Higher education simmers with security risk. Institutions are highly regulated; their stock-in-trade is sensitive information (from personal data about students and staff to research data with national security implications); and the IT infrastructure colleges run can change rapidly as users bring new devices or new services onto the network.
Colleges have daunting privacy and cybersecurity requirements under FERPA, the Family Educational Rights and Privacy Act. FERPA imposes privacy protections and access restrictions on student records, so colleges must keep academic records secure and manage permissions from third parties (parents, for example) who may or may not have authorization to see records.
The standard privacy laws also apply to the other personal data in a college's systems: HIPAA to health records held by campus clinics and health plans, Gramm-Leach-Bliley to the financial information collected for student aid, and GDPR to data about EU residents. Those records cover faculty, staff, contractors, and perhaps even parents, not just students.
Most colleges and universities either bid on government research projects or accept federal dollars for financial aid. In that case, those institutions must also meet the security standards of NIST SP 800-171, which governs the protection of controlled unclassified information (CUI) held on non-federal systems. Projects related to military or national security issues (say, artificial intelligence research) can also fall under export control restrictions, where foreign nationals working with the school (a visiting professor from overseas, for example) cannot be allowed to access project data without authorization.
Higher education must use multiple frameworks to address its security compliance concerns.
For example, the Federal Financial Institutions Examination Council (FFIEC) publishes a Cybersecurity Assessment Tool that institutions can use to gauge the maturity of the controls protecting personal financial data. Colleges can also use the Institutions of Higher Education Compliance Framework to assess and manage security related to federal financial aid. NIST SP 800-171 applies to CUI handled under government contracts; and CISOs concerned about commercial tech service vendors may want to review those vendors' SOC 2 reports and track their own remediation plans. The compliance objectives CISOs would want to pursue include:
Assess the starting security posture of their own systems and any third parties they use;
Identify security gaps they must fill to meet regulatory requirements;
Establish corrective steps that might be necessary, and assign them to control owners;
Monitor whether those fixes are on schedule; and
Monitor usage of IT services to see whether new third parties are on the network;
Conduct any new risk assessments that might be necessary as new regulations emerge.
As a cloud-based solution, ZenGRC deploys simply and quickly (six to eight weeks), even across a large enterprise. It provides a unified platform to manage controls across multiple frameworks, and a dashboard that lets CISOs monitor key performance indicators for compliance and IT security efforts.