Security controls have evolved over time, becoming easier to use and more effective at stopping a wide variety of threats. Of course, threats continue to evolve and strengthen as well, with an ever-sharpening focus on stealing valuable data.
Despite the precautions and products available to help IT departments curb data security risks, there are frequent accounts in the news of major data breaches involving higher education. How can institutions better manage risk?
The answer lies in focusing on managing data risk, not IT risk. Institutions have long known the basics of IT risk mitigation — installing patches, configuring operating systems and applications securely, implementing access control. Those fundamental principles have not changed. What has changed is the attackers' focus on gaining unauthorized access to sensitive data. That is not meant to imply that general IT risk mitigation is not important — by all means, institutions still need to apply patches and do all those other fundamental security activities — but they must also carefully consider the threats against sensitive data and perform risk management activities specific to protecting that data from unauthorized access.
A number of risk management methodologies are out there, and all include the same basic steps: Identify security requirements, perform a risk assessment, implement security controls, identify (and correct) any deficiencies within those controls and monitor them.
I don't intend to rehash the finer details of risk management methodologies; rather, I've highlighted here some of the critical planning actions necessary for any data risk management methodology to reduce the potential for exposure of sensitive data and the likely impact of any such exposure.
1. Conduct an inventory of sensitive data assets.
Establish and maintain a comprehensive, up-to-date inventory of the institution's sensitive data assets, which may be much easier said than done. The challenge is greater today, thanks to the advent of cloud technologies, causing sensitive data to be stored increasingly in third-party servers outside of an institution's direct control. Within the institution's boundaries, it may be possible to use data loss prevention (DLP) technologies to scan servers and other institution-controlled hosts to identify sensitive data stored on those hosts or being transferred to or from them.
For identifying sensitive data stored in cloud environments, it may be possible to get a partial picture automatically through cloud use analysis services or products, which monitor and report all cloud activity involving an institution's users and systems. While that will not produce an inventory of sensitive data in cloud environments, at minimum it will indicate which cloud services are in use and by whom so that further investigation can be conducted.
2. Incorporate data security into the institution's information security plan.
Most institutions already have an information security plan, but it may not adequately take the security of sensitive data into account. At a minimum, any plan should define a scheme for information classification based on the sensitivity of the data — for instance, labeling it confidential, internal or public — so that the institution can define security policies and procedures corresponding to those classifications. The plan also should list any laws or any other regulations — such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standards (PCI DSS) or the Family Educational Rights and Privacy Act (FERPA) — to which some or much of an institution's data are subject.
3. Develop an incident response plan that addresses breaches of sensitive data.
It is important to update the institution's incident response plan to address proper response in the case of a sensitive data breach. Educational records, financial information and health records are all considered highly sensitive. Of course, it is also important to be technically prepared to handle such breaches: Conduct forensic analysis to determine the scope of the breach and correct exploited vulnerabilities to ensure that they are not taken advantage of again. It is just as important for the institution as a whole to be prepared from an organizational perspective. Be ready to compose notification messages and distribute them to the affected parties (faculty and staff, students, alumni, patients, etc.) in a timely manner, and offer protective compensation, such as credit monitoring services for financial information breaches. Far too often, institutions that suffer sensitive data breaches are criticized for a slow response; adequate incident response planning can speed response time.
4. Communicate expectations and protocols to all system users.
It's been widely reported the past few years that internal users themselves are the largest cause of sensitive data breaches. Although many of these breaches are intentional (such as an employee stealing financial information in order to commit identity theft), the majority are inadvertent (such as an employee accidentally emailing sensitive information to unintended recipients or saving a copy of a sensitive file in an unsecured location). Many of those incidents could be avoided if users receive security awareness training. Tools such as DLP may also be helpful in blocking both accidental and intentional breaches or, at a minimum, warning users of the sensitivity of what they are doing and asking them to confirm their action before executing it.