This chapter gives an overview of the software and security issues that must be considered when planning how your school will process FSA data and reports. The security of personal and organizational data is important, and federal law requires schools to have an information security plan. This chapter may help you develop it.
-
Software Providers
-
Communications software: EDconnect
-
Data processing: EDExpress, mainframe, & 3rd party software
-
-
Security issues
-
SAIG mailbox and destination point administrator
-
FSA website access
-
Software permissions
-
-
Options for controlling data flow & user access
-
Creating SAIG mailboxes
-
Setting user permissions in the software
-
Setting file paths
-
-
Examples
-
Single and multiple mailboxes
-
Password protection policies
-
SOFTWARE PROVIDERS
While your school is required to have at least one SAIG mailbox and to enroll in FSA systems such as the CPS, COD, and NSLDS, the Department doesn’t specify what software must be used at your school to open, create, or correct FSA records and reports.
As a service to participating schools, FSA provides free PC-based software to transmit and receive data over the Internet (EDconnect) and to assist with student application, packaging, origination and disbursement records, cash management, and reconciliation functionality (EDESuite; EDExpress and Direct Loan Tools).
However, schools may choose to use software developed by third-party vendors, or develop their own PC or mainframe-based software programs to work with FSA records and reports. Some of the more sophisticated software products have the advantage of being able to share information with other offices at your school—for instance, enrollment data with your bursar’s office and payment information with your business office.
If you choose a third-party software product, you are responsible for ensuring that it can perform the necessary functions to open, edit, and create FSA student records and reports. (In particular, your software must be able to send and receive COD records in XML format.) Ultimately, the responsibility for ensuring the timeliness and accuracy of electronic data rests with your school.
FSA software, related manuals, and technical references can be downloaded online. https://fsapartners.ed.gov/knowledgecenter/topics/software-and-other-tools
For help installing the software, call CPS/SAIG technical support at 1-800-330-5947 or email CPSSAIG@ed.gov.
SECURITY ISSUES
Because student aid records contain personally-identifiable information that is quite sensitive, your school must take special care to ensure that only appropriate members of the administrative staff are able to view and edit those records. The person who configures the security settings in EDExpress is usually referred to as the “systems administrator.” The systems administrator can be one of the destination point administrators identified in the SAIG enrollment process, as discussed in Chapter 2, or it may be someone at your school who has general responsibility for the installation of new software and network security. In either case, the person configuring the software should carefully consider how it will be used and the types of access required for each user.
Managing permissions for school staff requires a little planning. Access to FSA data is controlled at three different levels:
-
SAIG Mailbox—The destination point administrator (DPA) specifies what kinds of data are sent to a particular mailbox when the mailbox is created. The DPA also creates and updates the SAIG password for that mailbox, which is shared by all members of the security group that will be using that mailbox.
-
FSA websites—The destination point administrator for a primary mailbox can enroll users for the CPS, COD and NSLDS websites. (NSLDS Web access requires the creation of a separate mailbox for each user.)
-
EDconnect & EDExpress (or equivalent)—User permissions for software that is run on school computers are set locally, and the information about the school staff who are using the software is not transmitted to any of the FSA systems.
Because access is configured separately for Web users and software users, it is possible for a Web user to have access to some data that he or she cannot open in local software (or vice versa). In general, we recommend that you configure the access rights in EDconnect and EDExpress so that they are consistent with the permissions that you have established through the SAIG Enrollment Form, the SAIG website, and with COD School Relations. (See Chapter 2.) For instance, if you have given a user access to CPS data in EDconnect and EDExpress, then you would probably want to give that user the capability to view and edit ISIR data on FAA Access to CPS Online.
-
Ensure that the workstation or network drive which your EDExpress database sits on is secured and password-protected and that the workstation is locked when you are not present.
-
Exit EDconnect and EDExpress completely when leaving a workstation for long periods.
-
Have a unique user ID and password.
-
Choose passwords that cannot be guessed easily.
-
Don’t leave login information in public view.
-
Don’t allow students to enter or edit any information in your software.
-
Keep all personal information printed from software or ED websites in a secure place.
-
Have the appropriate level of access.
-
Close student records when updates are completed.
-
Delete access for staff who are no longer employed or responsible for FSA program administration.
Since software programs such as EDconnect and EDExpress are used to access student records and build a database of student information, the school must be careful to restrict access to the software to those staff members who are authorized to view and/or change student records.
When software is installed on a server and will be used by multiple users, the systems administrator will assign access rights to each of the individual users.
OPTIONS FOR CONTROLLING DATA FLOW AND USER ACCESS
Creating separate SAIG mailboxes
One way to organize the exchange of FSA data is to create separate SAIG mailboxes for different kinds of data. For instance, you could establish one mailbox solely for ISIR data, and another mailbox solely for COD data.
