Institutions of higher learning are considered a prime target for hackers due to many factors. One of those factors is the well-reported lack of readiness and overall security preparedness. The Department of Education and the federal government have taken initiatives to enhance the security controls in higher education institutions. As noted in the Dear Colleague Letters GEN 15-18 and GEN 16-12, institutions of higher learning are expected to comply with the Safeguards Rule established by the Gramm-Leach-Bliley Act (GLBA). This data protection rule, passed in 1999, was established to protect the financial information of individuals held at financial institutions. The Federal Trade Commission (FTC) declared institutions of higher learning to be financial institutions, and full compliance with the data security Safeguards Rule is expected.
The Safeguards Rule under GLBA requires financial institutions to implement security measures to protect non-public personal information (NPI) of consumers. In the context of higher education, this would include personally identifiable financial information collected from students, parents, or other individuals.
In addition, higher learning institutions are expected to secure Controlled Unclassified Information (CUI) in accordance with the security requirements described in National Institute of Standards and Technology Special Publication 800-171R3 (NIST SP 800-171R3). Our IT General Control Testing addresses all requirements of the GLBA and NIST SP 800-171R3.
The mission of our team of experts is to aid institutions of all sizes. We will assist institution and IT leaders to identify gaps in compliance and in overall security. Our reporting process is executive friendly while addressing technical risks, and we will further help boards and leaders identify a roadmap to compliance.
To help cover all aspects of the Safeguards Rule, our penetration team will address the requirement for annual penetration testing in a combined testing package for ease of execution.
To read more about the GLBA Safeguards Rule, NIST, and the ED Dear Colleague Letters, see our Higher Education Resources page. Or, if you are ready to begin your assessment, contact us today!
Some institutions may not feel ready for full IT control testing. For those, we offer a GLBA Information Security Readiness Assessment. To learn more about the process designed to help initiate your security program, click here.
We offer comprehensive training and education programs to help your staff understand and avoid cyber attacks. We also offer board level information security training to help clarify management's responsibility for the institution's security. Click here for more information on security training options.
The foundation of any well-constructed information security program is a well-documented and reviewed information security risk assessment. Our seasoned team has helped countless clients across the United States to establish their risk assessment program and supporting policies. With these safeguards, institutions are better able to comply with the GLBA Safeguards Rule, 314.4, section (b), requiring institutions to "base your information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security."
If you would like help building a new information security risk assessment, we are ready to help. Contact us now to get started.
One of the major hurdles facing higher education leaders is the time and skill set needed to establish appropriate governance. Our team of security consultants includes former Chief Information Security Officers (CISOs), a former COO, and former CIOs in higher education, whose experience helps them understand not only the risks facing ED but also the hurdles of establishing and implementing new policies and controls.
If you are ready to work with a knowledgeable team to have your information security policy reviewed, revamped, or completely rebuilt, we are ready to help. Contact us now to get started.
Another major change to the GLBA Safeguards Rule relates to penetration testing. Penetration testing, often referred to as "pen testing" or "ethical hacking," is a proactive security assessment technique used to identify vulnerabilities and weaknesses in an organization's systems, networks, applications, or infrastructure. It involves authorized, simulated attacks conducted by SOMA Cyber’s skilled security professionals to evaluate the security posture and to identify potential entry points that attackers could exploit. Our ethical hacking team will test the resiliency of your network and work with IT management to remediate known issues and security gaps.
If you would like to meet with our ethical hacking team to learn more about this approach and our very competitive rates, we are ready to help. Contact us now to get started.
Another important policy is the incident response plan and policy. This GLBA requirement addresses what your response teams must do in the event of a security incident. In the event of a security breach or cyber attack, a well-established incident response plan and a trained team must be in place to help contain damage and data loss, and to get the institution back on track. For help with your incident response plan, tabletop testing, or a simple, low-cost review of your current plan, contact us now.
On our Resources page, you will find copies of the GLBA Safeguards Rule, NIST 800-171, Dear Colleague Letters, and other resources.
SOMA Cyber
621 Broadway Street, Paducah, KY, 42001
Copyright © 2023 SOMA Cyber - All Rights Reserved.