January 9, 2020
Higher Education Regulations Quick Guide
It used to be that keeping up with the Joneses—or in today’s parlance, keeping up with the Kardashians—was enough to keep us busy. Unfortunately, now it’s more likely that our goal is keeping up with a never-ending stream of regulations. In recent years, this has become especially true in the arena of information security where a number of high profile failures have led to a raft of legislative responses. Though many regulations may have appeared more recently, the reality is that the threats have been there all along—now we’re playing catch-up as to how to defend against these threats.
At their core, regulations help direct our efforts to where work needs to be done. The problem is that they are a lagging indicator rather than a leading indicator. Often by the time the regulation arrives, the damage has already been done to someone, and the regulation is a response to that damage to prevent the same thing from happening to someone else. Clearly a tool is needed to give a sense of the potential for damage before anything adverse happens.
Risk assessments as a tool for gauging regulatory compliance.
Risk assessments can be seen as an opportunity to receive advance notice of places that, if left unresolved, could result in harm in the future. When paired with regulations, these risk assessments can ensure a minimum confidence that security preparations and controls are in place. This type of risk assessments allows you to assess how compliant you are with the policies, regulations, or laws. Using question sets based on the actual text of the regulations, a risk assessment allows an organization to step through the various requirements of the regulation and gauge how reality measures up.
It should be noted that risk assessments differ from an audit. Risk Assessments act as an initial step in understanding risk by establishing baseline and identifying gaps. However, an audit, whether through an internal or external audit or even a regulatory agency, can focus at a later date on particular areas to verify appropriate controls are in place.
So many regulations, so little time.
Hopefully, you’re with me up to this point. Regulations aren’t just for taking up reams of paper (which they do) or for creating a complex web of requirements to follow (which they collectively also do); regulations enforce necessary minimums we would be wise to follow…or else.
The final question that remains for many might be: which risk assessment framework should I use? Unfortunately, the answer varies depending on your particular context. The good news is that regulations tend to accumulate based on industry, so each industry has their own pantheon of regulations they try to appease.
In addition, Risk Assessments can also be based on industry best practices which truly allows organizations to be proactive at shoring up security posture more broadly. These standards primarily look across a security framework or standard (e.g. NIST CSF/ 800-171) to assess risk in general or relative to recommended controls (e.g. CIS 20).
Choosing a framework is an important initial step in executing a risk assessment, especially in places where multiple verticals overlap such as Higher Education. For a more in-depth review of choosing a framework in Higher Education community, check back for a forthcoming article: IT Risk Assessment in Higher Ed, What Frameworks to Use?
Regulations relevant to higher education
To help narrow the field of possible regulations, we’ve curated the following list to summarize some of the potentially relevant information security regulations for Higher Education. Many regulations require specific explanation which is why you’ll find links to in-depth analysis of regulations, such as HIPAA, in our other blogs posts.
As it turns out, regulations are not all bad as they attempt to improve the security landscape of an industry as a whole. Though they may be a blunt tool for doing so, we can rest assured that there is no end in sight of regulations that will be created and no ignoring them for those already in existence.
|DFARs||Research Grant Requirement||Set of cybersecurity regulations that the Department of Defense (DoD) imposes on external contractors and suppliers||Federal and/or Corporate Research Grants and Partnerships (contract specific)|
|FERPA||Registrar||The University must provide students the right to inspect their education records and obtain written consent to release the records||Grades and education records|
|FISMA (NIST 800-53)||Research Grant Requirement||Treats the University as a federal contractor where it is holding federal data pursuant to federally-funded research.||Federal and/or Corporate Research Grants and Partnerships (contract specific)|
|GDPR (EU Data Privacy Act)||European Union Citizens||Law on data protection and privacy for all individuals/citizens of European Union member countries.||European Union Citizen Data whether in EU or not.|
|PIPEDA (Canadian data privacy act)||Canadian Citizens||Law on data protection and privacy for all individuals/citizens of Canada.||Canadian Citizen Data whether in country or not.|
|Privacy Act 1988 (Aus. data privacy act)||Australian Citizens||Law on data protection and privacy for all individuals/citizens of Australia.||Australian Citizen Data whether in country or not.|
|GLBA||Student Financial Aid (Department of Education)||Governs the collection, disclosure, and protection of consumers’ personal information and personally identifiable information.||Banking and financial information|
|HIPAA||Health facilities||Establishes national standards to protect individuals’ medical records and other personal health information.||Health records and information|
|HITECH Act||Health facilities||HITECH broadens HIPAA by extending coverage to business associates.||Health records and information|
|PCI-DSS||Payment processing||Information security standard for organizations that handle branded credit cards from the major card companies.||Payment and credit card information|
Refer to https://www.higheredcompliance.org/compliance-matrix/ for an exhaustive list of regulations relevant to Higher Education.
State regulations relevant to higher education
In addition to federal standards, many state regulations have been passed to address information security standards, often giving requiring state agencies or specific industries to assess their cybersecurity risk. Each state will be different, but the following sampling of state regulations have been relevant in our conversations with our partners.
|State Data Privacy Acts||Various||Many states require specific risk assessment or data privacy steps be taken to protect personal information. Review requirements specific to your state to understand your local requirements.||Personal Information|
|TAC202||TX||Set of security controls closely related to NIST 800-53/FISMA and required at state agencies and higher ed institutions.||Personal Information|
|CCPA (California Data Privacy Act)||CA||Effective in 2020, this grants California residents (aka “consumers”) the right to control the categories, places collected, and pieces of personal information that it collects.||Personal Information|
The DFARS Interim Rule came into effect on September 29, 2020, and it affects Higher Education Institutions that conduct DoD-sponsored research
Conducting a GLBA Pre-Audit Assessment will serve as evidence for your auditors and a guide for your institution
Learn everything you need to know about the GLBA in Higher Education with our comprehensive blog post
IT Risk Assessments are a critical component of any mature security program. Learn how to conduct your own with this quick guide.