The SAIG enrollment process gives you the choice of the following types of data for a mailbox:
-
CPS—ISIR batch data, FAA Access to CPS Online services
-
COD—Exchange Direct Loan or Grant Services, which includes Pell Grant, Iraq and Afghanistan Service Grant, and TEACH (Teacher Education Assistance for College and Higher Education) Grant data; COD Online services; FISAP, the Campus-Based programs, which includes FWS (Federal Work Study) and FSEOG (Federal Supplemental Educational Opportunity Grant) access and the Return of Title IV calculation tool
-
NSLDS—Enrollment reporting, transfer student monitoring and/ or financial aid history, guaranty agency annual reasonability, exit counseling reports, electronic cohort default rate (eCDR), notification package, and NSLDS online services
-
CSB—Direct Loan delinquency reports and borrower services
-
FAFSA on the Web data transfer site
-
Total and Permanent Disability (TPD) System—TPD loan holder notification
-
Enterprise Complaint System (ECS)
Schools that participate in the FSA programs are required to follow Federal Trade Commission regulations, which require all financial institutions to develop, implement, and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards designed to achieve the following objectives:
-
insure the security and confidentiality of customer information,
-
protect against any anticipated threats or hazards to the security or integrity of such information, and
-
protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
For more information on these requirements, see Volume 2, Chapter 7 of the FSA Handbook.
In theory, you could have a different mailbox for each of these types of data, but at most schools it would make more sense to combine some of these categories into one mailbox. For instance, staff members working with default prevention could be served by a single mailbox that collected NSLDS batches, eCDR information, and Direct Loan borrower delinquency reports. Or a school might have one SAIG mailbox for Direct Loan data coming from the COD system but a different one for getting grant data from COD.
Also note that you will need to establish separate SAIG mailboxes for additional locations of your school if the locations have different federal school codes for purposes of FAFSA/ISIR data. Similarly, a school can obtain separate Direct Loan codes for approved additional locations, if it wants to set up a mailbox to receive DL data for just that location.
Setting user permissions in the software
If you are acting as the systems administrator and are setting up EDconnect or EDExpress software on a PC, you can set the access rights for each security group that you create. All of the users in a security group have the same access rights.
Your EDExpress security groups do not have to mirror your EDconnect security groups because the access rights that are being assigned are quite different. EDconnect controls the ability to send and receive files to and from FSA, and we recommend that you only establish one security group for each of your school’s mailboxes. EDExpress controls the functions for working with the individual records (viewing, updating, printing, etc.).
-
EDconnect—Security View > Properties. Since you will only create one EDconnect security group for each of your SAIG mailboxes, all of the users in that group have the same access to the mailbox. In other words, you cannot limit their access so that they can send/ receive only certain types of files.
-
EDExpress—Tools > Setup > Global > Security Groups. Because you can create multiple security groups in EDExpress, you can set very specific levels of access to different types of data (Global, App Express, Packaging, Direct Loan, Pell, TEACH, and COD). For instance, you could create a security group just for your counselors, with permission to view (but not edit) ISIR records, while another security group of more senior staff would have the ability to edit ISIRs, as well as access rights for COD data.
You can organize your security groups to control workflow. For instance, you might give your COD workgroup the ability to create and update common records but not give them the permission to transmit files in EDconnect. A member of the EDconnect security group for the SAIG mailbox would be responsible for sending and receiving files on a predetermined or ad hoc schedule. This would be one way to stage your work in larger batches.
Setting file paths
EDconnect automatically downloads NSLDS files into the default folder C:\NSLDS\Files. All other files (COD, CPS, PMESSAGES, etc.) are automatically downloaded to the default folder C:\IAM\DATA. If you change EDconnect to download or send non-NSLDS files to a location other than C:\IAM\DATA, use File Management in EDExpress to tell EDExpress where to look for the files.
You may find it convenient to have different types of data sent to different folders on a single-user PC or a network. This can be done by setting file paths in EDconnect. There are two ways to do this:
-
EDconnect—Different file paths for each type of message can be set in the “Message Class Manager” in EDconnect. For instance, you could specify that all processed ISIRs be placed in a network folder on the “F” drive. To ensure the security of this data, use of the F drive would be restricted to counselors and other aid staff working with student aid applications and verification.
-
EDconnect—User-specific file paths can be set in EDconnect so that when a user logs in, any files that he or she downloads will go to that user’s designated folder. Note that this method can create problems if a user automatically downloads all files to his or her folder, including files that other users need.
Your systems administrator can provide an additional layer of security by controlling which users have access to the data kept in folders on a shared drive.
SAIG mailbox rules and security groups
For each SAIG mailbox that it establishes, a school must designate at least one destination point administrator or DPA who is responsible for the security of the data sent and received through that mailbox.
-
Only the DPA of one SAIG mailbox can have access to the NSLDS website.
