Regulations in information security have become a never-ending stream of catch-up responses to high-profile failures, and while they help direct efforts, they are a lagging indicator rather than a leading one, requiring a tool to give a sense of potential damage before any adverse incidents occur.
It used to be that keeping up with the Joneses—or in today’s parlance, keeping up with the Kardashians—was enough to keep us busy. Unfortunately, now it’s more likely that our goal is keeping up with a never-ending stream of regulations. In recent years, this has become especially true in the arena of information security where a number of high profile failures have led to a raft of legislative responses. Though many regulations may have appeared more recently, the reality is that the threats have been there all along—now we’re playing catch-up as to how to defend against these threats.
At their core, regulations help direct our efforts to where work needs to be done. The problem is that they are a lagging indicator rather than a leading indicator. Often by the time the regulation arrives, the damage has already been done to someone, and the regulation is a response to that damage to prevent the same thing from happening to someone else. Clearly a tool is needed to give a sense of the potential for damage before anything adverse happens.
Risk assessments as a tool for gauging regulatory compliance
Risk assessments, when combined with regulations, provide a proactive approach to compliance and security, while audits serve as a subsequent verification of the implemented controls.
Risk assessments can be seen as an opportunity to receive advance notice of places that, if left unresolved, could result in harm in the future. When paired with regulations, these risk assessments can ensure a minimum confidence that security preparations and controls are in place. This type of risk assessment allows you to assess how compliant you are with the relevant policies, regulations, or laws. Using question sets based on the actual text of the regulations, a risk assessment allows an organization to step through the various requirements of the regulation and gauge how reality measures up.
It should be noted that risk assessments differ from an audit. Risk assessments act as an initial step in understanding risk by establishing a baseline and identifying gaps. An audit, whether performed internally, by an external auditor, or by a regulatory agency, can then focus at a later date on particular areas to verify that appropriate controls are in place.
So many regulations, so little time
Selecting an appropriate risk assessment framework depends on your industry and context, with regulations varying by sector and assessments based on best practices or security standards, such as NIST CSF or CIS 20.
Hopefully, you’re with me up to this point. Regulations aren’t just for taking up reams of paper (which they do) or for creating a complex web of requirements to follow (which they collectively also do); regulations enforce necessary minimums we would be wise to follow…or else.
The final question that remains for many might be: which risk assessment framework should I use? Unfortunately, the answer varies depending on your particular context. The good news is that regulations tend to accumulate based on industry, so each industry has its own pantheon of regulations it tries to appease.
In addition, risk assessments can also be based on industry best practices, which allows organizations to be proactive in shoring up their security posture more broadly. These assessments look across a security framework or standard (e.g., NIST CSF or NIST 800-171) to assess risk in general, or relative to a set of recommended controls (e.g., CIS 20).
Choosing a framework is an important initial step in executing a risk assessment, especially in places where multiple verticals overlap, such as Higher Education. For a more in-depth review of choosing a framework in the Higher Education community, check back for a forthcoming article: IT Risk Assessment in Higher Ed, What Frameworks to Use?
Regulations relevant to higher education
Various regulations relevant to higher education aim to protect specific types of information, such as research grants, education records, financial data, and personal health information, ensuring security and privacy within the sector.
To help narrow the field of possible regulations, we’ve curated the following list to summarize some of the potentially relevant information security regulations for Higher Education. Many regulations require specific explanation, which is why you’ll find links to in-depth analysis of regulations such as HIPAA in our other blog posts.
