Put Your Money Where Your Risks Are: Cybersecurity Requirements for Institutions of Higher Education

By Susan Shogren, Assessment and Project Coordinator

During a breakout session at the 2016 NASFAA National Conference, Linda Wilbanks, director of IT Risk Management for the U.S. Department of Education (ED), shared important recommendations for ensuring the security and confidentiality of students’ personal information. With cybersecurity threats increasing in number and level of sophistication, it is more important than ever for schools to examine how they protect their data, where they might be at risk, and how they plan to respond to any data breaches.

Certainly, cybersecurity issues threaten those whose information is compromised. Schools are at risk, too, for being found in noncompliance with the Higher Education Act of 1965, as amended, the Family Educational Rights and Privacy Act (FERPA), and the Gramm-Leach Bliley Act, among others. Schools also must live up to their commitments under their own Program Participation Agreements (PPA), and their own Student Aid Gateway (SAIG) Enrollment Agreements to protect the data they collect and transmit.

“Before you experience a failure,” Wilbanks advised, “make sure you have a plan.” Describe who will be involved in evaluating whether a data breach has occurred, who will communicate about it, and who will decide the appropriate actions to take. Prepare to act quickly and decisively—even if it means assuming a data breach has occurred until you prove otherwise. Practice addressing various types of cybersecurity threats, including how you will respond to threats you couldn’t anticipate.

Reduce your exposure to risk by protecting the “keys to the kingdom.” Establish a clean desk policy—in which all information is secured unless a staff member is present—and never share access controls, such as PINs and passwords. Use strong passwords, making sure to avoid using typical references to family members’ names or birthdates. Don’t write passwords down and shut them away in a drawer; that’s the first place a cyber thief will look. Instead, save passwords in one encrypted file, to which you assign a single strong password you can remember. Finally, purge sensitive data once you no longer require access to it, according to record-keeping requirements. Don’t keep data forever.

As Wilbanks emphasized, “Training is your first line of defense.” Educate your staff and your students on cybersecurity risks and how to protect sensitive data. Help everyone at your institution understand that data in transmission is data at risk. For further guidance, refer to Dear Colleague Letters GEN-15-18 and GEN-16-12.

You and your students cannot afford to wait for your school to identify and address cybersecurity risks someday. Wilbanks urged session attendees to “do it now, and move fast!”

Publication Date: 8/5/2016