Cybersecurity Compliance: Our Part and Yours
June 16, 2022
We understand. Cybersecurity can feel like red tape that gets in the way of your work. Sometimes we want to put off our annual training, or we're disappointed that it takes extra time for IT to review technology purchases for security requirements.
What's with all these requirements? Why are they important?
There are two reasons for these requirements. We’ve mentioned the first reason many times: The InfoSec team’s purpose is to protect Biola’s people, resources, and reputation. This isn’t easy to do, and requires the entire community’s effort.
Today, we’ll talk about the second reason: Compliance.
Your Part in Compliance
You probably want to know how your responsibilities affect compliance, so here’s how you can participate:
Allow plenty of time: Submit technology purchase requests (software, services, hardware) well in advance of the due date. This will give us time to work through our review process and contract routing if necessary. The same applies to software renewals.
Research your purchases: The software we use at Biola must comply with data security standards. Before submitting a software purchase request, determine exactly what types of university data the software or service will transfer and store. Provide these details on the software purchase request form or service request form, so we can ensure your software is compliant.
Document your data: Make sure you understand and document the types of data you store, where you store it, and how long you maintain it (before deleting it from your systems).
Follow FERPA: Handle all student education records in alignment with FERPA requirements (we talk about FERPA below).
Complete your training: Complete your annual mandatory cybersecurity training. This training is required for all full-time and part-time employees.
Learn to spot phishing: Scrutinize email messages carefully, and think before clicking any links or downloading any attachments. Social engineering attacks are still a significant cybersecurity threat. If you want help analyzing an email message, contact the IT Helpdesk to request help from the InfoSec team.
Gather your evidence: If you are a department that participates in our annual GLBA assessment, make sure you are prepared to provide evidence for each compliance item on your annual questionnaire.
Our Part in Compliance
The InfoSec team manages a few security-related compliance standards, and we want you to know about them so that the requirements have some context.
GLBA
GLBA (the Gramm-Leach-Bliley Act) requires Biola to document and report on our data protection policies and procedures. As part of GLBA, the Federal Trade Commission’s Safeguards Rule requires us to:
Manage an information security program with dedicated personnel
Perform risk assessments in departments that handle customer financial information (such as financial aid and payment records)
Carefully review the security practices of Biola’s third-party service providers
The InfoSec team works through a GLBA compliance process every year with departments like Financial Aid and Student Account Services.
CIS Critical Security Controls Framework
Cybersecurity insurance is getting more expensive every year. Attacks are becoming more common, and insurers see higher education as a high-risk sector.
To keep costs down, we align our information security program with a recognized cybersecurity framework, which demonstrates that we follow best practices to protect Biola from cybersecurity threats. The InfoSec team is working on the long-term process of aligning Biola’s program with the Center for Internet Security’s (CIS) Critical Security Controls framework.
The CIS Controls cover everything from how we securely configure our computers and network, to how we vet vendors and technology purchases, to how we train our users on security principles. Aligning with the CIS Controls will give Biola a strong cybersecurity posture in a time of increasing threats.
FERPA
Most of us are familiar with FERPA (The Family Educational Rights and Privacy Act), but we may not know how it applies to our jobs at the university.
For data to qualify as FERPA Student Education Records, it must meet both of these criteria:
Criterion #1: Directly related to a student
Criterion #2: Maintained by an educational agency or institution (or by a party acting on its behalf)
Generally, a record that contains personally identifiable information about a student is “directly related” to that student. More broadly, any information that could identify a particular student is also “directly related” to them.
The second criterion is harder to define, but typically, for a record to be “maintained” by Biola, it must be kept in one place with a single record of access. Records kept briefly and then deleted, such as student assignments, are typically not FERPA-protected. Records that a department maintains, such as grades, degree completion, or student ID numbers, are.
Anyone who interacts with Biola data for university business is considered a “School Official” under FERPA and is responsible for protecting student data, even if they don’t work for Biola; this includes vendors and contractors acting on the university’s behalf. This is one reason why we need to review technology contracts, and why IT works with Legal to ensure that we can trust third parties to handle our data, and that our students are legally protected in the case of a cyberattack or data breach.
PCI DSS
Because Biola accepts credit card payments, we must comply with the Payment Card Industry Data Security Standard (PCI DSS). Compliance is a shared year-round effort between Financial Management, InfoSec, and many other departments who handle credit card transactions.
This standard requires us to confirm security controls on our network and computer systems, to train personnel, and to maintain documented policies and procedures.
You are a significant part of Biola’s cybersecurity efforts. Every employee is a potential entry point for an attacker to hit Biola with a costly data breach or disruption of service. Your awareness and daily habits keep Biola safe. Thank you for contributing to our program by helping us stay compliant with modern security standards!