The United States Department of Education (DOE) has sent friendly notices for two years in a row reminding colleges and universities of their requirement to comply with the strict guidelines for protecting student financial aid information. Cybersecurity should be near the top of every organization’s priority list, but for higher education institutions it should be elevated even further. Given that the DOE has provided two warnings to date, we should assume they plan to take a stricter stance on cybersecurity infrastructure, protection, and controls during compliance audits.
Many organizations quickly punt the topic of cybersecurity to the IT department. While IT plays a huge role in cybersecurity, it is the responsibility of those charged with organization governance to ensure compliance is met. Board members and senior leadership should be asking the questions and confirming that the institution is devoting the proper resources and attention to cybersecurity.
- It is also critical to understand that cybersecurity is not a one-time project. It is a continual evolution and initiative.
- Leadership needs to also recognize there can be substantial costs associated with cybersecurity activities and they are not optional. The DOE letter makes this point very clear when they state “The Department understands the investment and effort required by institutions to meet and maintain the security standards established in NIST SP 800-171. Nonetheless, across the public and private sectors, it is imperative that organizations continue to enhance cybersecurity in order to meet evolving threats to controlled unclassified information and challenges to the security of such organizations.”
With the ongoing focus on higher education institutions’ bottom lines, it might be tempting to defer projects related to cybersecurity to reduce budgets. However, doing so could put your institution in a position where the DOE finds your organization in noncompliance with your Program Participation Agreement (PPA) for Title IV student financial aid. Cutting corners on cybersecurity compliance could wind up costing your institution more in the long run.
At this point, most organizations have some form of information security or cybersecurity policies in place, but do yours include the very specific requirements outlined in the Gramm-Leach-Bliley Act (15 U.S. Code 6801) and NIST SP 800-171? When was the last time your institution performed a thorough IT risk assessment (one that meets the NIST SP 800-171 standards)? Have proper remediation tasks been completed for any deficiencies that have been identified? If you cannot answer “Yes” with 100% confidence to all of these questions, it is time to take action before your institution faces substantial negative impacts.
For assistance in reviewing and determining your institution’s cybersecurity position, specifically as it relates to compliance with DOE standards, contact Jason Miller at 859-425-7626 or firstname.lastname@example.org.
Dean Dorton Technology provides specialized cybersecurity services, specific to the unique requirements and challenges of higher education institutions. Our team of IT auditors has an elite background of audit experience combined with practical IT administration and will evaluate information system control environments, identify the risks, provide a basis for reliance on the system, and deliver cost-effective control recommendations for your organization.