How do you gauge the strength of your information security plan?
Information with any value will always be at risk. Even institutions with world-class security systems know that a breach is still possible, even likely. The best strategy? Plan ahead.
A well-rounded security plan accounts for both short- and long-term needs, mapping out actionable strategies to reduce risk, while knowing how to address the inevitable breach. Just as threats evolve, infosec plans must be continually revised alongside the policies and technology that support them.
10 questions to gauge the strength of your information security plan
1. Do we know our security requirements?
To outline, budget for, and implement an effective security program, you must first understand what needs to be protected and what it will take to do the job right. This includes taking an inventory of the following:
- Your institution’s data and information assets
- The technology, people, and processes that affect how that information is stored and shared
- The security posture of your partners and other external parties
- The tools and capabilities required to safeguard your assets
Even systems and data that are not under the direct control of your central IT team should be included in this audit. The institution is responsible for protecting all its information assets, regardless of ownership, so your plan must be comprehensive.
2. Are we staying up to date on legal and regulatory requirements?
In addition to your own internal standards, there are a range of legal and regulatory policies governing data privacy and protection. Requirements may vary by state, country, and institution type, but failure to comply can impact your funding and reputation.
The best strategy for staying current and compliant is to create a strong partnership between your IT and legal departments. Don’t leave it to technical staff to interpret the law. Your legal team is best equipped to:
- Understand and monitor local, state, federal, and international policies
- Put regulations in context as to how they relate to your institution and the level of risk involved
- Help manage compliance
3. Do we have adequate policies and standards?
Every school should have a clear set of policies and standards governing how institutional data gets used, stored, and shared. Here are a few guiding principles:
- Develop an “Acceptable Use” policy that dictates what employees and other users can or can’t do on the institution’s network and systems
- Set standards for how often passwords must be changed and how strong they must be
- Create policies governing the use of personal devices on campus
The SANS Institute—a non-profit organization serving security professionals across multiple industries—offers templates for creating and implementing a range of information security policies.
All employees should be educated and expected to follow institutional policies and standards. Ensure other users are informed of their responsibilities as well. Some organizations have a formal certification process for new employees—or all employees at regular intervals—to ensure compliance.
4. Are we tightly managing identity and access?
Identity and access management is about giving the right people access to the right information at the right time. If you don’t keep a tight rein on who’s accessing what, you leave multiple entry points for hackers.
For example, here are two common scenarios that put many institutions at risk:
- There are dozens of systems across campus that aren’t linked and require separate IDs and passwords. To make life easier, staff tend to use the same password for a low-security system (like a survey application) as they do for a high-security system (like payroll). A hacker then only needs to break into the survey application to gain entry into payroll.
- There isn’t a clear process for changing or removing credentials when employees switch roles or leave the institution. Perhaps a disgruntled former employee can still access financial information or a staff member who has moved to a new department can still access information that’s no longer relevant to their job.
As institutions across the country weathered transitions to remote learning, new security gaps emerged, possibly accounting for the number of ransomware attacks on higher education doubling between 2019 and 2020, as reported by Educause. Now is the time for institutions to ensure they have a unified, centralized system for managing identity and access—one that is well integrated into daily business processes.
5. Have we engaged senior management and the board?
Security is not just a technology challenge, it’s a business imperative. Given the large potential impact of a data breach, senior management and board members must be highly engaged in information security planning. IT alone cannot weigh risk vs. cost or ensure a culture of compliance at every level of the institution.
When faced with funding decisions for network security, senior leaders need to understand exactly what’s at stake. According to IBM’s 2021 report, the average cost of a data breach in the education sector is $3.79 million. For colleges and universities, however, the true expense can’t be calculated, as any failure to secure personal information risks noncompliance with federal regulations, potential funding opportunities, and most critically, student trust.
6. Are we providing adequate ongoing education?
Lack of awareness and education about security threats is one of the biggest risks for most institutions.
You must have a well-documented and adequately resourced plan for ongoing information security training. This could include everything from mandatory courses on phishing and malware to regular messaging on the latest threats.
Educause offers a number of free resources institutions can use to educate faculty, staff, and students about cybersecurity.
7. Are we careful when choosing partners?
When retail giant Target experienced a massive data breach in 2013, it was not their own network that hackers broke into but rather the network of a heating and air conditioning sub-contractor that had worked at a number of Target stores.
No one remembers the name of that HVAC company, but they surely remember Target as a company that loses personal data. Target also paid a heavy financial price to rectify the situation and appease customers. The key takeaway? You are ultimately responsible for your students’ and employees’ personal data, even when—especially when—it’s being shared with third-party vendors. So, choose partners wisely.
Ask potential partners the same hard questions about the security of their information systems as you do about your own. Discuss auditing and compliance up front. Put processes in place to hold them accountable. If they can’t meet your standards, look for someone who can.
8. Are we using appropriate technology?
Technology can greatly enhance information security. The key is to modernize and simplify, since complexity only makes it harder to monitor and control who is accessing what.
- Identify and retire legacy systems and business processes that are needlessly cumbersome or no longer receive security patches.
- Streamline the steps you use to grant system and data access, as well as those used to close the loop once an employee moves on.
- Install updates and patches as soon as they’re available.
- Invest in new tools and technology regularly
While it might feel like the investments you’ve already made will soon be obsolete, a lot of malicious activity remains rudimentary in nature. If you’ve implemented basic security protocols and technology, they’ll still be effective against all but the most advanced attacks for quite some time.
To address more advanced threats, or if you’re having trouble getting basic systems and processes in place, consider relying more on partners. Vendors that specialize in information security have significantly more resources and expertise than institutions can likely build in house. Transitioning data to the cloud, for example, might be a smart security move for institutions with outdated infrastructure or skills. By outsourcing some aspects of security, you can use your own resources more efficiently.
9. Do we aggressively follow up on incidents?
We live in a world where data breaches are “when” not “if.” That’s why responding appropriately to security incidents is as important as preventing them.
Gather data on incidents that will help you reduce recurring issues or prevent more damaging impacts. Establish routines and best practices, so that you can mobilize quickly in the event of a breach. Review and analyze your trends. Data can also help you make the case for spending more money on things like firewalls or network intrusion detection.
10. Are we making continuous investments?
Information security is an ongoing practice, not a one-time implementation. You will never be fully protected because there will always be new threats. But with careful planning—and a sustained investment of resources—you can effectively mitigate risk.
Make sure that your annual and long-term budget for information security reflects its level of importance to your business. Help decision makers understand the link between data protection—or lack thereof—and successful recruiting, advising, fundraising, and other key functions. Stay actively engaged with industry forums and workgroups to understand evolving threats and security best practices.
Get comfortable with discomfort
Planning for something to go wrong, in a world where what can go wrong is constantly changing, is uncomfortable, to say the least. But if you can get comfortable with discomfort—becoming agile, alert, responsive, and realistic—you can create the level of security that faculty, staff, and students need to thrive.