How to Build a Risk-Based Infosec Program in Higher Education, Complete Guide

TL;DR

As colleges and universities collect vast amounts of sensitive data, implementing a risk-based information security program is crucial to mitigate the risks associated with cyberattacks and noncompliance.

Colleges and universities are collecting more sensitive information than ever, from student data to controlled unclassified information (CUI), banking details, and more. Unfortunately, many universities and colleges need help managing the security of all that information.

As cyberattacks and regulatory compliance standards evolve and penalties grow in severity, building a risk-based information security program is increasingly important for higher education institutions to avoid the risks of noncompliance.

This article takes a closer look at some of the cybersecurity challenges facing higher education institutions–including the role of regulatory compliance–and explores how higher education institutions can implement a risk-based information security program to strengthen cyber resilience.

Cybersecurity in higher education

TL;DR:

Higher education faced a surge in cyber threats in 2022, including ransomware, data breaches, DDoS attacks, and phishing campaigns, with significant financial consequences and a growing need for robust cybersecurity measures.

The higher ed and research sector was the most attacked industry in the third quarter of 2022, with an average of 2,148 cyberattacks per organization weekly–an increase of 18% compared to the third quarter of 2021.

The higher ed sector was the most attacked industry in the third quarter of 2022.

In the pandemic era, higher education institutions face an onslaught of cyber threats, including malware and ransomware attacks, social engineering and phishing campaigns, Distributed Denial of Service (DDoS) attacks, and data breaches, to name a few.

The average cost of a data breach was US$3.9 million in 2022, which was higher than the global average.

• Ransomware: Ransomware attacks against education increased from 6% in 2019 to 15% in 2020, whereas in healthcare, they increased from 21% to 23% during the same period.
• Data Breaches: The average cost of a data breach in education was US$3.9 million in 2020, which is higher than sectors like transportation, communication, and retail and higher than the global average of US$3.58 million.
• DDoS Attacks: DDoS attacks against the online resources of educational institutions grew by 350% between January and June 2020, compared with the same period in 2019.
• Phishing Campaigns: The percentage of phishing attacks in higher education is substantial compared to other sectors, with social engineering attacks representing nearly 50% of breaches in 2021.

Cybersecurity challenges in higher education

TL;DR:

Higher education institutions face complex cybersecurity challenges, including securing diverse data types, expanding attack surfaces, balancing openness and protection, implementing best practices, and managing shared responsibilities across various departments.

The growing number and sophisticated nature of cyberattacks on colleges and universities is concerning. Cybersecurity incidents are the “new normal,” and unfortunately, they’re likely to worsen in the coming years. Meeting future cybersecurity challenges will be paramount to maintain trust with students, stakeholders, staff, and regulators.

Today, key cybersecurity challenges in higher ed include:

• A complex digital footprint due to the need to secure a vast spectrum of data from cybercriminals that intersects with various sectors, such as Personally Identifiable Information (PII); banking details for students and staff; health and medical information (e-PHI); third-party data about funders, sponsorers, and insurers; enterprise data; and research data
• Remote learning environments for online education and Internet of Things (IoT) devices contribute to an ever-expanding attack surface
• As an open-by-design sector, higher education institutions must balance access and data protection with sharing academic information.
• Transparency in education also means it’s easy to glean the exact timing of critical operations
• Cybersecurity best practices for data security in other sectors are nearly impossible to implement in higher education, including standardizing multi-factor authentication (MFA) for connected devices, deleting infected machines, and forcing updates
•  Various departments typically share the responsibility to protect all that data, so the IT and cybersecurity risk management process is often challenging

The role of regulatory compliance

TL;DR:

Maintaining compliance across numerous regulations is often challenging for higher education institutions, and can lead to a “check-the-box” mentality.

The complex nature of information security in higher education also means maintaining compliance with a growing number of regulations, including:

• The Family Educational Rights and Privacy Act (FERPA)
• The Federal Information Security Modernization Act of 2014 (FISMA 2014)
• The Gramm-Leach-Baily Act (GLBA)
• The Health Insurance Portability and Accountability Act (HIPAA)
• The Payment Card Industry Data Security Standard (PCI DSS)
• The Cybersecurity Maturity Model Certification (CMMC)

Managing compliance with these and other regulatory standards is already challenging for most, and higher education institutions don’t have endless resources.

The complex nature of information security in higher ed means maintaining compliance with a growing number of regulations.

The overwhelming burden of regulatory compliance can often lead to a “check-the-box” mentality. Yet the pressure is mounting, and many higher education institutions need help figuring out where to start.

The risk of non-compliance

TL;DR:

Non-compliance with regulatory standards in higher education can result in significant financial penalties, loss of funding, reputational damage, and potential imprisonment for responsible individuals.