As it turns out, regulations are not all bad, as they attempt to improve the security landscape of an industry as a whole. Though they may be a blunt tool for doing so, we can rest assured that there is no end in sight to the regulations that will be created, and no ignoring those already in existence.
| Regulation | Applies to | Summary | Data covered |
|---|---|---|---|
| DFARS | Research Grant Requirement | Set of cybersecurity regulations that the Department of Defense (DoD) imposes on external contractors and suppliers | Federal and/or Corporate Research Grants and Partnerships (contract specific) |
| FERPA | Registrar | The University must provide students the right to inspect their education records and obtain written consent to release the records | Grades and education records |
| FISMA (NIST 800-53) | Research Grant Requirement | Treats the University as a federal contractor where it is holding federal data pursuant to federally-funded research | Federal and/or Corporate Research Grants and Partnerships (contract specific) |
| GDPR (EU Data Privacy Act) | European Union Citizens | Law on data protection and privacy for all individuals/citizens of European Union member countries | European Union Citizen Data, whether in the EU or not |
| PIPEDA (Canadian data privacy act) | Canadian Citizens | Law on data protection and privacy for all individuals/citizens of Canada | Canadian Citizen Data, whether in country or not |
| Privacy Act 1988 (Aus. data privacy act) | Australian Citizens | Law on data protection and privacy for all individuals/citizens of Australia | Australian Citizen Data, whether in country or not |
| GLBA | Student Financial Aid (Department of Education) | Governs the collection, disclosure, and protection of consumers’ personal information and personally identifiable information | Banking and financial information |
| HIPAA | Health facilities | Establishes national standards to protect individuals’ medical records and other personal health information | Health records and information |
| HITECH Act | Health facilities | HITECH broadens HIPAA by extending coverage to business associates | Health records and information |
| PCI-DSS | Payment processing | Information security standard for organizations that handle branded credit cards from the major card companies | Payment and credit card information |
Refer to https://www.higheredcompliance.org/compliance-matrix/ for an exhaustive list of regulations relevant to Higher Education.
State regulations relevant to higher education
State-specific regulations in higher education focus on information security and data privacy, with varying requirements for protecting personal information depending on the state.
In addition to federal standards, many state regulations have been passed to address information security standards, often requiring state agencies or specific industries to assess their cybersecurity risk. Each state will be different, but the following sampling of state regulations has been relevant in our conversations with our partners.
| Regulation | State | Summary | Data covered |
|---|---|---|---|
| State Data Privacy Acts | Various | Many states require specific risk assessment or data privacy steps be taken to protect personal information. Review the requirements specific to your state to understand your local obligations. | Personal Information |
| TAC 202 | TX | Set of security controls closely related to NIST 800-53/FISMA and required at state agencies and higher ed institutions | Personal Information |
| CCPA (California Data Privacy Act) | CA | Effective in 2020, this grants California residents (aka “consumers”) the right to control the categories, sources, and specific pieces of personal information that a business collects about them | Personal Information |
How Isora GRC from SaltyCloud can help
Isora GRC from SaltyCloud is the powerfully simple solution making regulatory compliance easier while helping organizations improve their cyber resilience.
The stakes have never been higher for organizations as they confront escalating cyberattacks and mounting regulations.
With business-critical data and privacy on the line, companies need a simple solution that helps them move beyond a ‘check-the-box’ mindset towards a risk-informed, data-driven, and proactive approach.
Isora GRC from SaltyCloud is the powerfully simple solution changing how information security teams manage governance, risk, and compliance (GRC). A new intuitive, automated, and collaborative platform designed by GRC experts, Isora GRC helps organizations ace compliance audits, build information security culture, and strengthen cyber resilience at scale.
- Ace compliance audits with collaborative surveys, adaptable security frameworks, dynamic dashboards, and insightful reporting for key regulations.
- Improve your organization’s security posture with maturity models, preloaded security frameworks, and remediation tracking.
- Protect critical data with comprehensive inventory management, seamless integration, continuous assessments, and insightful reporting.
- Minimize third-party risk with a complete vendor inventory, risk assessment surveys, and approval workflows.
Join dozens of information security teams partnering with Isora GRC from SaltyCloud to build a risk and compliance program they can trust.
Discover how Isora GRC from SaltyCloud can streamline compliance and risk management for your organization.