The Regulatory Burden

Colleges have daunting privacy and cybersecurity requirements under the Family Educational Rights and Privacy Act (FERPA). FERPA imposes privacy protections and access restrictions on student records, so colleges must keep academic records secure and manage permissions from third parties (parents, for example) who may or may not have authorization to see records.

All the standard privacy laws (HIPAA, Gramm-Leach-Bliley, GDPR) extend to the personal data of others who might be in a college’s database: faculty, staff, contractors and perhaps even parents.  

Most colleges and universities either bid on government research projects or accept federal dollars for financial aid. In either case, those institutions must also meet the security standards of NIST 800-171. Projects related to military or national security issues (say, artificial intelligence research) can also face export control restrictions, under which foreign nationals working with the school (a visiting professor from overseas, for example) cannot be allowed to access project data.

Compliance Objectives

Higher education must use multiple frameworks to address security compliance concerns.

For example, the Federal Financial Institutions Examination Council (FFIEC) has a Cybersecurity Assessment Tool to help map security controls to privacy rules for personal data. Colleges can also use the Institutions of Higher Education Compliance Framework to assess and manage security related to federal financial aid. NIST 800-171 applies to security on government contracts, and CISOs concerned about commercial tech service vendors may want to use the vendors' own SOC 2 audits and remediation plans. The compliance objectives CISOs would want to pursue include the ability to:

  • Assess the starting security posture of their systems and any third parties they use.
  • Identify security gaps they must fill to meet regulatory requirements.
  • Establish corrective steps that might be necessary and assign them to control owners.
  • Monitor whether those fixes are on schedule.
  • Monitor usage of IT services to see whether new third parties are on the network.
  • Conduct any new risk assessments that might be necessary as new regulations emerge.

Higher Education-Related Use Cases

Related use-case content is available for the following frameworks:

  • COSO
  • GDPR
  • CCPA
  • FedRAMP
  • HIPAA
  • PCI
  • COBIT
  • SOC
  • ISO
  • SSAE 18
  • HITRUST
  • SOX
