By Adam Petrovsky, GovEd Practice Leader, Logicalis US
Today, there is a distinct urgency among CIOs and CISOs at colleges and universities nationwide to shore up their IT security measures. Because of the sensitive nature of the information universities possess, when they are not adequately protected, it’s like they’re waving a red flag for cybercriminals saying, “This is the best data – come and get it.”
The chief problem for institutions of higher learning is that they gather and store very diverse kinds of data – including everything from medical information to financial and credit card data – on both students and their parents. And, of course, there are transcripts and disciplinary records, class schedules and emergency contacts as well. But colleges are also running bookstores and restaurants and infirmaries, which means they are responsible for complying with at least five major privacy-oriented regulations, including the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Children’s Online Privacy Protection Act (COPPA) and the Payment Card Industry Data Security Standard (PCI DSS), as well as a host of state-by-state regulations regarding data breach notifications. In fact, experts estimate that, through a single incident, a college or university could be forced to contend with as many as 100 different breach notice laws.1
Unlike enterprise organizations that can both limit access to sensitive or encrypted data and can often remotely wipe clean a device that provides that access if it is lost or stolen, universities are unable to enforce that level of compliance among their student bodies.
For institutions of higher learning, this presents more than an IT – or even a legal – conundrum. Since colleges and universities attract professors, students and donors based on their reputation, a single breach can also impact the school’s personnel, enrollment and bottom line. As a result, the Higher Ed industry is at a tipping point when it comes to cybersecurity; it’s no longer a question of “if” a university will be breached, it’s a question of “when” – and whether or not the school’s response will be adequate.
Four Ways Colleges Can Strengthen Their Cybersecurity Programs
Since breaches can’t be entirely blocked, it’s important that colleges and universities take these four important steps that will bolster their cybersecurity plans.
- Conduct a Data Security Audit: Knowing what you’re trying to protect and identifying some of the common ways that data could be breached is a logical first step. An in-depth data security audit performed by an experienced cybersecurity solution provider like Logicalis, however, digs much deeper. Auditors should look at the types of data the college has stored and where it is located (on campus or in the cloud). They will identify the servers, workstations, laptops or mobile devices that have access to that data. And they will examine the university’s existing policies regarding data breaches. Every institution of higher learning should have a fully documented security framework for data breach prevention, including a training component to keep students, faculty and vendors up to date on the latest safe data-handling policies.
- Adopt a Common Security Framework: A Common Security Framework (CSF) – also known as an IT Security Framework or an Information Security Management System – is a critical component of any higher education security strategy. The CSF gives you a set of documented policies and procedures that act as a sort of blueprint for your security protocols. While there are a number of reliable CSFs available – including frameworks like NIST SP 800, ISO 27000, SANS 20/CIS 20, HITRUST and COBIT – choosing the right one is often a difficult task and is something that an experienced partner can help you do. In addition to being a competitive differentiator, implementing a common security framework can give your college an improved security posture and the ability to meet some very specific compliance requirements.
- Re-Think User Access and Administrative Roles: Denying access to a particular class of data may make some people inside the university system uncomfortable, but it’s a critical step in protecting data from loss. To determine who actually needs access to key types of data, start by classifying the data into categories. By tightening restrictions on data access, it’s easier to prevent unintended disclosures of that data. In addition to re-examining who can access sensitive data, it is also important to think about who really needs administrative privileges. Oftentimes, administrative access is granted to department heads or even groups of support people for internal “political” reasons rather than necessity. In gray areas, relying on an experienced third party may help clarify the access structure that will best protect your data while still satisfying your users’ needs.
- Develop and Test Your Incident Response Plan: As noted earlier, the university’s reputation may depend on how its IT team responds to a data breach, making the development and testing of an incident response plan paramount for every institution of higher learning. Since the cybersecurity community generally agrees that there is no silver bullet when it comes to preventing an attack, it’s critical to have a well-oiled plan in place to detect and stop a breach when it occurs. First, define your incident response plan. Who is your team? Is your plan incorporated – in writing – into your security framework documentation? When was the last time you ran an incident response drill? If it’s been a while since you last updated your incident response protocols, a great place to start is the Educause library where you will find best practices specific to higher education. And if you don’t have an incident response plan, hire an expert in IT security specific to the education market to help you develop one.
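The audit and access-review steps above (know what data you hold and where it sits, classify it, then check who can reach each class and who holds administrative rights) can be turned into a repeatable check. The script below is an added illustration, not Logicalis code or a tool the article names; the data inventory, role policy and access grants are all constructed inline to stand in for what an institution would export from its asset register and directory or IAM system.

```python
"""Least-privilege review over a classified data inventory (constructed example)."""
from collections import defaultdict

# Data stores labelled by the regulation that governs them and where they live.
# Constructed sample; a real inventory would come from the data security audit.
DATA_STORES = {
    "sis-db":        {"class": "FERPA",   "location": "on-campus"},
    "health-portal": {"class": "HIPAA",   "location": "cloud"},
    "bookstore-pos": {"class": "PCI DSS", "location": "on-campus"},
    "course-wiki":   {"class": "PUBLIC",  "location": "cloud"},
}

# Which data classes each role is permitted to touch (the written access policy).
ROLE_POLICY = {
    "registrar":    {"FERPA", "PUBLIC"},
    "clinic-staff": {"HIPAA", "PUBLIC"},
    "bookstore":    {"PCI DSS", "PUBLIC"},
    "student":      {"PUBLIC"},
    "sysadmin":     {"FERPA", "HIPAA", "PCI DSS", "PUBLIC"},
}

# Access grants as they might be exported from a directory (constructed sample).
# "justification" is a hypothetical field: the change ticket that approved admin rights.
ACCESS_GRANTS = [
    {"user": "alice", "role": "registrar",    "store": "sis-db",        "admin": False, "justification": ""},
    {"user": "bob",   "role": "clinic-staff", "store": "sis-db",        "admin": False, "justification": ""},
    {"user": "carol", "role": "bookstore",    "store": "bookstore-pos", "admin": True,  "justification": ""},
    {"user": "dave",  "role": "student",      "store": "course-wiki",   "admin": False, "justification": ""},
    {"user": "erin",  "role": "sysadmin",     "store": "health-portal", "admin": True,  "justification": "CHG-0042 (constructed)"},
    {"user": "frank", "role": "student",      "store": "sis-db",        "admin": False, "justification": ""},
]


def review_access(grants, stores, policy):
    """Return findings as (kind, user, store, data_class) tuples.

    excess-access:     the grant reaches a data class the user's role is not allowed
    unjustified-admin: administrative rights with no recorded approval
    unknown-store:     a grant points at a store missing from the inventory
    """
    findings = []
    for g in grants:
        store = stores.get(g["store"])
        if store is None:
            findings.append(("unknown-store", g["user"], g["store"], None))
            continue
        data_class = store["class"]
        allowed = policy.get(g["role"], set())  # unknown role => nothing allowed
        if data_class not in allowed:
            findings.append(("excess-access", g["user"], g["store"], data_class))
        if g["admin"] and not g["justification"].strip():
            findings.append(("unjustified-admin", g["user"], g["store"], data_class))
    return findings


def exposure_by_class(grants, stores):
    """Map each data class to the set of users who can reach it.

    This is the population whose credentials, if compromised, would expose that
    class; a large set for a regulated class is itself an audit finding.
    """
    exposure = defaultdict(set)
    for g in grants:
        store = stores.get(g["store"])
        if store is not None:
            exposure[store["class"]].add(g["user"])
    return dict(exposure)


def cross_regime_users(grants, stores):
    """Users holding access to more than one regulated (non-PUBLIC) data class."""
    per_user = defaultdict(set)
    for g in grants:
        store = stores.get(g["store"])
        if store is not None and store["class"] != "PUBLIC":
            per_user[g["user"]].add(store["class"])
    return sorted(u for u, classes in per_user.items() if len(classes) > 1)


if __name__ == "__main__":
    for finding in review_access(ACCESS_GRANTS, DATA_STORES, ROLE_POLICY):
        print("FINDING:", *finding)
    for data_class, users in sorted(exposure_by_class(ACCESS_GRANTS, DATA_STORES).items()):
        print(f"{data_class}: {len(users)} user(s) can reach it")
    print("users spanning several regulated classes:", cross_regime_users(ACCESS_GRANTS, DATA_STORES))
```

Run against the constructed sample it flags two students and a clinic employee with reach into FERPA records, and a bookstore admin account with no approval on record. The useful part is the shape: the inventory is the audit's output, the role policy is the written access structure the article recommends, and the grants are whatever the directory actually says, so the diff between policy and reality is what gets reviewed on a schedule rather than argued about case by case.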
Want to learn more? If you need help developing, testing or adjusting your incident response plan or simply want to discuss your school’s compliance with complex data security regulations, come meet with Logicalis GovEd and security experts during Educause, October 31-November 3, 2017. Next, explore the ways Logicalis helps colleges and universities safely provide a borderless digital learning environment, then download a document outlining the digital solutions on every university CIO’s list of top priorities.
Your university’s reputation is the key to its future – ask yourself what prospective students see on your college tour and explore three solutions every college campus needs to keep its students physically safe.