[unisog] Outside Penetration Testing and FERPA
wyang at gcfn.net
Thu Dec 2 01:53:33 GMT 2004
Ann Ymous wrote:
> I apologize for cross posting, but I would like to get feedback from
> each of the addressed lists.
> My group performs penetration tests for government agencies,
> universities and school districts. We feel that having an outside
> entity perform these tests improves the overall security posture of
> the institution and results in stronger protection. However, in the
> course of our engagements with universities and school districts, we
> have recovered student records and other identifiable information.
> These discoveries would appear to be a violation of FERPA and place
> the institution in jeopardy of losing federal funds.
> I have discussed this matter with our attorneys and they have not
> found an exemption or loophole in FERPA that would allow for
> third-party security testing that may result in the disclosure of
> student information.
> Has anyone addressed this matter directly? If so, how have you dealt
> with the issue?
As a professional security contractor, I'm appalled that you're running
into this question after starting an engagement.
Assuming you actually have, have spoken with, and have understood the
communications of an attorney regarding this matter (and that
conjunction isn't evident here), it sounds like you've gotten pathetic
I am not an attorney. I am not going to provide you with legal advice.
I'm not aware of any explicit prohibition on security auditing and pen
testing, and rather think that--based on the FERPA information sheet at
the Department of Education's FERPA web
site--http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html, which is
one of the first 'google' hits on 'family educational rights privacy
act' (what FERPA stands for).
Were I you, I would ask my attorney whether "official" means "employee"
-- after all, contractors and outsourcing can be good decisions, even in
the educational market.
1. Who are you trying to protect? The school? Yourself? Your
organization? The students? The government? You need to define the
constituency you're trying to protect, as the interests may be in conflict.
2. Were you authorized to engage in activity for some legitimate
purpose by appropriately authorized individuals at the school in question?
3. You need to evaluate your contract, scope, and statement of work.
You need to perform due diligence on the contracting organization and
meet an appropriate standard of care when entering into agreements. And
don't take this as legal advice--this is all business advice.
4. Were I you, I would identify and engage a real lawyer; whoever
you're using is pretty pathetic if they've left you looking for legal
advice from a mailing list that's populated largely by security
engineers and system administrators.
wyang at gcfn.net