Assessing Risk in Higher Education

Assessing Risk in Higher Education


How is your institution assessing risk?
By J.J. Widener, CIO | CISO | Cybersecurity and InfoSec Evangelist at Seward County Community College

Every day new threats and vulnerabilities are evolving, or found. There isn’t a day that goes by that I don’t receive a new notification about a developing ransomware attack, or a new Common Vulnerability or Exposure (CVE) being published that will need to be immediately patched. The threat landscape is growing at a faster rate than most of our institutions can keep up with, and this is especially true for Higher Education institutions. Higher Ed is in the top 5 of the most attacked industries, and on top of that is one of the most regulated industries in America. New regulations that are increasingly becoming important are GDPR and GLBA.

General Data Protection Regulation (GDPR):

Let’s start with the new General Data Protection Regulation (GDPR), and how a regulation in the EU can have such a profound impact on the US. The Privacy Shield Act replaced the International Safe Harbor Privacy Principle, and will completely change how US organizations handle Personal Identifiable Information (PII). There are 10 steps to reach GDPR compliance, which are modified and condensed from Gartner:

  1. Determine responsibility for GDPR, similar to GLBA, someone has to be responsible for this process.
  2. Determine legal grounds for processing data of EU citizens, and business process owners will need to be aware any time they are processing EU citizen data.
  3. All data processed will need to have a purpose, for example, applying for scholarships.
  4. EU Citizens can enforce their rights to have their data removed from any information system. Some recommendations include creating an electronic form or portal for EU citizens to make this request. Manual paper requests, via written letter, can also be made to the institution. Data retention policies can also help minimize requests and risk to the organization for processing data that isn’t necessary.
  5. Consent must be given. For a Higher Ed institution, if a student requests information from a website, that is consent. If a student does a web search for the institutions MBA program, it is not considered giving consent. With the onslaught of CRM tools and web tracking for admissions programs, caution must be used if that website visitor is from the EU.
  6. Include the following information in the institutions Privacy Notice:
    • An introduction of the data controller (“who we are”)
    • An explanation of the personal data that is processed
    • A description of the purposes for which that personal data is processed
    • An explanation for the duration of the retention periods applicable
    • A description of data processors that are involved on behalf of the data controller
    • An indication of who to contact (“contact us”) in case of a complaint, a question, or when a data subject wishes to exercise his or her rights
  7. Appoint a Data Privacy Officer (DPO). This could also be a team effort, with a team leader being designated as the DPO.
  8. Organizations that don’t have a presence in the EU will need to appoint a representative from the institution to be a liaison with the regulatory authorities.
  9. Will you be fined for a data breach? Not necessarily, it all depends on what data was compromised, and if it contained PII of EU citizens. All data breaches must be reported within 72 hours to the regulatory authorities, and notification to any EU subjects “without undue delay”.
  10. Security and Risk Management team must consider already existing security controls, and if the institution cannot perform the required functions, then a 3rd party service might be needed. Similar to GLBA compliance, continuous information security risk assessments will be needed, along with a program for controlling risk, will also be necessary.

Most of these steps to compliance cannot be completed without an ongoing understanding of current risk affecting the institution. The risk of noncompliance of GDPR can be very costly, given the financial penalties that can be enacted by the new regulation.

Gramm-Leach Bliley Act (GLBA):

Another regulation that effects Higher Ed is the Gramm-Leach Bliley Act (GLBA), which requires all institutions to perform a risk assessment on their environment, and submit the results with their Fiscal Year (FY) 2018 audit. The auditing bodies will be looking for the information security risk assessment, and compliance with the Safeguards Rule according to GLBA. To summarize the Safeguards Rule in 3 easy steps:

  1. Appoint someone responsible for information security risk.
  2. Perform a risk assessment.
  3. Have an action plan in place to implement the recommended controls from the risk assessment, and perform ongoing risk management practices.

Every Higher Ed institution must have a risk assessment, and the recommendation is to have them done on a yearly basis. Risk assessments aren’t simply scanning for vulnerabilities, but it includes reviewing, examining, and testing current controls in place. Staff interviews need to be performed, because the largest risk to any institution is also the most valuable asset, our employees. It is not only a recommendation by every auditing and information security governing body (like ISACA and ISC2), but now a requirement by the US Government to perform risk assessments to be compliant with GDPR and GLBA.

How OculusIT can help:

Oculus IT can help assess your environment by scanning all of your systems, performing onsite interviews, reviewing system configurations, and providing an in-depth risk assessment report that outlines all of the critical information needed to make business decisions, which in turn will help the institution implement the correct information security controls to mitigate unnecessary risk.