Non-compliance with the aforementioned regulatory standards can significantly negatively impact higher education institutions. In addition to the financial and operational burdens associated with recovering from a data breach, universities may face additional financial repercussions in the form of litigatory fines, forfeiture of federal funding, reputational damages, and more.

Non-compliance with regulatory standards can lead to financial and operational repercussions, litigatory fines, forfeiture of federal funding, and more.

Here are just some of the risks that come with non-compliance with the following regulatory standards:

• Non-compliance with FERPA can lead to the withdrawal of US Department of Education funds.
• Non-compliance with FISMA can result in a reduction in federal funding and reputational damage.
• Non-compliance with the GLBA can cost up to $100,000 per violation, and criminal penalties include imprisonment for up to five years.
• Non-compliance with HIPAA can yield penalties ranging from $100 to $50,000 per violation, with a maximum fine of $1.5 million per calendar year and jail time for the individuals responsible.
• Non-compliance with PCI DSS can result in fines of up to $500,000 per incident.
• Non-compliance with the CMMC can lead to the withdrawal of US Department of Defense contracts and funding.

Why is information security important in higher education?

TL;DR:

Information security enables higher education organizations to prioritize resources and proactively address potential cyberattacks, instead of merely reacting to incidents as they occur.

A risk-based information security program can help organizations focus on what matters most and better anticipate what could go wrong–rather than spending valuable time and resources reacting to cyberattacks as they arise.

6 steps to building a risk-based information security program in higher education

TL;DR:

The six steps to building a risk-based information security program are: 1) choose a security framework; 2) prioritize cybersecurity operations and information security teams; 3) implement IT asset management; 4) conduct a risk assessment; 5) build a vendor risk management program; and 6) cultivate a culture of risk management.

Every organization’s risk-based information security program will look different depending on its business goals, regulatory compliance requirements, maturity, and unique security posture.

However, there are some basic steps organizations can take to begin implementing or improving their information security risk management efforts.

Choose a security framework

TL;DR:

Start by choosing a security framework tailored to your organization’s needs from options like ISO 27001, CIS, NIST CSF, NIST SP 800-53, and NIST SP 800-171.

A security framework is a set of standard practices often used to manage an information security program.

There is no single, universal security framework for the higher education sector, but there will be a framework that can best help you achieve your business and compliance goals.

There is no single, universal security framework for the higher education sector.

Common cybersecurity frameworks for higher education institutions include the following:

• ISO/IEC 27001:2022 (ISO 27001)
• CIS Critical Security Controls (CIS)
• NIST Cyber Security Framework (NIST CSF)
• NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53)
• NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST SP 800-171)

For many organizations, selecting a security framework comes down to state requirements or a system-level requirement. As organizations mature, it’s common to begin “crosswalking” or connecting existing frameworks with other frameworks to keep their cybersecurity program compliant.

Prioritize cybersecurity operations and information security teams

TL;DR:

Prioritize cybersecurity operations and information security teams to enhance accountability, raise awareness, and manage incident response across departments.

Having a dedicated information security team, cybersecurity operations (CyberOps) center, and IT professionals on board is critical to ensuring the success of your IT and cybersecurity risk management program. Units will likely share risk management responsibilities, but a central team can help keep departments accountable, raise cybersecurity awareness, and handle incident response.

Implement IT asset management

TL;DR:

To effectively manage and protect IT assets, conduct an inventory, utilize a configuration management database, and classify devices based on organizational standards.

IT asset management is the systematic process of managing the asset lifecycle, from development to operations, maintenance, and upgrade to disposal.

Although each organization is unique, higher education institutions typically share one crucial thing in common: their federated nature. Since these organizations tend to manage an immense number of IT assets across various departments, many don’t know where to begin the process of asset management.

• The first step to IT asset management is an IT asset inventory. Ultimately, you can’t protect what you don’t know about, so start by figuring out your data and where it is.

• Next, find a system to keep track of those assets. A configuration management database (CMDB) will help you understand your devices’ function, relationship, criticality, and dependency at a minimal cost.

• Then, build a process to classify those devices by their organization. Leverage any existing data classification standards your organization uses, or take the time to create a few.

Conduct a risk assessment

TL;DR:

Risk assessments and control-based assessment surveys focusing on critical assets help align organizational practices with security policies, framework controls, and compliance requirements, providing valuable insights for budgeting and measuring improvement.

Risk assessments help bring the necessary information together to help determine how distinct parts of the organization align with institutional information security policies and subsequent framework controls.

A control-based assessment survey aims to identify where the organization stands against a specific control and is typically conducted through a questionnaire and sent throughout the organization. These assessments can also help determine whether a control is in the process of being implemented.

Ideally, infosec teams should start with their most critical assets (i.e., units that hold the most sensitive data or have an urgent regulatory requirement, like the Office of Student Financial Aid, which needs to meet compliance with the requirements of the GLBA Safeguards Rule).

