By Adam Petrovsky, GovEd Practice Leader, Logicalis US
Data breach, identity theft, credit card fraud and malware are top-of-mind challenges facing our digital, connected world. Cybersecurity analysis, threat and identity management, intrusion prevention, and determining encryption standards are challenging topics – making security frameworks more complex and constantly changing. For Higher Education organizations, these data security problems are magnified due to state and federal regulations.
College and university networks contain a wide variety of personally identifiable information (PII) which are prime targets for cybercriminals. Student-focused data represents a unique cross section of PII. This data may contain medical information, sensitive student identifiers, confidential files, financial/credit card data, report cards, transcripts, disciplinary records, contact and family information, and class schedules. Additionally, Higher Education organizations must comply with at least six major privacy-oriented regulations to protect sensitive information:
- Family Educational Rights and Privacy Act (FERPA) – gives parents certain protections with regards to their children’s education records.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) – A rule and a set of standards set up to ensure privacy of health information for patients.
- The Health Information Technology for Economic and Clinical Health (HITECH) Act, promotes the adoption and meaningful use of health information technology. Strengthens HIPPA.
- The Children’s Online Privacy Protection Act (COPPA) gives parents control over what information websites can collect from their kids.
- The Payment Card Industry Data Security Standard (PCIDSS) applies to any organization that accept credit card payments, and covers a broad range of security requirements and processes.
- State-by-State Regulations regarding data breach notifications. All states have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.
Creating a security framework that integrates the compliance requirements of these regulations can be daunting. The SANS Institute, in a posted Reading Room survey, estimates only 45% of Higher Ed organizations represented had formal risk assessment and remediation policies in place (worsening to only 31% in organizations with fewer than 2,000 employees). Beyond assessment, there are key strategies to consider when evaluating a comprehensive cybersecurity strategy for Higher Ed:
- Understand the systems of greatest risk. By evaluating data by functional systems, colleges and universities can pinpoint where they need to apply the greatest focus. Typically, these are administrative systems, faculty and staff computers (tied with web applications), and faculty and staff mobile devices. Additional targets should be identified.
- Identify and manage the sensitive data at risk. Thorough understanding of the above regulations can pinpoint PII, which deserves higher levels of security than other types of data. Encryption should be considered in a variety of ways. According to the National Institute of Standards and Technology (NIST) for recommended encryption level practices, it states that “when there is even a remote possibility of risk, encryption needs to be in place, and FIPS 140-2, which incorporates the Advanced Encryption Standard (AES) into its protocols is an ideal choice.”
- Take an architectural approach to cybersecurity. While it is important to identify where PII data exists in the network, a broader, structural approach to data integrity is critical. How data is transferred, switched, routed, computed and stored must be evaluated. Complying with regulations requires much more than password-protecting a laptop or workstation. Consideration of data at-rest when stored on school systems or temporary media devices is key. Remote access can also be a target for cybercriminals. A secure VPN, using Transport Layer Security (TLS) and AES encryption should be a cornerstone for securing data transfer.
- Data Security should include partners & consultants. 68% of survey respondents to the SANS report indicated they were dissatisfied with their existing set of solutions, manpower and budget to keep the college or university’s data secure. In some cases, this is due to a “lack of resources and needed support from top management and the environmental culture.” Managing a security-based platform can quickly become overwhelming. Data security and compliance with federal regulations may require outside help. Finding a knowledgeable partner and/or consulting firm that understands the challenges of the Higher Ed data set can be a powerful change agent. Many partners can provide real-time monitoring/management, quarterly risk assessments, a Higher Ed specific security framework and much more.
Colleges and universities represent a unique challenge from a data protection perspective. Staying up to date with state and federal regulations, understanding the PII, and managing to a Higher Ed focused security framework are amongst the top challenges for IT and Higher Ed.
Resources
https://www.sans.org/reading-room/whitepapers/analyst/higher-education-open-secure-35240
Please see below for a list of Logicalis security blogs by Ron Temske, Vice President – Security Solutions
Why Enterprise Security Architecture Matters
What is a Common Security Framework?
The Importance of Endpoint Security
What Would an Umbrella Approach to Security Look Like for Your Enterprise? (Part 1)
What would an Umbrella Approach to Security Look Like for your Enterprise? (Part 2)