
Are You Prepared For The Inclusion Of Cybersecurity Requirements In Your Next Audit?

Agenda
Introduction
Why is cybersecurity important?
Laws & Regulations
Data breaches
What does this mean for institutions?
Recommendations

Introduction
John Knost, Manager with Attain, LLC
Attain is a management consulting firm with over 600 employees. We provide services to the Federal Government, State Governments, Not-For-Profits, and Institutions of Higher Education.

Why is cybersecurity important?
Cyber attacks against Institutions of Higher Education are increasing. This is due to:
Ad-hoc security;
Increasing complexity of the systems used;
A traditional lack of focus on cybersecurity; and
The wealth of information stored (e.g. personal information, scientific research, etc.).
The US Department of Education (ED) has determined that Title IV eligible Institutions are considered Financial Institutions under the Gramm-Leach-Bliley Act (GLBA).

Laws & Regulations
ED has cited several laws and regulations that require institutions to have a cybersecurity program:
GLBA (15 U.S. Code § 6801);
Data security requirements in the Program Participation Agreement;
Data security requirements in the Student Aid Internet Gateway (SAIG) Enrollment Agreement;
Dear Colleague Letters (DCL) GEN15-8 & GEN16-2.
This presentation focuses on the GLBA, as it has the highest standards.

Laws & Regulations
GLBA Requirements:
Develop, implement, and maintain a written information security program;
Designate the employee(s) responsible for coordinating the information security program;
Identify and assess risks to customer information;
Design and implement an information safeguards program;
Select appropriate service providers that are capable of maintaining appropriate safeguards; and
Periodically evaluate and update their security program.
(DCL GEN16-2)

What is a data breach?
Per GLBA, a breach is any unauthorized disclosure, misuse, alteration, destruction or other compromise of information.
Important items to note:
No minimum size or number of records, and employees aren't exempt.
Not strictly digital or technology-based: paper counts!
Covers data in storage, in transit or being processed.
(Post-Secondary Institution Data-Security Overview and Requirements, Tina K.O. Rodrigue, FSA 2017)

Reporting a Breach
The Student Aid Internet Gateway (SAIG) Agreement requires, as a condition of continued participation in the federal student aid programs, that Title IV schools report suspected or actual data breaches.
Title IV schools must report on the day of detection, even when a data breach is only suspected.
The Department has the authority to fine institutions that do not comply with the requirement to self-report data breaches: up to $54,789 per violation per 34 C.F.R. § 36.2.
(Post-Secondary Institution Data-Security Overview and Requirements, Tina K.O. Rodrigue, FSA 2017)

What does this mean for institutions?
There are two ways to answer this question:
Gold standard: treating data as Controlled Unclassified Information (CUI).
Audit standard: the minimum requirements to avoid an audit finding.
The standard for Controlled Unclassified Information (CUI) is detailed in NIST SP 800-171. NIST (the National Institute of Standards and Technology) provides very detailed information on what constitutes an effective information security program.

What does this mean for institutions? - NIST
NIST requirements fall into five categories.
Identify
Risk assessment: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
Governance: The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

What does this mean for institutions? - NIST
Protect
Data security: Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.
Protective technology: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

What does this mean for institutions? - NIST
Detect
Anomalies and events: Anomalous activity is detected in a timely manner and the potential impact of events is understood.
Detection process: Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

What does this mean for institutions? - NIST
Respond
Communications: Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
Mitigation: Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.

What does this mean for institutions? - NIST
Recover
Recovery planning: Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.
Communication: Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.

What does this mean for institutions? - Audit
The FY18 audit standard is significantly less strict than NIST SP 800-171 and has two requirements:
Have a designated information security officer (ISO);
Have completed a risk assessment and designed appropriate internal controls to mitigate the identified risks.

What does this mean for institutions? - Audit
What areas must be covered in the risk assessment?
"…protect student financial aid information, with particular attention to information provided to institutions by the Department of Education…otherwise obtained in support of the administration of the Title IV Federal student financial aid programs authorized under Title IV of the Higher Education Act, as amended (the HEA)" [DCL GEN16-2]
At a minimum, information in:
Financial aid management system;
Network location where SAIG files are stored;
Student system (course registration & grades);
Admissions (High School Completion and/or GED scores);
Student Accounts (Charges and Title IV payments);
Network location where documentation for funding draws from G5 is stored;
3rd-party software that has access to or stores related data.

Recommendations
Open a dialog with campus leaders to discuss the importance of cybersecurity and ED's requirements, including ED's recommendation for having an information security program compliant with NIST SP 800-171.
Ensure your institution has assigned an information security officer (ISO). If not, work with the appropriate executives to ensure someone is assigned.
Ask for the completed information security risk assessment with defined controls.

Risk Assessment & Controls

Risk Assessment & Controls
Internal Control: Systematic measures (such as reviews, checks and balances, methods and procedures) instituted by an organization to (1) conduct its business in an orderly and efficient manner, (2) safeguard its assets and resources, (3) deter and detect errors, fraud, and theft, (4) ensure accuracy and completeness of its accounting data, (5) produce reliable and timely financial and management information, and (6) ensure adherence to its policies and plans. (www.businessdictionary.com)

Risk Assessment & Controls
There are numerous templates available for documenting risk and controls. Let's review one I frequently use.

Questions?
Contact Information: John Knost, John.knost@attain.com, (714) 263-6208
Email me for a copy of the risk assessment template.

Join us May 20 - 24, 2019 for FASFAA 2019 at the Hyatt Regency Coconut Point Resort & Spa