Institutions of higher education (IHEs) are besieged by risk, especially cybersecurity and information security risk. Risk management for these institutions is critical but also extremely challenging, like trying to juggle balls and lighted torches all at once.
Colleges and universities are worlds in themselves, providing not only classroom learning but health care, living quarters, meals, athletics, entertainment, research opportunities, and more to students, faculty, and staff. To pull it off, higher education institutions must collect a lot of personal data such as health records, financial information, scholastic records, and insurance information. These are the details that enable colleges to meet the needs of so many people every day. But possessing all this data makes every college and state university an enticing target for cyberthieves.
In addition, universities may conduct sensitive research, even working with the federal government on projects. Protecting the proprietary information that goes into and comes out of those projects is another challenge, especially given the rise in nation-state cyberattacks.
Meanwhile, the rise in digital learning, although convenient for students, expands the attack surface: every remote-access path is also a potential entry point for cybercriminals into the institution's systems.
And then there are ancillary operations to consider. For example, there are development programs, which solicit and accept donations; third-party contractors, whose data must also be protected (and who must comply with the laws that the institution is required to follow); legal matters; and even retail sales. All these generate sensitive data, which must be protected—typically, not by a central enterprise risk management (ERM) team, as is the case with many corporations, but by multiple people working separately in a disparate, decentralized environment.
All the while, college and university risk managers must maintain compliance with a litany of laws and regulations:
- Family Educational Rights and Privacy Act (FERPA), which prohibits higher education institutions from disclosing education records or student personally identifiable information (PII) without the student’s written consent
- Federal Information Security Modernization Act of 2014 (FISMA 2014), which mandates the security of federal data
- Gramm-Leach-Bliley Act (GLBA), a law that requires financial institutions, a category that includes higher education institutions, to ensure the security and confidentiality of customer PII
- Health Insurance Portability and Accountability Act (HIPAA), a federal law mandating privacy protections for health records and other personal health information (PHI) and limiting their use and disclosure without authorization
- Higher Education Act (HEA), which requires colleges and universities with Title IV (financial aid) programs to enact information security policies, safeguards, monitoring, and management practices. In addition, new federal memos link these programs with GLBA and the National Institute of Standards and Technology’s (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
- Student Aid Internet Gateway (SAIG) Enrollment Agreement, requiring IHEs with Title IV programs to protect Federal Student Aid applicant information
- NIST SP 800-171, a federal cybersecurity framework with which institutions that bid on government research projects or accept federal dollars for financial aid must comply
Noncompliance with these laws and regulations could spell disaster for higher education institutions, not just because of reputational risk, but also because penalties can be so severe.
You’re All in This Together: Enterprise Risk Management
The number-one recommendation for Chief Information Security Officers (CISOs) and risk managers wishing to improve their institution’s security posture is to integrate the campus into a unified digital whole.
So often at colleges and universities, the left hand doesn’t know what the right hand is doing. Health services keeps students’ health data, for instance, while financial aid holds their financial records. That’s all well and good—to a point. But to effectively manage today’s security risks, someone needs to oversee the entire operation. Walls of separation need to tumble down, and the complete IT infrastructure needs to be managed as a cohesive whole. In the business world, this inclusive approach is known as “enterprise risk management”, or ERM.
ERM covers not just cybersecurity, but all risks, even those posed by natural disasters. It entails risk identification, risk assessment, and decision-making on an institution-wide scale. Steps include:
- Assess your starting point. What’s your institution’s security posture today? How secure are your contractors?
- Make improvements. Correct any deficiencies found in step 1.
- Look for new users. Monitor overall IT use to identify any new third parties on the network, and vet their security posture, as well.
- Identify gaps. Compare compliance requirements with what you’re doing, and see what must be done to fill them.
- Continuously monitor. Use software or other tools to track compliance and alert you when you fall short.
- Stay up-to-date. Know when new regulations or updates require changes, and make them as soon as possible.
Fortunately, a number of frameworks are available to help your institution manage risk and compliance.
- The Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool helps map security controls to privacy rules for personal data.
- The Institutions of Higher Education Compliance Framework helps assess and manage security related to federal financial aid.
- NIST 800-171 is a useful framework for compliance with federal security regulations regarding government contracts.
- System and Organization Controls 2 (SOC 2) is helpful for ensuring the effectiveness of controls at third-party service providers such as IT service vendors.
- The University Risk Management and Insurance Association offers many resources to members, including a risk management guide.
Get help if you need it
Keeping an entire higher education institution safe and resilient is an enormous job—too big for just one person, and maybe for an entire team. Those who’ve tried the task using spreadsheets wind up throwing up their hands in despair (or maybe they’re trying to keep their heads above the piles of paperwork).
Digital problems call for a digital solution. Software like ZenGRC simplifies the task of risk management and compliance with fast deployment, a user-friendly interface, system-wide gap analysis and to-do lists, continuous monitoring of risk and compliance posture, real-time compliance framework updates, vendor risk management, and more.