Higher Education Must Ensure Information Security
I was talking to my colleague, Nicole White, the other day about the need for DoD contractors to implement NIST 800-171 controls before the end of 2017 to comply with DFARS 252.204-7012. For over ten years, InfusionPoints has been helping Federal agencies implement the entire suite of FISMA controls. Now our company is thoroughly engaged in helping private industry, DoD primes and subs, to implement similar controls. Soon, Nicole and my conversation turned to other entities outside the Federal government and we chatted about the information security rules that have been applied in a greater degree in the past two years to institutions of higher education.
On July 29, 2015 the Department of Education published the Dear Colleague Letter GEN-15-18. The summary of this letter was to remind institutions of higher education and their third-party servicers of their continuing obligations to protect data used in all aspects of the administration of the Title IV Federal student financial aid programs.
Nicole reminded me that in this letter and a follow-up in 2016 (GEN-16-12) the Department of Education laid out its plan to regulate universities and colleges data security practices with regards to the use and collection of Personally Identifiable Information (PII) to the standards of the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule.
The GLBA requires colleges and universities to, among other things:
- Designate one or more employees to coordinate its information security program;
- Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
- Design and implement a safeguards program, and regularly monitor and test it;
- Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information; and
- Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.
This letter and the intent it serves become increasingly significant when you factor in that institutions of higher education have some of the highest instances of data breaches. Nicole mentioned that since 2005 higher education institutions have had more than 500 breaches, involving nearly 13 million known records with nearly 35% of all reported data breaches taking place at higher education institutions.
Implementing the standards set forth by the GLBA can be a massive undertaking for educational institutions and partnering with the right cybersecurity firm can help alleviate some of the burden.
At InfusionPoints we have the tools and cybersecurity experts available to make GLBA compliance and implementation as easy as possible. We have over ten years of experience implementing NIST 800-53 security controls for the government and can leverage that expertise to help you perform in-depth risk assessments, build more robust security controls, and manage and defend your systems. We can also provide 24/7 log management and monitoring, so that risks can be quickly identified and removed before a breach can occur. For more information on how we can help you implement the safeguards set forth in the GLBA please contact our team.