Lepide Blog: A Guide to IT Security, Compliance and IT Operations

Leveraging the NIST Framework in Educational Institutions


Data security is a top priority for higher education institutions due to their susceptibility to cyberattacks. Colleges and universities attract cybercriminals due to the extensive use of online communication platforms, such as email and video conferencing. To make matters worse, the COVID-19 pandemic forced students, teachers and other employees to operate from home, thus presenting additional cybersecurity challenges. Therefore, it is imperative for these institutions to implement robust data security measures.

Addressing Cybersecurity Threats in Higher Education Institutions

Educational institutions today face numerous threats that can jeopardize the privacy and security of sensitive information. One common threat is social engineering, where cybercriminals manipulate individuals into divulging confidential data or granting unauthorized access. Additionally, weak passwords, insufficient security protocols, and unpatched software systems present vulnerabilities that can be exploited. Data breaches can result in the exposure of student and staff personal information, including Social Security numbers and financial data. Below are some of the most notable measures that educational institutions should focus on to minimize the number of cybersecurity incidents:

1. Prevent social engineering: Phishing attacks target educational institutions due to their high email volume. Security awareness training and secure file transfer processes can reduce the threat.

2. Protect lines of communication: Improper configuration of communication tools like Zoom can lead to unauthorized access. Reviewing staff’s usage and implementing security measures can improve protection.

3. Understand compliance requirements: Higher education institutions are required to protect student records under FERPA and other regulations. Non-compliance can result in penalties, including the loss of federal funding.

4. Use effective data collection methods: Unresolved issues with manual data entry and outdated technology make it considerably harder to prevent data breaches. Using up-to-date technology improves productivity and enhances data security. Additionally, using web forms for data collection centralizes information and saves time.

Adapting the NIST Framework for Educational Institutions

The NIST Framework is a set of guidelines and best practices that organizations can voluntarily follow to enhance their risk management processes and overall security. By standardizing this framework, businesses can communicate and learn from each other, protecting themselves from cyber attacks. The goal is to assist organizations of all sizes in understanding their security risks and effectively preventing, responding to, and recovering from potential attacks.

The NIST SP 800-171 is a set of security controls that sets standards for cybersecurity in federal government organizations. Given their ties to federal agencies, colleges and universities have started adopting this framework to protect themselves against cyber threats. It is important for higher education institutions with government partnerships to prioritize cybersecurity compliance.

NIST SP 800-171 can help educational institutions comply with the following regulations:

  • Family Educational Rights and Privacy Act (FERPA)
  • Federal Information Security Management Act (FISMA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Higher Education Act (HEA)
  • NIST Risk Assessment and Audit Standards
  • Payment Card Industry Data Security Standards (PCI-DSS)
  • Student Aid Internet Gateway (SAIG) Enrollment Agreement

Safeguarding Student Data: Best Practices

To adhere to the compliance standards outlined in NIST SP 800-171, educational institutions should adopt these recommended approaches in order to effectively fulfill their cybersecurity obligations.

Discover & Classify Sensitive Data: To enhance data security processes, schools should discover and classify their sensitive data based on different levels of importance and the impact of a breach. They should also ensure that they are not storing any duplicate data. Priority should be given to securing enrollment numbers, tuition payment information, student financial aid details, personal information of students, employees, and staff, healthcare information, classified research data, and critical infrastructure plans.

Evaluate Existing Security Capabilities: NIST offers a guide (NIST SP 800-30) for evaluating cybersecurity risk. Conducting an annual risk assessment is crucial for organizations to understand their security posture and vulnerabilities. The assessment process involves identifying security gaps and creating incident response procedures for cyber attacks. In some cases, schools may have to turn down government contracts if the costs outweigh the benefits.

Establish a Cybersecurity & Compliance Program: As mentioned above, schools can improve their cybersecurity by implementing the NIST 800-171 security framework. This framework helps identify and address security gaps, meet compliance requirements, and assign specific roles within the IT team. It may also involve creating multiple incident response plans based on risk assessment audit findings to tackle new attack vectors and cyber threats.

In addition, a compliance program should include actionable milestones for short and long-term goals, funding requirements, security budgets, team responsibilities, and data governance policies. It is crucial to regularly update these programs to align with the latest compliance procedures and cybersecurity standards. Schools can conduct self-assessments or hire third-party auditors to monitor progress and adapt to regulatory changes.

Furthermore, schools must prioritize cybersecurity education and training for all staff, employees, and students to maintain consistent standards. This helps schools stay knowledgeable about evolving threats, technology updates, and new malware.

Implement a System Security Plan: A system security plan (SSP) is a formal document that outlines an organization’s information system security requirements and controls. It helps establish a roadmap for cybersecurity goals and programs. The SSP covers data protection, user access, IT team roles, access control, traffic monitoring, network segmentation, incident response, threat intelligence, and reporting. Failing to have an SSP in place can result in non-compliance with NIST 800-171, leading to the rejection of contract bids by the federal government.

Perform a Cybersecurity Audit: Schools should regularly assess their cybersecurity programs, SSPs, and compliance with a cybersecurity audit, similar to a risk assessment. Changes in regulations and emerging attack methods necessitate yearly reviews and updates to security policies. While internal audits can be conducted by the IT team, it is advisable to engage an external third-party auditor. This approach can uncover system and network vulnerabilities, identify new security gaps, and propose improved security measures to combat cyber threats.

Ensuring Compliance with Student Privacy Regulations

In the United States, the Family Educational Rights and Privacy Act (FERPA) requires that colleges and universities have practices in place to secure student data. FERPA sets guidelines for protecting student data, such as requiring educational agencies and institutions to use reasonable methods to identify and authenticate individuals before disclosing or granting access to personal information. While FERPA does not specify the exact methods to use, best practice recommendations include:

  • Conducting privacy risk assessments
  • Selecting authentication levels based on risk
  • Storing credentials securely
  • Implementing password policies to prevent misuse, which includes encrypting stored passwords and locking out accounts that exhibit suspicious activity.
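The last two recommendations (storing credentials securely, and locking out accounts after suspicious activity) can be illustrated with a small credential store. This is an added example and not code from the original post; it stores passwords as salted scrypt hashes, which is the usual way to meet "encrypting stored passwords" in practice because a key-derivation hash cannot be reversed even if the database and its keys leak. The lockout thresholds, class name and in-memory storage are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters for this example (not from the original post).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
MAX_FAILURES = 5          # consecutive failures before the account locks
LOCKOUT_SECONDS = 900     # how long the account stays locked


class CredentialStore:
    """In-memory store: per-user salt, scrypt hash, and lockout state."""

    def __init__(self):
        self._users = {}

    def _derive(self, password, salt):
        # scrypt is a memory-hard KDF: the stored value cannot be reversed to
        # recover the password, unlike encryption with a recoverable key.
        return hashlib.scrypt(password.encode(), salt=salt,
                              n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)

    def register(self, username, password):
        salt = os.urandom(16)  # a unique salt per user defeats precomputed tables
        self._users[username] = {
            "salt": salt, "hash": self._derive(password, salt),
            "failures": 0, "locked_until": 0.0,
        }

    def is_locked(self, username, now=None):
        rec = self._users.get(username)
        now = time.time() if now is None else now
        return rec is not None and now < rec["locked_until"]

    def authenticate(self, username, password, now=None):
        """Return True only for a correct password on an unlocked account."""
        now = time.time() if now is None else now
        rec = self._users.get(username)
        if rec is None:
            self._derive(password, b"\0" * 16)  # same work for unknown users
            return False                         # so timing does not reveal them
        if now < rec["locked_until"]:
            return False  # locked accounts are refused even with the right password
        candidate = self._derive(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):  # constant-time compare
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["failures"] = 0
            rec["locked_until"] = now + LOCKOUT_SECONDS
        return False
```

The `now` parameter exists so the lockout window can be exercised deterministically; a production system would also log each lockout event so the suspicious activity surfaces in monitoring.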

Case Study: Successful Implementation in Education

The University of Chicago’s Biological Sciences Division (BSD) has adopted the NIST Cybersecurity Framework to establish a unified cybersecurity program across its 23 departments. As one of the largest divisions within the institution, BSD comprises over 5,000 faculty and staff members. BSD and its consultants formed a group of cybersecurity engineers and other relevant experts to carry out the implementation of the framework. Drawing on all seven steps outlined in the NIST Framework, the team defined four phases to steer the implementation process: Current State, Assessment, Target State, and Roadmap.

After successfully implementing the NIST Framework, the team used ISO 15504 to assess the gaps in BSD’s cybersecurity program. They assigned values from 0 to 4 to measure the difference between the current and target states. The team also created a self-assessment tool to help departments track their progress in completing projects outlined in the roadmap. A radar chart was used to monitor progress across departments and present updates to the leadership team. BSD also educated all users on the security program and continuously monitored improvements. Key initiatives were implemented to enhance cybersecurity capabilities throughout the organization and support departments in achieving their goals.

If you’d like to see how the Lepide Data Security Platform can help you integrate the NIST framework into your data security program, schedule a demo with one of our engineers.