How to Build a Risk-Based Infosec Program in Higher Education, Complete Guide

SaltyCloud Research Team

Published on February 20, 2023  •  Read Time 3 min

Colleges and universities are collecting more sensitive information than ever, from student data to controlled unclassified information (CUI), banking details, and more. Unfortunately, many universities and colleges need help managing the security of all that information.

As cyberattacks and regulatory compliance standards evolve and penalties grow in severity, building a risk-based information security program is increasingly important for higher education institutions to avoid the risks of noncompliance.

Cybersecurity in Higher Education

The higher ed and research sector was the most attacked industry in the third quarter of 2022, with an average of 2,148 cyberattacks per organization weekly, an increase of 18% compared to the third quarter of 2021.

In the pandemic era, higher education institutions face an onslaught of cyber threats, including malware and ransomware attacks, social engineering and phishing campaigns, Distributed Denial of Service (DDoS) attacks, and data breaches, to name a few.

  • Ransomware: Ransomware attacks against education increased from 6% in 2019 to 15% in 2020, whereas in healthcare, they increased from 21% to 23% during the same period.
  • Data Breaches: The average cost of a data breach in education was US$3.9 million in 2020, which is higher than sectors like transportation, communication, and retail and higher than the global average of US$3.58 million.
  • DDoS Attacks: DDoS attacks against the online resources of educational institutions grew by 350% between January and June 2020, compared with the same period in 2019.
  • Phishing Campaigns: The percentage of phishing attacks in higher education is substantial compared to other sectors, with social engineering attacks representing nearly 50% of breaches in 2021.

Cybersecurity Challenges in Higher Education

The growing number and sophisticated nature of cyberattacks on colleges and universities is concerning. Cybersecurity incidents are the “new normal,” and unfortunately, they’re likely to worsen in the coming years. Meeting future cybersecurity challenges will be paramount to maintain trust with students, stakeholders, staff, and regulators.

Today, key cybersecurity challenges in higher ed include:

  • A complex digital footprint: institutions must secure a vast spectrum of data that intersects with various sectors, including Personally Identifiable Information (PII); banking details for students and staff; health and medical information (e-PHI); third-party data about funders, sponsors, and insurers; enterprise data; and research data
  • Remote learning environments for online education and Internet of Things (IoT) devices contribute to an ever-expanding attack surface
  • As an open-by-design sector, higher education institutions must balance access and data protection with sharing academic information
  • Transparency in education also means it’s easy to glean the exact timing of critical operations
  • Cybersecurity best practices for data security in other sectors are nearly impossible to implement in higher education, including standardizing multi-factor authentication (MFA) for connected devices, deleting infected machines, and forcing updates
  • Various departments typically share responsibility for protecting all that data, so the IT and cybersecurity risk management process is often challenging

The Role of Regulatory Compliance

The complex nature of information security in higher education also means maintaining compliance with a growing number of regulations, among them FERPA, FISMA, the GLBA, HIPAA, PCI DSS, and the CMMC.

Managing compliance with these and other regulatory standards is already challenging for most, and higher education institutions don’t have endless resources.

The overwhelming burden of regulatory compliance can often lead to a “check-the-box” mentality. Yet the pressure is mounting, and many higher education institutions need help figuring out where to start.

The Risk of Noncompliance

Noncompliance with the aforementioned regulatory standards can have a significant negative impact on higher education institutions. In addition to the financial and operational burdens of recovering from a data breach, universities may face further repercussions in the form of fines and litigation, forfeiture of federal funding, reputational damage, and more.

Here are just some of the risks that come with noncompliance with the following regulatory standards:

  • Noncompliance with FERPA can lead to the withdrawal of US Department of Education funds.
  • Noncompliance with FISMA can result in a reduction in federal funding and reputational damage.
  • Noncompliance with the GLBA can cost up to $100,000 per violation, and criminal penalties include imprisonment for up to five years.
  • Noncompliance with HIPAA can yield penalties ranging from $100 to $50,000 per violation, with a maximum fine of $1.5 million per calendar year and jail time for the individuals responsible.
  • Noncompliance with PCI DSS can result in fines of up to $500,000 per incident.
  • Noncompliance with the CMMC can lead to the withdrawal of US Department of Defense contracts and funding.

Why Is Information Security Important in Higher Education?

A risk-based information security program can help organizations focus on what matters most and better anticipate what could go wrong, rather than spending valuable time and resources reacting to cyberattacks as they arise.

6 Steps to Building a Risk-Based Information Security Program in Higher Education

Every organization’s risk-based information security program will look different depending on its business goals, regulatory compliance requirements, maturity, and unique security posture.

However, there are some basic steps organizations can take to begin implementing or improving their information security risk management efforts.

1. Choose a Security Framework

A security framework is a set of standard practices often used to manage an information security program.

There is no single, universal security framework for the higher education sector, but there will be a framework that can best help you achieve your business and compliance goals.

Several cybersecurity frameworks are in common use at higher education institutions.

For many organizations, selecting a security framework comes down to state requirements or a system-level requirement. As organizations mature, it’s common to begin “crosswalking” or connecting existing frameworks with other frameworks to keep their cybersecurity program compliant.

2. Prioritize Cybersecurity Operations and Information Security Teams

Having a dedicated information security team, a cybersecurity operations (CyberOps) center, and IT professionals on board is critical to ensuring the success of your IT and cybersecurity risk management program. Units will likely share risk management responsibilities, but a central team can help keep departments accountable, raise cybersecurity awareness, and handle incident response.

3. Implement IT Asset Management

IT asset management is the systematic process of managing the asset lifecycle, from development to operations, maintenance, and upgrade to disposal.

Although each organization is unique, higher education institutions typically share one crucial thing in common: their federated nature. Since these organizations tend to manage an immense number of IT assets across various departments, many don’t know where to begin the process of asset management.

  • The first step in IT asset management is an IT asset inventory. Ultimately, you can’t protect what you don’t know about, so start by identifying what data you hold and where it lives.
  • Next, find a system to keep track of those assets. A configuration management database (CMDB) will help you understand your devices’ function, relationships, criticality, and dependencies at minimal cost.
  • Then, build a process to classify those devices. Leverage any existing data classification standards your organization uses, or take the time to create a few.

4. Conduct a Risk Assessment

Risk assessments help bring the necessary information together to help determine how distinct parts of the organization align with institutional information security policies and subsequent framework controls.

A control-based assessment survey aims to identify where the organization stands against a specific control and is typically conducted through a questionnaire distributed throughout the organization. These assessments can also help determine whether a control is in the process of being implemented.

Ideally, infosec teams should start with their most critical assets (i.e., units that hold the most sensitive data or have an urgent regulatory requirement, like the Office of Student Financial Aid, which needs to meet compliance with the requirements of the GLBA Safeguards Rule).

Teams that spend time accurately scoping their organization via an asset management process will better understand what’s most important to them.

In the end, successful control-based assessment surveys can yield valuable insights. For example, they might show whether a specific control is particularly deficient throughout the organization. This data is also vital when making a case for budget, and when the process is continuous and periodic, teams can measure improvements and demonstrate ROI.
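The inventory-and-classify steps above and the control-based assessment survey described here together form a small data pipeline. The following is an added example, not Isora GRC or any SaltyCloud code: it ranks units by the regulated data they hold (so assessment starts with the most critical ones) and rolls questionnaire answers up per control across two periods, so that an organization-wide deficient control and the improvement between periods both become visible. The units, data classes, control names and answers are constructed, and the mapping from data class to regulation is an assumption.

```python
# Constructed sample asset inventory: unit -> classes of data it holds (hypothetical units).
INVENTORY = {
    "Office of Student Financial Aid": {"PII", "banking", "student-records"},
    "Campus Health Center": {"PII", "e-PHI"},
    "Registrar": {"PII", "student-records"},
    "Athletics": set(),
}

# Data class -> regulatory driver; an assumed mapping using the standards the article names.
DRIVERS = {"banking": "GLBA Safeguards Rule", "e-PHI": "HIPAA",
           "student-records": "FERPA", "CUI": "CMMC"}

def prioritize_units(inventory):
    """Rank units by how many regulated data classes they hold (most critical first, then by name)."""
    ranked = [(unit, sorted(DRIVERS[c] for c in classes if c in DRIVERS))
              for unit, classes in inventory.items()]
    return sorted(ranked, key=lambda item: (-len(item[1]), item[0]))

CONTROLS = ("MFA", "Encryption-at-rest", "Incident-response-plan")

# Constructed questionnaire answers: period -> unit -> one status letter per control, in
# CONTROLS order (I = implemented, P = in progress, N = not implemented).
SURVEYS = {
    "2022Q1": {"Office of Student Financial Aid": "PNP", "Campus Health Center": "PNI", "Registrar": "IPI"},
    "2023Q1": {"Office of Student Financial Aid": "III", "Campus Health Center": "INI", "Registrar": "IPI"},
}

def deficiency_by_control(surveys, period):
    """Fraction of surveyed units that have not fully implemented each control in a period."""
    answers = surveys[period].values()
    return {ctrl: sum(a[i] != "I" for a in answers) / len(surveys[period])
            for i, ctrl in enumerate(CONTROLS)}

def improvement(surveys, earlier, later):
    """Change in deficiency rate per control between two periods (negative means improvement)."""
    before, after = deficiency_by_control(surveys, earlier), deficiency_by_control(surveys, later)
    return {ctrl: round(after[ctrl] - before[ctrl], 2) for ctrl in CONTROLS}

if __name__ == "__main__":
    for unit, drivers in prioritize_units(INVENTORY):
        print(f"{unit}: {', '.join(drivers) or 'no regulated data'}")
    print("deficiency by control, 2022Q1:", deficiency_by_control(SURVEYS, "2022Q1"))
    print("change by 2023Q1:", improvement(SURVEYS, "2022Q1", "2023Q1"))
```

With the constructed data, encryption at rest is the control deficient in every unit in 2022Q1, and the same roll-up a year later shows which controls the program actually moved.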

5. Build a Vendor Risk Management Program

Vendor risk management (VRM) is vital to any risk management program.

Supply chain attacks are increasing across industries: 2020 saw a 430% increase in supply chain attacks, and in 2022, 80% of organizations reported an attack or vulnerability in their software supply chain.

As several states begin to roll out their vendor certification programs, validating the cybersecurity posture of third-party suppliers who use or offer cloud products to deliver services will be critical.

Organizations can leverage the Higher Education Community Vendor Assessment Toolkit (HECVAT), a cloud vendor security questionnaire designed to measure third-party vendor risk specifically for higher education institutions, to assess vendors against security controls and ensure that they have the relevant information, data, and cybersecurity policies to protect sensitive institutional data and constituents’ PII.

Or, higher education institutions can leverage their data classification standards to decide what vendors to compare against which frameworks. Ultimately, how each organization handles the results is up to their discretion.

6. Cultivate a Culture of Risk Management

A culture of information security includes the attitudes, assumptions, beliefs, values, and knowledge that employees and stakeholders draw from when interacting with the organization’s security systems and procedures.

Infosec teams must figure out how to become “influencers” for their campus and beyond. They must find ways to pitch their ideas and sell them to stakeholders across the organization.

To create awareness around information security, we recommend the following:

  • Meet with leaders across campus and share about the processes, goals, and importance of information security.
  • Use data and storytelling to help stakeholders understand the importance of information security.
  • Find creative ways to share with individuals the impact information security has.
  • Consider ways to make information security more “fun” and engaging for stakeholders (e.g., creating incentive programs, team building exercises, or even an infosec mascot).

When infosec teams successfully establish a culture of information security and of IT and cybersecurity risk management, stakeholders can better understand how to help their campus: not only the actions they need to take but the impact those actions have.

How to Get Started Managing Information Security Risks

For most organizations, taking small steps toward building a risk-based information security program is the best path forward. Rather than feeling overwhelmed by the entire process, start by focusing on what will have the most significant impact on your organization in the short term.

Remember, no one has jumped into information security risk management and ended up with a mature program the next day. There’s no better time to start than today, and the best place to start is with your most critical areas.

That might mean using spreadsheets to manage risks initially, and that’s okay! But eventually, managing any level of scale will require software solutions that can streamline processes and serve as a guide for your organization in the future.

For a more comprehensive overview of how to build a risk-based information security program in higher education, see our latest white paper: Cyber Resilience at Higher Education Institutions: The Definitive Guide for Information Security Teams, 2023 Edition.

How Isora GRC from SaltyCloud Can Help

Isora GRC from SaltyCloud is changing the game for infosec teams at higher education institutions.

It’s a powerfully lightweight governance, risk, and compliance (GRC) assessment platform that’s easy to implement and deploy across the entire organization for IT & Cybersecurity Risk Management, Vendor Risk Management, and IT Asset Management.

With Isora GRC, infosec teams can gain value quickly with unmatched visibility to improve security posture. And its compliance features are as customizable as you need them to be—so you can start with a prebuilt questionnaire or create your own—to ace your regulatory audits.

Discover why dozens of higher education institutions in the US and Canada, including UT Austin, UC Berkeley, and Yale, trust Isora GRC to automate and streamline their information security risk management efforts.
