Privacy regulations continue to develop for Higher Education institutions. Although Higher Education has had to comply with the FTC's Safeguards Rule for some time now, a recent change by the Department of Education (ED) has elevated the importance of having a robust information security program. At a very high level, the Safeguards Rule requires an organization to "develop, implement, and maintain a comprehensive information security program that is written…", and it must contain appropriate "administrative, technical, and physical safeguards." This vague description has left room for interpretation, and Higher Education institutions have taken a variety of approaches.
In a 2016 "Dear Colleague" letter, ED announced that it was incorporating a Safeguards Rule Audit Objective into the Federal Single Audit process. This change is likely a reaction to various data breaches experienced by university systems and to growing public awareness of privacy issues. The requirement has been on hold but is expected to come into full effect for the 2021 audit process.
Although ED has not raised the standards beyond the Safeguards Rule itself, the letter shows an intent to focus more specifically on Higher Education's implementation of these programs. Based on current trends, ED will publish specific information security standards and more robust reporting requirements in the coming years.
This change coincides with an increase in FTC enforcement actions and fines related to improper reporting of cyber breaches. Although FAFSA aid has never been threatened by cybersecurity issues and Higher Education has not experienced FTC fines, a day may soon arrive when an organization that fails to properly implement a security program could lose access to Federal Aid Programs and even face FTC fines.
SpearTip has years of experience helping financial institutions comply with GLBA, investigate data breaches, and react to regulator actions. With this in mind, SpearTip has several high-level recommendations for consideration below:
- Ensure senior leadership at your organization has officially delegated responsibility for information security and privacy. This should not be an implied role, but one that is officially assigned. In small organizations, it may be held by the Chief Information Officer, but for most organizations it is preferable that it be held by a Chief Information Security Officer or a Chief Privacy Officer.
- Ensure your information security policies and procedures are up to date. At a minimum, this should include an acceptable use policy, a data classification policy, an incident response policy, and minimum-security guidelines for software and operating systems.
- Conduct a comprehensive risk assessment at least once a year. A basic risk assessment should include a review of your information security policies and procedures, internal threat hunting to detect unknown compromises, and a penetration test from both an internal and an external perspective. Given the high velocity of change in most organizations, it is ideal to perform the penetration test quarterly or once per semester.
- Develop a robust IT change control policy and process. The change control process should involve a validation from a security professional that the change does not create unreasonable risk to the organization. It should also maintain comprehensive documentation of the changes to show a referenceable history.
- Establish and maintain a user awareness training program. Not only will this help mitigate risk associated with social engineering attacks, but it will also improve the security culture of your organization. It is vital to educate your users on information security issues and ensure that everyone understands the security of personal information is a shared responsibility.
Stronger and more detailed requirements are coming for Higher Education. These are fairly basic recommendations, but a robust and effective information security program must go beyond basic compliance. There is an opportunity to get ahead of the curve, not only to comply with new ED requirements but also to improve your organization's security and reduce risk. Protecting student data is an essential activity for any Higher Education institution today.