Creating a Risk-Based Security Strategy
This month EDUCAUSE released their 2018 Top 10 IT Issues in Higher Ed. It comes as no surprise that once again Information Security topped the list for the third year running. This year EDUCAUSE phrased the #1 IT issue as “Developing a risk-based security strategy that keeps pace with security threats and challenges.”
That leads us to ask what is a risk-based security strategy and where does a campus start in creating one? Well for starters the authors at EDUCAUSE suggest that campuses “Pick a framework to follow (e.g., the CIS Controls or the NIST Cybersecurity Framework to set a baseline for where you are and to plan for how to improve within the chosen framework.” Assessing risk is critical for both demonstration of required compliance standards (e.g., FERPA, GLBA 314.4(b)) as well as to document institution wide risk over time and thus provide a roadmap to safeguarding risks and maturing campus security posture.
With the EDUCAUSE Security Professional Conference (SPC) only a few weeks away, we at SaltyCloud have decided to take the next few weeks to focus our blog on development of a Risk-based security strategy in Higher Ed. More specifically we will focus on the Role of Risk Assessments within a Risk-based security strategy with the intended goal to drive discussion around several areas pertinent to Higher Ed. Topics will include: Getting Started with an It Risk Assessment in Higher Ed, What Frameworks to Use, How Risk Assessment Fits into a Broader Risk Management Plan and How to Use the Output of a Risk Assessment.
Give us your comments, tell us what you want to hear about, and be sure to check back or subscribe for new posts.
More Saltyblog
-
ED Audit Guide 2020: GLBA Requirements
[vc_row css=".vc_custom_1539289638916{padding-top: 2rem !important;}"][vc_column width="4/5"][vc_column_text]UPDATE (February 2020) — The Department of Education Federal Student Aid released an electronic announcement. The announcement explains the procedures for enforcing the cybersecurity requirements under the Gramm-Leach-Bliley Act, and the consequences for institutions or servicers that fail to comply. UPDATE (October 2019) — The Department of Education Office of Inspector General issued Dear CPA Letter CPA-19-01. The letter amends the 2016 Audit Guide and explains the process for auditors to determine whether Institutions of Higher Education are in compliance with the Gramm-Leach-Bliley Act. UPDATE (June 2018) —
-
HECVAT: Building a VRM Process in Higher Ed
Learn how you can leverage the HECVAT to build a robust and efficient Vendor Risk Management (VRM) process across your higher ed institution.
-
Higher Education: Regulations Quick Guide
Regulations can help direct our efforts to where work might need to be done, but risk assessments give us advance notice of exactly where those gaps might be. Using a variety of applicable regulatory frameworks, anyone can shore up their compliance through the use of questionnaire-based risk assessments.
-
HIPAA: a roadmap for regulatory compliance.
For anyone in the medical field, HIPAA sets the standards for the use and protection of medical information and impacts every organization across the healthcare ecosystem, whether interacting with patients or not. As if the threat (and reality) of breaches wasn’t enough, the regulators behind HIPAA mean business when it comes to compliance.