Educause, Deloitte Report: Information Security Programs Must Be Formalized

Deloitte and Educause have partnered on a joint report that aims to inform higher education institutions of their responsibilities regarding new federal data protection requirements with deadlines beginning Dec. 31 of this year.

The new requirements involve data received from the federal government known as controlled unclassified information (CUI) and are gradually taking hold.

"The Defense Federal Acquisition Regulation Supplement (DFARS) has now established NIST 800-171 as the minimum security standard for protecting both CUI and covered defense information (CDI) (with compliance required by the end of this year)," according to the organizations. "A federal acquisition regulation (FAR) clause is expected to be published before the end of 2017 and apply NIST 800-171 standards to protect CUI associated with a broader set of civilian contracts. Additionally, in 2016, the United States Department of Education communicated its intention to make student financial data subject to those same standards in the future."

"Whether a college or university has many large government research contracts or one small contract, each institution will need to comply with these new data protection standards," said Joanna Lyn Grama, director of cybersecurity and IT GRC programs at Educause, in a prepared statement. "Simply put, the evolving higher education threat landscape and very complex regulatory environment means that ad-hoc approaches to data management and protection are no longer adequate and formalized information security programs, based on recognized frameworks and responsive to specific regulations, are required."

The organizations have found three broad challenges to compliance that universities or colleges may face:

  • Though IT and security staff are "generally" aware of NIST 800-171 requirements, according to the organizations, many institutional leaders or members of trustee boards are not aware of the institutional responsibilities the regulations impose and tend to think of them as technical controls that merely need to be implemented. To combat this, the report suggests reframing the issue as one of enterprise risk management with business consequences for the institution;
  • A culture among educational institutions of openness and sharing that may lead to resistance toward the new guidelines. For example, according to Deloitte and Educause, "If a U.S. researcher is building on research done by a colleague in another country, it's normal for the two to talk, share information and even collaborate";
  • The growing number of regulations and standards calls for an enterprise-level solution toward data compliance assessment and certification, rather than a decentralized approach.

The report also offers a half-dozen suggestions for developing an appropriate compliance framework:

  • Form a working group with support from top leadership and ongoing engagement that includes representatives from administration, research and academics;
  • Determine what contracts and data fall under the scope of the new regulations;
  • Assess current security measures, including where affected data resides and how it is processed from the time it comes into the institution's possession through its full lifecycle;
  • Develop a plan with defined roles and responsibilities to mitigate existing gaps and achieve compliance;
  • Define responsibilities and procedures to maintain compliance moving forward; and
  • Use a third party to audit practices across the entire institution.

"Colleges and universities can see this challenge in two ways — as a risk to their federal grants and research funding or as a competitive advantage if they are more proactive in their compliance," said Mike Wyatt, principal at Deloitte & Touche LLP, in a prepared statement.

The full report is available at dupress.deloitte.com.

About the Author

Joshua Bolkan is contributing editor for Campus Technology, THE Journal and STEAM Universe. He can be reached at [email protected].
