so, how have you dealt with
the issue?