Financial information is a valuable target for cybercrime, for obvious purposes such as redirection of funds via online banking platforms or hijacked tax returns. Banks were among the first targets of cybersecurity attacks in the 1990s and Congress moved quickly to enact regulatory oversight to protect consumers’ electronic financial information and the money associated with it. But banks aren’t the only types of organizations that process financial information: higher education institutions process plenty of student financial data, especially financial aid information. As banks improve their security posture and become less appealing targets, cybercriminals increasingly target educational institutions’ financial records.
The Gramm-Leach-Bliley Act (“GLBA”, US Code § 6801), passed in 1999, requires financial services organizations, which include postsecondary educational institutions, to ensure the security and confidentiality of student financial aid records and information. Thus, higher education institutions, such as universities, community colleges, and trade schools that process student financial aid information are subject to the same cybersecurity requirements as banks.
The GLBA leaves it up to the institution to determine the actual specific security safeguards it enacts to ensure those protections required below:
Develop, implement, and maintain a written information security program;
Designate the employee(s) responsible for coordinating the information security program;
Identify and assess risks to customer information;
Design and implement an information safeguards program;
Select appropriate service providers that are capable of maintaining appropriate safeguards; and
Periodically evaluate and update their security program.
Determining appropriate cybersecurity safeguards—aka “controls”–can be a challenge, as there are myriad controls frameworks to draw from. To make it easier on higher education institutions to select controls, in 2016 the Undersecretary of the Department of Education (DoEd) released a general recommendation of the National Institutes of Standards and Technology (NIST) Special Publication (SP) 800-171. NIST SP 800-171, titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”, lists a set of 110 controls organizations can implement to protect unclassified but sensitive information, or Controlled Unclassified Information (CUI). The National CUI registry lists General Financial Information, including customer information held by a financial institution, as a CUI category.
In the general recommendation memo, the DoEd “strongly encourages institutions to review and understand the standards defined in the NIST SP 800-171.” While they recognize the 110 controls require investment and effort, they go on to “strongly encourage those institutions that fall short of NIST standards to assess their current gaps and immediately begin to design and implement plans in order to close those gaps using the NIST standards as a model.”
We agree wholeheartedly with the DoEd recommendation of NIST SP 800-171 as a foundational set of cybersecurity safeguards to protect sensitive information. In fact, we’ve been advocating the adoption of NIST SP 800-171 for “covered entities” and “business associates” in the health care sector that must adhere to the HIPAA/HITECH security rule. NIST SP 800-171 is a comprehensive set of controls to protect the confidentiality and integrity of information as processed in an organizational IT system.
Furthermore, if the higher education institution processes CUI as part of Department of Defense (DoD) contracts, such as those associated with research and development projects, then that institution is bound by Federal regulation to implement a NIST SP 800-171 compliant cybersecurity program. This implementation is subject to assessment by the DoD and will soon be subject to an official certification process, the Cybersecurity Maturity Model Certification (CMMC).
Totem has been working with the NIST SP 800-171 standard since its inception, helping private sector organizations develop their cybersecurity program around the 110 controls. We cut our teeth with Department of Defense contractors, as our parent organization is a Prime US Air Force contractor, required to implement a NIST SP 800-171 compliant cybersecurity program. But we also serve clients in the health care and education sectors.
Our engineers and analysts hold cybersecurity graduate degrees and expert-level industry certifications. We purpose built an online cloud-based tool to help our clients plan their cybersecurity program around NIST SP 800-171. The tool helps an organization assess their current state of compliance and acts a repository for the System Security Plan—the set of cybersecurity policies, processes, procedures as well as the descriptions of the technology used to enforce those policies.
Whether the educational institution has student financial records to protect under the GLBA or DoD-related CUI to protect as required by the DoD, Totem has the experience and expertise to help.