You wake up to ten missed phone calls, three text messages, and a first-thing-in-the-morning meeting request from the president's office. The president received a letter late yesterday containing a notice of noncompliance with information security standards from the Department of Education (ED). As you listen to the voicemail, you think back several weeks to when two FBI agents visited you. You talked with your team, and they found no evidence of a breach. You assumed the screenshots the FBI provided came from a student's system or from another company, and you closed the investigation.
The letter states that private student information from your network was forwarded to ED. After some digging online, you come across a story on an investigative journalist's blog pointing to repositories containing private student information from your school. The story had been bubbling up in the cybersecurity news community but had not yet reached mainstream news outlets. ED is threatening to suspend FAFSA aid programs and payments immediately because it does not want to put additional student information at risk.
Although this story is fictitious, SpearTip sees this happening in other industries across the country, and it may soon be a reality for an unprepared Higher Education institution. Under ED directives, Higher Education has had to comply with the FTC's Safeguards Rule for several years. Recent changes have added a Safeguards Rule audit objective to the Single Audit process, raising the importance of compliance with the rule and signaling ED's focus on information security programs.
Although the Safeguards Rule generally requires a written security program containing controls that reduce risk, it does not prescribe how those controls are implemented, leaving much open to interpretation. Higher Education institutions have taken various approaches to compliance, but with the audit requirement in place, the standards applied will become more robust and specific over the next several years.
The following case study documents how SpearTip partners with Higher Education institutions not only to comply with the Safeguards Rule and prepare for the new audit requirement, but also to ensure the organization is appropriately protected against advanced cyber threats.
The Safeguards Rule
At the most basic level, a Higher Education organization is required to have an information security program that complies with the FTC's Safeguards Rule. Specific research grants and other programs may increase this burden on a university, for example by requiring NIST SP 800-171 compliance, but every institution must comply with the basic standards in the Safeguards Rule. It requires organizations to …
“…develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to the institution’s size and complexity, the nature and scope of institutional activities, and the sensitivity of any customer information at issue.”
Standards for Safeguarding Customer Information, 16 C.F.R. sec. 314.3 (2011).
Based on SpearTip's experience with GLBA compliance, an information security program must contain at least the following elements to comply with the Safeguards Rule:
- A designated individual responsible for coordinating the information security program
- Data mapping and classification procedures
- The ability to detect, prevent, and respond to attacks, intrusions, and other system failures
- A risk assessment process
- A change control process
- A vendor management process
- Regular adjustment of the information security program based on the results of the risk assessment process
In the past, Higher Education institutions simply had to attest to having a written information security program. The individual elements of that program were not tested during the Single Audit process, but this is changing. In a 2016 "Dear Colleague" letter, ED announced that it was incorporating a Safeguards Rule Audit Objective into the Federal Single Audit process. This change is likely a reaction to data breaches experienced by university systems and to growing public awareness of privacy issues. The requirement has been on hold but is expected to come into full effect for the 2021 audit process.
The initial audit requirement appears to focus on whether these elements are properly documented in written policies and procedures. We expect the requirement to expand over time so that audits test not only the presence of written policies and procedures but also adherence to them over a specified period. A performance-based audit of this kind will certainly be challenging for an unprepared Higher Education institution.
SpearTip has assisted several forward-thinking universities that want their information security programs to fully comply with the Safeguards Rule. SpearTip does this through an engagement called a Pre-Breach Risk Assessment.
Pre-Breach Risk Assessment
SpearTip's Pre-Breach Risk Assessment has been used by Higher Education institutions across the country to ensure that their information security programs comply with the Safeguards Rule. The engagement strengthens an existing information security program or, if none exists, helps implement one.
The first step in the engagement is to establish the organization's current cyber maturity. Measuring cyber maturity accurately is key to any successful risk management program: the rating determines next steps and shows areas of strength and weakness. In many cases, efforts to develop a risk management program fail because a complicated framework is selected before the current state is sufficiently understood. SpearTip establishes that baseline through a Security Architecture and Gap Analysis.
SpearTip has worked with several Higher Education clients to walk the fine line between effective security controls and the open environment that academic work requires. During the Security Architecture and Gap Analysis, SpearTip reviews all existing policies, procedures, guidelines, audit reports, and other relevant documents, identifies areas for improvement, and notes where documentation is missing. Key staff are also interviewed to measure how well the information security program has been operationalized, since a written policy that no one follows provides no protection. During this analysis, SpearTip tests for several hundred security controls mapped to multiple frameworks, so an organization that later needs to comply with one or more additional frameworks has a flexible information security program that can accommodate new requirements without being rebuilt for each one. This data is used to establish the current and desired future state of the cyber security model.
In addition to testing procedural controls, technical controls are evaluated through a three-phase approach. In the first phase, software agents are deployed throughout the environment for advanced threat hunting. This validates current configurations and other technical security controls and helps build a system inventory for data classification efforts. Dark web monitoring is also conducted to look for evidence, such as leaked credentials or data, that the environment was compromised in the past. In the second and third phases, a robust penetration test is conducted from external and internal perspectives. The penetration test further validates technical controls and develops attack vectors and scenarios for consideration when developing the information security program.
The three phases of technical-control evaluation inform the development of the procedural controls. After the data is collected and analyzed, SpearTip develops a comprehensive remediation strategy to help the organization reach its desired maturity level. Remediation may include policy development or technical configuration profiles that resolve the gaps identified during the assessment. Once remediation is complete, SpearTip validates that it was implemented successfully. Several deliverables are generated, including technical reports and a letter of attestation, which can be used during audits to show that the activities in the assessment process were completed successfully.