Teams should start with their most critical assets to yield the most valuable insights.

Teams that spend time accurately scoping their organization via an asset management process will better understand what’s most important to them.

In the end, successful control-based assessment surveys can yield valuable insights. For example, they might show whether a specific control is particularly deficient throughout the organization. This data is also vital when making a case for budget–and when the process is continuous and periodic, teams can measure improvements and demonstrate ROI.

Build a vendor risk management program

TL;DR:

VRM is essential for higher education institutions to assess and mitigate supply chain attacks, and protect sensitive data and constituents’ personal information.

Vendor risk management (VRM) is vital to any risk management program.

Supply chain attacks are increasing across industries–2020 saw a 430% increase in supply chain attacks, and in 2022, 80% of organizations reported an attack or vulnerability in their software supply chain.

Supply chain attacks increased by 430% in 2020.

As several states begin to roll out their vendor certification programs, validating the cybersecurity posture of third-party suppliers who use or offer cloud products to deliver services will be critical.

Organizations can leverage the Higher Education Community Vendor Assessment Toolkit (HECVAT), a cloud vendor security questionnaire designed to measure third-party vendor risk specifically for higher education institutions, to assess vendors against security controls and ensure that they have the relevant information, data, and cybersecurity policies to protect sensitive institutional data and constituents’ PII.

Or, higher education institutions can leverage their data classification standards to decide what vendors to compare against which frameworks. Ultimately, how each organization handles the results is up to their discretion.

Cultivate a culture of risk management

TL;DR:

Foster a culture of information security by having infosec teams become influencers, engaging with leaders, using data and storytelling, sharing impacts, and making security initiatives fun and engaging to promote stakeholder understanding and participation.

A culture of information security includes the attitudes, assumptions, beliefs, values, and knowledge that employees and stakeholders draw from when interacting with the organization’s security systems and procedures.

Infosec teams must figure out how to become “influencers” for their campus and beyond. They must find ways to pitch their ideas and sell them to stakeholders across the organization.

Infosec teams must become “influencers” for their campus and beyond.

To create awareness around information security, we recommend the following:

• Meet with leaders across campus and share about the processes, goals, and importance of information security.
• Use data and storytelling to help stakeholders understand the importance of information security.
• Find creative ways to share with individuals the impact information security has.
• Consider ways to make information security more “fun” and engaging for stakeholders (e.g., creating incentive programs, team building exercises, or even an infosec mascot).

When infosec teams successfully implement a culture of information security, IT and cybersecurity risk management, stakeholders can better understand how they need to help their campus–not only the actions they need to take but the impact those actions have.

How to get started managing information security risks

TL;DR:

Build a risk-based information security program by taking small steps, focusing on critical areas, and gradually progressing from simple tools to software solutions for scalability and long-term resilience.

For most organizations, taking small steps toward building a risk-based information security program is the best path forward. Rather than feeling overwhelmed by the entire process, start by focusing on what will have the most significant impact on your organization in the short term.

Remember, no one has jumped into information security risk management and ended up with a mature program the next day. There’s no better time to start than today, and the best place to start is with your most critical areas.

No one has jumped into information security risk management and ended up with a mature program the next day.

That might mean using spreadsheets to manage risks initially–that’s okay! But eventually, managing any level of scale will require software solutions that can streamline processes and serve as a guide for your organization in the future.

For a more comprehensive overview of how to build a risk-based information security program in higher education, download our latest white paper: Cyber Resilience at Higher Education Institutions: The Definitive Guide for Information Security Teams, 2023 Edition.

How Isora GRC from SaltyCloud can help

TL;DR:

Isora GRC from SaltyCloud is the powerfully simple solution making regulatory compliance easier while helping organizations improve their cyber resilience.

With business-critical data and privacy on the line, higher education institutions need a simple solution that helps them move beyond a ‘check-the-box’ mindset towards a risk-informed, data-driven, and proactive approach.

Isora GRC from SaltyCloud is the powerfully simple solution changing how information security teams manage governance, risk, and compliance (GRC). A new intuitive, automated, and collaborative platform designed by GRC experts, Isora GRC helps organizations ace compliance audits, build information security culture, and strengthen cyber resilience at scale.

• Ace compliance audits with collaborative surveys, adaptable security frameworks, dynamic dashboards, and insightful reporting for key regulations.
• Improve your organization’s security posture with maturity models, preloaded security frameworks, and remediation tracking.
• Protect critical data with comprehensive inventory management, seamless integration, continuous assessments, and insightful reporting.
• Minimize third-party risk with a complete vendor inventory, risk assessment surveys, and approval workflows.

Join dozens of information security teams partnering with Isora GRC from SaltyCloud to build a risk and compliance program they can trust.

Discover how Isora GRC from SaltyCloud can streamline your information security risk management program.