Higher Education is a Large Target for the Adversary
From a practical standpoint, colleges and universities collect and store copious amounts of personal data to provide students with the best holistic experience.
However, as a deluge of recent data breaches demonstrates, these organizations are having an increasingly hard time protecting this information. Verizon’s most recent data breach report identified an escalation in the scope, frequency, and cost of education-related data breaches. In addition, IBM’s annual Cost of a Data Breach Report found that the average education-related record costs $200, nearly 25% more than in other industries.
Taken together, this reality should increase the impetus for higher education institutions to ensure that they are complying with relevant cybersecurity standards and meet higher education cybersecurity best practices.
Student Data Collection in Higher Education
While all academic organizations collect and store students’ personal information, colleges and universities collect more than any other educational institution because they account for students’ entire lives while they reside on campus.
For instance, in addition to personally identifiable information, like names, addresses, and phone numbers, colleges and universities collect healthcare data, financial information, and other sensitive details.
This data collection is both practical and opportunistic. Colleges have a responsibility to provide certain healthcare services, for example. At the same time, many schools are joining widespread big data initiatives to create better and more compelling platforms.
Regardless of the use case, higher education institutions have a responsibility to protect and secure this data, and several higher education cybersecurity guidelines apply.
Other Data Collection in Higher Education
Many colleges and universities enter into large research contracts with government agencies. These contracts can provide critical funding for higher education institutions, but in order to continue to receive them, institutions will need to implement more than the standard cybersecurity best practices.
Federal agencies, like the DoD, are requiring heightened cybersecurity measures (NIST 800-171) around controlled unclassified information (CUI):
- Controlled technical information
- Engineering drawings and data
- Research data
- Agricultural data
- Patent information
- Privacy, student, and health records
- Financial information
Applicable Regulatory Cybersecurity Frameworks
The Federal Information Security Management Act (FISMA)
This comprehensive data protection framework was issued in 2002 to reduce the risk of a data breach at government organizations. It identifies several best practices, including the categorization of protected information, implementation of baseline controls, active threat monitoring, and ongoing effectiveness assessments.
Health Insurance Portability and Accountability Act (HIPAA)
This privacy regulation has been around for more than two decades, and it sets data privacy and security parameters for organizations managing people’s protected health information (PHI). In addition to outlining specific compliance standards, HIPAA includes financial penalties for companies that can’t secure this critical information.
Health Information Technology for Economic and Clinical Health Act (HITECH Act)
These guidelines, implemented as part of the American Recovery and Reinvestment Act of 2009, encourage the use of health information technology while governing its implementation to protect patient privacy.
Payment Card Industry Security Standard (PCI)
Organizations that manage payment card information are required to follow PCI standards to ensure that highly sensitive payment information isn’t exploited at checkout. An independent body oversees this standard, which is broadly applicable to organizations in every sector.
The Gramm-Leach-Bliley Act (GLBA)
Signed into law more than twenty years ago, this compliance standard requires financial institutions to disclose their procedures for sharing and securing customers’ personal data.
NIST SP 800-171
These guidelines, issued by the National Institute of Standards and Technology in 2015, are intended to secure federal information stored in non-federal databases. They include broad requirements covering a variety of data security threats that apply to higher education, and compliance is required for higher education institutions that process Controlled Unclassified Information (CUI).
Picking the Best Cybersecurity Frameworks
To be sure, higher education institutions don’t entirely get to pick and choose their compliance standards. HIPAA and PCI compliance, for example, are requirements that these organizations need to follow. However, when adopting a general framework, the US Department of Education recommends that higher education institutions look to NIST SP 800-171 for several reasons.
Similarly, the Office of Federal Student Aid has issued guidance on NIST SP 800-171. That’s because these standards provide guidance for a broad range of risks, covering everything from access control to risk assessment. Colleges and universities face an ever-evolving threat landscape, and NIST SP 800-171 provides the most comprehensive guidance for defending personal data.
In addition, colleges and universities receiving grants from various Department of Defense (DoD) agencies must comply with NIST SP 800-171. Since many academic and research institutions receive DoD funding, this cybersecurity framework stands out as a baseline standard for higher education institutions striving to protect student data.
Notably, NIST SP 800-171 doesn’t identify specific objectives to achieve. Instead, it identifies individual controls and organizational actions, making it a practical and tangible document for academic institutions.
A Final Word
Securing student information is both a bottom-line issue and a matter of legal obligation for colleges and universities. In today’s increasingly fraught digital environment, people are unwilling to work with organizations that can’t protect their information, and fines and regulatory penalties can siphon away much-needed financial resources, creating a wave of cascading consequences that no institution wants to endure.
Of course, defending student data in today’s cybersecurity environment is uniquely challenging. As the Office of Federal Student Aid notes, “The Department understands the investment and effort required by institutions to meet and maintain the security standards established under NIST SP 800-171. Nonetheless, across the public and private sectors, it is imperative that organizations continue to enhance cybersecurity in order to meet evolving threats to CUI and challenges to the security of such organizations.”
Therefore, the Department adds, “We strongly encourage those institutions that fall short of NIST standards to assess their current gaps and immediately begin to design and implement plans in order to close those gaps using the NIST standards as a model.”
At Totem, our team is uniquely positioned to understand the requirements of NIST SP 800-171, and we can provide you with the tools and standards to help you achieve compliance. We help make colleges and universities compliant while also adding 18 controls that allow them to meet HIPAA requirements as well.
Indeed, data security is a heavy responsibility for higher education institutions, but they don’t have to undertake these initiatives alone. Contact us today, and let our experts help you protect student data.