
| Subject: | RE: Outside Penetration Testing and FERPA |
|---|---|
| Date: | Wed, 1 Dec 2004 18:02:30 -0500 |
IANAL, YMMV, and any other applicable caveat under any applicable jurisdiction to the extent permitted by law....

If *you* have recovered it, that's one thing. If you've uncovered evidence that unauthorized parties have accessed the information, that's another. The organization should treat you as a contractor.

When we do penetration testing on HIPAA covered entities, we word our contracts such that for any PHI we uncover, we immediately notify the customer, present corrective actions, destroy any copies we have, don't disclose, etc. We also have to jump through their authorization hoops prior to the engagement, as we always assume that eventually we'll dig up some PHI. They should have required language like this from you in your contract. If they didn't, the courts would likely treat you as a contractor or employee.

Uncovering it is one thing. Posting it on /. is another. As long as you immediately notify them of the situation, and EXACTLY what was disclosed and to whom, you should be OK. Also, take reasonable precautions to protect whatever FERPA covered information you have in your possession from further unauthorized disclosure.

I wouldn't be surprised if your attorneys are baffled by the whole situation. Case law on FERPA, HIPAA, SOX et al. is all but non-existent right now.

I guess my point is that, by nature of your contract with the customer, you may be authorized to see the information (albeit possibly not by-the-book/letter-of-the-law). You do have a contract, right? This is an authorized pen-test, isn't it?
These discoveries would appear to be a violation of FERPA and place the institution in jeopardy of losing federal funds. I have discussed this matter with our attorneys and they have not found an exemption or loophole in FERPA that would allow for third-party security testing that may result in the disclosure of student information.