The Regulatory Burden
Colleges have daunting privacy and cybersecurity requirements under the Family Educational Rights and Privacy Act (FERPA). FERPA imposes privacy protections and access restrictions on student records, so colleges must keep academic records secure and manage permissions from third parties (parents, for example) who may or may not have authorization to see records.
All the standard privacy laws (HIPAA, Gramm-Leach-Bliley, GDPR) extend to the personal data of others who might be in a college’s database: faculty, staff, contractors and perhaps even parents.
Most colleges and universities either bid on government research projects or accept federal dollars for financial aid. In either case, those institutions must also meet the security standards of NIST 800-171. Projects related to military or national security issues (say, artificial intelligence research) can also face export control restrictions under which foreign nationals working with the school (a visiting professor from overseas, for example) cannot be allowed to access project data.
Compliance Objectives
Higher education must use multiple frameworks to address security compliance concerns.
For example, the Federal Financial Institutions Examination Council (FFIEC) has a Cybersecurity Assessment Tool to help map security controls to privacy rules for personal data. Colleges can also use the Institutions of Higher Education Compliance Framework to assess and manage security related to federal financial aid. NIST 800-171 applies to security on government contracts, and CISOs concerned about commercial tech service vendors may want to review those vendors' SOC 2 audits and remediation plans. The compliance objectives CISOs would want to pursue include the ability to:
- Assess the starting security posture of their systems and any third parties they use.
- Identify security gaps they must fill to meet regulatory requirements.
- Establish corrective steps that might be necessary and assign them to control owners.
- Monitor whether those fixes are on schedule.
- Monitor usage of IT services to see whether new third parties are on the network.
- Conduct any new risk assessments that might be necessary as new regulations emerge.