Since Jan. 1, higher education institutions that engage in certain types of federal government research have been required to meet new standards governing data security. The mandates, outlined in the National Institute of Standards and Technology Special Publication 800-171, are designed to protect controlled unclassified information, such as research data, student records, patient information and more.
Most major research centers, such as the University of Arizona, the University of Wisconsin-Madison and Northwestern University, had little trouble meeting that deadline. But CISOs say compliance issues in general are a big and sometimes vexing part of their jobs.
Security Mandates Drive Higher Ed IT Investments
A major challenge to compliance efforts is the sheer number of regulations that apply to university research, from the Family Educational Rights and Privacy Act and HIPAA to European Union Data Protection regulations and many more, says UW-Madison CISO Bob Turner.
“Each research project, and there are many going on in the university at once, comes with its own set of regulatory requirements,” he says. “There’s a lot of overlap, but you have to pay attention to each requirement, know which controls apply, and then audit the controls.”
The University of Florida, for example, created its Research Shield network in part to meet Federal Information Security Management Act requirements and to be eligible for a $40 million federal research grant.
Colleges Manage Security Risks to Preserve Research Funding
For many universities, there's a lot at stake. Billions of dollars in research funding go to institutions each year, and related projects can be a major component of faculty careers. That's not to mention, of course, the discoveries and developments that researchers contribute to the fields of medicine, business, social sciences and other areas.
All of these factors, in addition to formal compliance mandates, push institutions to ensure that research data is secure.
“It’s easy to fall into the trap of simply equating compliance with regulations to good information security, but managing cyber-risk is more than that,” says Northwestern CISO Tom Murphy. “You have to translate compliance, or lack thereof, into risk for the institution and always keep that in mind. Failure means potential loss of reputation, potential loss of research grants or loss of data that requires the research to be redone.”