In February of this year, the U.S. Department of Education announced it would pull Title IV funding from higher education institutions that did not meet certain cybersecurity criteria, according to law firm Patterson Belknap.
With education institutions being hit harder with cybersecurity breaches, government officials are putting administrators and IT teams on watch to protect student data — or lose crucial financial resources.
Institutions will be required to have “reasonable safeguards” and a response plan, as described in the department’s breach-response checklist.
With the school year about to begin, it is important for institutions to be aware of what they will need to maintain a good cybersecurity plan, or risk jeopardizing student data and potential funding.
Resources to Meet Title IV Cybersecurity Requirements
It is important to maintain a tight cybersecurity regimen, and doing so requires IT teams to be fluid and up to date on all of the latest news regarding cybersecurity innovation.
The action items on the checklist provided by the Education Department are well within the abilities of any university with the help of the right tools.
Here are the requirements from the Education Department that schools must meet in order to keep Title IV funding, and how IT teams can approach them:
- Data security program: Developing and documenting a data security program is complicated, as threats are constantly changing, especially with the rise of the Internet of Things. At UBTech 2018, experts suggested approaching staff about risk awareness and investing in integrated platforms.
- Designate an Employee to Lead the Program: It is important to designate someone to take on the responsibility of leading a successful cybersecurity program. Hiring CISOs — like the University of Arizona’s Lanita Collette — can help steer institutions in the right direction.
- Identify reasonably foreseeable risks: No matter how good an institution’s IT team is, no one can predict the future. Therefore, it is important to conduct and document regular security assessments. Penetration tests and vulnerability scans provide starting points to get a firm grasp on current cybersecurity capabilities.
- Control identified risks: Once assessments have been made, teams can act on those risks. For example, if an assessment finds end users are particularly vulnerable, it is important to educate students and professors about the importance of proper cybersecurity hygiene.
- Oversee Service Providers: For institutions that may have trouble maintaining a heavy cybersecurity lift, outsourcing can be a good way to ease some of the load. However, it is important to discuss with a security provider what your needs will be, and ensure that they can be met, before hiring. Institutions should apply what they learn from security assessments and cybersecurity reports to give providers an accurate picture of what they will need.
- Evaluate and Readjust: Maintaining strong cybersecurity measures is an ongoing effort, and institutions will need to consistently evaluate their systems and make changes to shore up any holes in security practices. This can be done using assessment tools and tests, as well as learning from previously reported breaches.