-
In EDconnect, there will be a “security group” of users at the school for each SAIG mailbox; users will have the same SAIG password and common access to that mailbox.
-
In EDExpress, security groups have the capability to read and modify different types of files.
The EDExpress security groups are not necessarily associated with a particular mailbox and can have different users than the EDconnect security groups.
Security group setup examples
SAIG mailboxes at Career Tech: single security group
Career Tech has set up two SAIG mailboxes for the two members of its small financial aid office. Bill Frisell and Steve Lacy use the first mailbox to exchange CPS, COD, and NSLDS batch files. Because each NSLDS online user is the destination point administrator (DPA) of their own mailbox, Steve Lacy has a separate mailbox to receive files he requested from the NSLDS System. Both Bill and Steve are assigned to the same security group in the EDExpress software, in this case “Express Administration.”
SAIG mailboxes for AEC University: multiple security groups
AEC University has a larger aid office and has set up separate mailboxes for staff who work with application data (ISIRs) and those who are responsible for Pell and Direct Loan awards (COD). Each security group has its own TG number and SAIG password, which are used by all the users in that group. Note that Joseph Jarman belongs to both the COD and Apps Groups. In addition, several of the staff have individual mailboxes so that they can have access to the NSLDS website.
AEC University uses a product called Finaid Software to create and modify student records. Staff members are given access to different types of records, depending on their responsibilities. The various security groups are listed on the right-hand side of the page.
Security group setup examples (continued)
AEC University (continued)
SAIG mailboxes at TriState College: multiple locations
TriState College has campuses in three different locations, so it has requested and received a different federal school code for each campus. Therefore, Tristate has three different mailboxes for ISIR data. (This example does not show TriState’s other SAIG mailboxes for COD, NSLDS, etc.)
Security group setup examples (continued)
TriState College (continued)
Password requirements
As a system owner/manager, you must ensure these security precautions are followed:
-
Your systems should support authentication of individual users.
-
Passwords should not be stored in clear text or in any easily reversible form.
-
Regular changing of passwords should be systemically enforced in accordance with procedures outlined in the system security plan.
-
Users should be warned when a password is about to expire and prompted to change a password that has expired.
-
User accounts should be disabled after three consecutive invalid attempts are made to supply a password.
-
Reinstatement of a disabled user account should require the assistance of a help desk technician or a system administrator.
The FSA ID password
-
must have a minimum length of 12 characters
-
must contain each of the following four types of characters:
-
English uppercase letters (A-Z),
-
English lowercase letters (a-z),
-
Westernized Arabic numerals (0-9), and
-
non-alphanumeric special characters, specifically !, @, #, $, &, *
-
-
cannot contain any words that are easily guessed like dictionary words, names, or acronyms
-
must contain at least four alphabetic characters
-
cannot contain three or more identical characters in a row
The EDExpress password
-
must be a minimum of 12 characters
-
must include:
-
at least one uppercase letter
-
one lowercase letter
-
one number, and
-
one keyboard character that is not a letter or number (such as an exclamation mark or other punctuation symbol)
-
-
requires a minimum of 24 password resets before allowing a password to be reused
-
must be changed after 90 days
The SAIG password
-
must be a minimum length of eight characters
-
must begin with an alpha character
-
must contain at least two alpha characters of different cases (uppercase/lowercase) and at least one numeric character
-
cannot be the word “PASSWORD” (uppercase, lowercase, or mixed case)
-
cannot be the same as any of the previous five passwords
-
will be locked out after three failures. (You must wait 30 minutes for your password to be unlocked. After 30 minutes, you can try again.)
-
can contain special characters, but it is not required [SAIG passwords can contain special keyboard characters, such as @, #, and $, but because some computer platforms use certain special characters as command characters, we recommend avoiding % (percent), ^ (caret), & (ampersand), \ (backslash), / (forward slash), < (less than), > (greater than), and |(“pipe” symbol).]
-
expires every 90 days
Knowledge Center
https://fsapartners.ed.gov/knowledge-center
The Knowledge Center is your link to official guidance on FSA program requirements, including the annual FSA Handbook and ongoing updates in the form of Dear Colleague Letters and electronic announcements.
Software and other tools
https://fsapartners.ed.gov/knowledge-center/topics/software-and-other-tools
The IFAP website has information about ED-developed software (e.g., EDExpress and Direct Loan Tools), as well as user guides and technical references for FSA systems.
IPEDS Training Center
Any SAIG mailbox or destination point is identified by its TG number.
For network setups, the executable files for EDExpress are loaded onto individual PC’s, but the database file (***.accdb) is loaded onto a network drive. A student record in the database file can only be opened by one user at a time.
When you change the default paths for files, you MUST make sure that you change them identically in EDconnect and your financial aid software (e.g., EDExpress) so the two software programs both know where to store and where to find student records. To change file paths in EDconnect, go to: Tools/Setup/File.