Oct 22 2015
Security

6 Steps to Keep Student Data Safe

Implement these six key components for effective cybersecurity at your university.
by

Stephen A. Grossman and Priya Roy are lawyers with Montgomery McCracken Walker & Rhoads. Grossman serves as chairman of the firm’s data privacy and cybersecurity practice. Roy focuses her work in the areas of higher education and is a member of the firm’s data privacy and cybersecurity practice.

There is a good reason why the Department of Education recently reminded higher education institutions of their continuing obligation to protect data and student information.

While department officials focused their recent update on the security of financial aid information, their message is clear: Institutions need to develop and implement comprehensive cybersecurity practices now.

Unfortunately, no single policy or program works for all universities. Simply having policies and procedures and investing in sophisticated technical solutions are not enough. Implementation of those policies along with smoothly running processes and operations are the true test of whether an institution is prepared for a cybersecurity attack — and whether the institution meets the department’s security expectations. Here are some key components necessary for an effective cybersecurity program.

1. Know Your Risks

The core of any cybersecurity strategy begins with identifying the most sensitive data. For universities, that could include intellectual property, proprietary research, student information (such as Social Security numbers or health records) and employee data. Without an inventory of data and how it is used, shared and stored, risk mitigation and security will suffer.

2. Create a Central Position

Develop a central position to lead the university cybersecurity program and be responsible for the creation of policy, implementation, monitoring, auditing and response. This crucial position should have the authority to manage and delegate operations as well as develop a cross-functional team to support the program.

3. Assess Third-Party Vendors

Institutions are responsible for data breaches caused by third-party vendors. It’s critical to ensure that vendors meet a university’s security standards and communicate and handle data incidents and breaches quickly and efficiently.

4. Train Staff

Data security is the responsibility of all staff and therefore must be a collaborative effort. It’s imperative to periodically train staff (even those outside the internal response team) on security protocols and steps they must take to keep university and student data secure. Employee mistakes and purposeful misuse cause the majority of data incidents.

5. Develop Protocol for Notification

Include a press release, notification to students and families, and a website to detail the scope, date, time and victims of the breach. Having templates of a press release, notification and website prepared saves time during an emergency. Templates can also include FAQs on identity theft protection vendors.

6. Practice Data Breach Responses

Accept that a data incident or breach will happen. It can be stressful and chaotic — from determining the cause of the breach, engaging third-party vendors and working to contain the damage. It is important that the systems and protocols run seamlessly when the inevitable happens.

Massimo Merlini/Getty Images

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now