Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Management
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Outside Penetration Testing and FERPA

from [Michael G Carr] Network Security [Permanent Link]
Subject: Re: Outside Penetration Testing and FERPA
Date: Wed, 1 Dec 2004 11:30:31 -0600 
(1) Unless you are familiar with the particular institution's public data 
policy or by-law, I'm not sure how you'd even know if accessing the 
particular student data elements are a violation of FERPA (each 
institutions' definition of what constitutes public directory information 
can be different), 

(2) I would have hoped that your organization's legal agreement would have 
indemnified you from liability as well as required you to not disclose any 
data or information you uncovered, and

(3) As an outside consultant hired to perform penetration tests, it would 
seem to me that you have an obligation to inform the institution of their 
system's and network's vulnerabilities ASAP (after all, that is probably 
why they hired you...).


So, it seems that as long as you (a) were not scanning someone's network 
without their knowledge/permission, (b) do not disclose what you found, 
and (c) inform the institution as soon as possible, you wouldn't have to 
worry about any FERPA exemption or loop-hole.  It sounds like an the 
institution outsourced its penetration testing responsibility to you and 
your company and, as a contractor, you have an need (as well as moral 
obligation and perhaps a legal one) to keep what you may have learned 
confidential while also reporting it to your customer.

Michael G. Carr, Esq., CISSP 
CSN Information Security Officer 
University of Nebraska 
3835 Holdrege St, 227 Varner Hall 
PO Box 830742 
Lincoln, NE 68583-0742 
direct: (402) 472-1349 
cell: (402) 450-6622 
fax: (402) 472-2038
mcarr@nebraska.edu




Ann Ymous <ann.ymous@gmail.com> 
12/01/2004 10:55 AM
Please respond to
Ann Ymous <ann.ymous@gmail.com>


To
Pen Test List <pen-test@securityfocus.com>, Security Mgmt List 
<security-management@securityfocus.com>, Unisog <unisog@lists.sans.org>
cc

Subject
Outside Penetration Testing and FERPA




I apologize for cross posting, but I would like to get feedback from
each of the addressed lists.

My group performs penetration tests for government agencies,
universities and school districts. We feel that having an outside
entity perform these tests improves the overall security posture of
the institution and results in stronger protection. However, in the
course of our engagements with universities and school districts, we
have recovered student records and other identifiable information.

These discoveries would appear to be a violation of FERPA and place
the institution in jeopardy of loosing federal funds.

I have discussed this matter with our attorneys and they have not
found an exemption or loophole in FERPA that would allow for
third-party security testing, that may result in the disclosure of
student information.

Has anyone addressed this matter directly? If so, how have you dealt
with the issue?
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Outside Penetration Testing and FERPA, Ann Ymous
Next by Date:  Nice push for security training ..., Rob, grandpa of Ryan, Trevor, Devon & Hannah
Previous by Thread:  Outside Penetration Testing and FERPA, Ann Ymous
Next by Thread:  RE: Outside Penetration Testing and FERPA, Keith T. Morgan
Indexes:  [Date] [Thread] [Top] [All Lists]