Virtual CISO for educational institutions: protecting sensitive data
Why is bringing a virtual CISO into an educational institution a good idea? At the end of the day, it's about protecting sensitive data. And within an educational institution, that means student personal information.
And this matters beyond a company's success, its financial numbers, or its ability to endure a cyber-attack. The right thing to do is to protect the personal information of our younger generation, and that is the core cyber responsibility of an educational institution.
Regulations
How do we do that? Well, I've been fortunate enough to work with a couple of educational institutions. And the way we do that, first off, is by paying close attention to the Family Educational Rights and Privacy Act, also known as FERPA. This is a US federal law that governs how schools and educational institutions receiving federal education funding must handle, protect, and disclose student education records.
So that's number one: we have to pay attention to the regulations that govern how we must protect student data. The other driver I've seen come in is that educational institutions regularly work with state agencies.
Security Frameworks
Those state agencies, being part of a government organization, will often align to NIST SP 800-171 or other NIST SP 800-series guidelines. So the second area we look at, as a virtual CISO, to help protect the sensitive data of educational institutions is the NIST SP 800 series. These are guidelines rather than laws, but a state agency's contract or data-sharing agreement can make their controls mandatory, and we need to make sure the institution's cybersecurity program is in line with the controls that the applicable NIST SP 800 publication requires.
Cloud Security
The third area that a virtual CISO will look to, to help protect sensitive data for an educational institution, is cloud security best practices. The reason I say that is because, from my personal experience, the new technologies we're introducing to help students are online. You're going to notice a lot of new options for students to do school online or to take a class from a non-government institution.
All of those classes are hosted on what we call SaaS, software as a service. That SaaS application is in turn hosted on a cloud platform, and that cloud platform has modules or services built into it to handle authentication of usernames and passwords.
They'll tie that username and password to a full name, and often to a personal email account. When we look at these cloud standards, number one, the virtual CISO wants to make sure the educational institution is holding on to only the least amount of information required to get the job done.
What I mean by that is, in the authentication system for a SaaS platform, we don't need students telling us their pet's name or their social security number. We want to reduce the fields we store so that we reduce the amount of sensitive data. The SaaS identity still has to be mapped to whatever student information system collects student records or attestations of classes finished for credit or college, but that mapping should be a link to the record, not a copy of the sensitive fields into the SaaS platform.
Within that system, in that database, there's going to be more sensitive information relating to the student: their full name, their address, their personal email, and sometimes their social security number. These are data elements that are critical for an educational institution to protect. We really want to limit access to those databases: who can access them, and when.
We want to put additional security controls around that, including multi-factor authentication and encryption both in transit and at rest. Again, we're going to look at regulations and frameworks such as FERPA and NIST, but then we're going to go beyond that to cloud security best practices and application security best practices, because at the end of the day, this is about more than checking a box to protect sensitive data. It's a role and responsibility we simply have, because protecting student privacy information is the right thing to do.
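To make the two controls above concrete (store only the fields the SaaS platform actually needs, link the SaaS account to the student records system by an opaque identifier, and gate reads of the records database by role, MFA status and time window), here is an added Python example. It is not code from the original page or from any institution described here; the field allow-list, the role table, the access window and the `mapping_key` are assumptions chosen for illustration, and the sign-up form data is constructed.

```python
"""Added example: data-minimised SaaS identity record, an opaque link to the
student information system (SIS), and least-access checks on the SIS database.
Field names, roles, and the access window below are illustrative assumptions."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, time, timezone

# Assumption: the SaaS authentication store may hold only these fields.
SAAS_ALLOWED_FIELDS = frozenset({"username", "password_hash", "display_name", "contact_email"})

# Assumption: which roles may read which SIS fields (least privilege per field).
SIS_FIELD_ROLES = {
    "full_name": {"registrar", "advisor"},
    "contact_email": {"registrar", "advisor"},
    "home_address": {"registrar"},
    "ssn": {"registrar"},
}

# Assumption: SIS reads are only allowed during this UTC window.
ACCESS_WINDOW = (time(7, 0), time(19, 0))


def minimise_saas_profile(form: dict) -> tuple[dict, list[str]]:
    """Keep only allow-listed fields; return what was dropped so it can be
    logged as over-collection (e.g. a form that still asks for an SSN)."""
    kept = {name: value for name, value in form.items() if name in SAAS_ALLOWED_FIELDS}
    dropped = sorted(set(form) - set(kept))
    return kept, dropped


def surrogate_id(student_number: str, mapping_key: bytes) -> str:
    """Opaque link from a SaaS account to a SIS record. A keyed HMAC means the
    SaaS side cannot recover the student number without the mapping key,
    which only the mapping service holds (assumption)."""
    digest = hmac.new(mapping_key, student_number.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:32]


@dataclass(frozen=True)
class AccessRequest:
    principal: str
    role: str
    mfa_verified: bool
    requested_at: datetime   # timezone-aware
    fields: frozenset        # SIS fields the caller wants to read


def authorize_sis_read(req: AccessRequest) -> tuple[bool, str]:
    """Deny by default: MFA, time window, and per-field role check must all pass."""
    if not req.mfa_verified:
        return False, "mfa required"
    at = req.requested_at.astimezone(timezone.utc).time()
    if not ACCESS_WINDOW[0] <= at <= ACCESS_WINDOW[1]:
        return False, "outside access window"
    for field in sorted(req.fields):
        permitted = SIS_FIELD_ROLES.get(field)
        if permitted is None or req.role not in permitted:
            return False, f"role {req.role} may not read {field}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample sign-up form: it over-collects an SSN and a pet name.
    form = {"username": "jdoe", "password_hash": "argon2id-hash-placeholder",
            "display_name": "J. Doe", "contact_email": "jdoe@example.edu",
            "ssn": "123-45-6789", "pet_name": "Rex"}
    kept, dropped = minimise_saas_profile(form)
    print("stored in SaaS:", sorted(kept), "dropped:", dropped)
    link = surrogate_id("S100200", b"demo-mapping-key")   # constructed key
    print("SaaS -> SIS link:", link)
    req = AccessRequest("advisor1", "advisor", True,
                        datetime(2024, 3, 4, 15, 0, tzinfo=timezone.utc),
                        frozenset({"full_name", "ssn"}))
    print(authorize_sis_read(req))
```

The point of `surrogate_id` is that the SaaS platform holds a link, not the student number or any of the record fields; the mapping key stays with whichever service performs the lookup, and the SIS keeps the sensitive columns under its own access policy. `authorize_sis_read` denies unless every condition passes, so a new field that nobody has added to the role table is unreadable by default.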
So that's how a virtual CISO can help an educational institution. Oftentimes these educational institutions have to answer a lot of security questionnaires. There are a lot more hurdles, questions, and evidence requests from the organizations they're trying to sell or promote their educational platform to.
A virtual CISO can greatly reduce the friction and the time that takes. In addition, one way to reduce friction is to achieve an independent attestation such as a SOC 2 Type 2 report. If your educational institution does decide to pursue a SOC 2 Type 2, a virtual CISO can greatly speed that process up, organize and delegate the tasks required, and ensure that those controls are properly applied and that evidence is collected for the attestation. That's something we've done, and as a result, we've seen those educational institutions achieve greater results in their sales pipeline.
So those are some areas where a virtual CISO can help an educational institution, and those are just around protecting sensitive data. That is just the tip of the iceberg. Below that are the other things a virtual CISO can help with: protecting against today's common threats, making sure that your technology, your infrastructure, and your productivity remain available, making sure that in the event of an attack you are ready to respond, and making sure that if data is destroyed or ransomed, you have a way to recover it.
So really, we're talking about confidentiality of data, integrity of data, and availability of systems and data. I hope that helps. If you have any questions on the role of a virtual CISO with an educational institution, leave a comment below and I'll try to answer them.