Educause, Deloitte Report: Information Security Programs Must Be Formalized

Deloitte and Educause have partnered on a joint report that aims to inform higher education institutions of their responsibilities regarding new federal data protection requirements with deadlines beginning Dec. 31 of this year.

The new requirements involve data received from the federal government known as controlled unclassified information (CUI) and are gradually taking hold.

"The Defense Federal Acquisition Regulation Supplement (DFARS) has now established NIST 800-171 as the minimum security standard for protecting both CUI and covered defense information (CDI) (with compliance required by the end of this year)," according to the organizations. "A federal acquisition regulation (FAR) clause is expected to be published before the end of 2017 and apply NIST 800-171 standards to protect CUI associated with a broader set of civilian contracts. Additionally, in 2016, the United States Department of Education communicated its intention to make student financial data subject to those same standards in the future."

"Whether a college or university has many large government research contracts or one small contract, each institution will need to comply with these new data protection standards," said Joanna Lyn Grama, director of cybersecurity and IT GRC programs at Educause, in a prepared statement. "Simply put, the evolving higher education threat landscape and very complex regulatory environment means that ad-hoc approaches to data management and protection are no longer adequate and formalized information security programs, based on recognized frameworks and responsive to specific regulations, are required."

The organizations have found three broad challenges to compliance that universities or colleges may face:

  • Though IT and security staff are "generally" aware of NIST 800-171 requirements, according to the organizations, many institutional leaders or members of trustee boards are not aware of the institutional responsibilities the regulations impose and tend to think of them as technical controls that merely need to be implemented. To combat this, the report suggests reframing the issue as an enterprise risk management matter with business consequences for the institution;
  • A culture among educational institutions of openness and sharing that may lead to resistance toward the new guidelines. For example, according to Deloitte and Educause, "If a U.S. researcher is building on research done by a colleague in another country, it's normal for the two to talk, share information and even collaborate";
  • The growing number of regulations and standards calls for an enterprise-level solution toward data compliance assessment and certification, rather than a decentralized approach.

The report also offers a half-dozen suggestions for developing an appropriate compliance framework:

  • Form a working group with support from top leadership and ongoing engagement that includes representatives from administration, research and academics;
  • Determine what contracts and data fall under the scope of the new regulations;
  • Assess current security measures, including where affected data resides and how it is processed from the time it comes into the institution's possession through its full lifecycle;
  • Develop a plan with defined roles and responsibilities to mitigate existing gaps and achieve compliance;
  • Define responsibilities and procedures to maintain compliance moving forward; and
  • Use a third party to audit practices across the entire institution.

"Colleges and universities can see this challenge in two ways — as a risk to their federal grants and research funding or as a competitive advantage if they are more proactive in their compliance," said Mike Wyatt, principal at Deloitte & Touche LLP, in a prepared statement.

The full report is available at dupress.deloitte.com.

About the Author

Joshua Bolkan is contributing editor for Campus Technology, THE Journal and STEAM Universe. He can be reached at [email protected].
