Published by Pierce Hood. Modified over 6 years ago.
Are You Prepared For The Inclusion Of Cybersecurity Requirements In Your Next Audit?
Agenda
- Introduction
- Why is cybersecurity important?
- Laws & Regulations
- Data breaches
- What does this mean for institutions?
- Recommendations
Introduction
John Knost, Manager with Attain, LLC
Attain is a management consulting firm with over 600 employees. We provide services to the Federal Government, State Governments, Not-for-profits, and Institutions of Higher Education.
Why is cybersecurity important?
The number of cyber attacks against Institutions of Higher Education is increasing. This is due to:
- Ad-hoc security;
- Increasing complexity of the systems used;
- A traditional lack of focus on cybersecurity; and
- The wealth of information stored (e.g. personal information, scientific research, etc.).
The US Department of Education (ED) has determined that Title IV eligible Institutions are considered Financial Institutions under the Gramm-Leach-Bliley Act (GLBA).
Laws & Regulations
ED has cited several laws or regulations that require institutions to have a cybersecurity program:
- GLBA (15 U.S. Code § 6801);
- Data security requirements in the Program Participation Agreement;
- Data security requirements in the Student Aid Internet Gateway (SAIG) Enrollment Agreement;
- Dear Colleague Letters (DCL) GEN15-8 & GEN16-2.
This presentation focuses on the GLBA, as it has the highest standards.
Laws & Regulations
GLBA Requirements:
- Develop, implement, and maintain a written information security program;
- Designate the employee(s) responsible for coordinating the information security program;
- Identify and assess risks to customer information;
- Design and implement an information safeguards program;
- Select appropriate service providers that are capable of maintaining appropriate safeguards; and
- Periodically evaluate and update their security program.
Source: DCL GEN16-2
What is a data breach?
Per GLBA, a breach is any unauthorized disclosure, misuse, alteration, destruction or other compromise of information.
Important items to note:
- No minimum size or number of records, and employees aren't exempt.
- Not strictly digital or technology-based: paper counts!
- Covers data in storage, in transit or being processed.
Source: Post-Secondary Institution Data-Security Overview and Requirements – Tina K.O. Rodrigue, FSA 2017
Reporting a Breach
The Student Aid Internet Gateway (SAIG) Agreement requires, as a condition of continued participation in the federal student aid programs, that Title IV schools report suspected or actual data breaches.
Title IV schools must report on the day of detection, even when a data breach is only suspected.
The Department has the authority to fine institutions that do not comply with the requirement to self-report data breaches: up to $54,789 per violation, per 34 C.F.R. § 36.2.
Source: Post-Secondary Institution Data-Security Overview and Requirements – Tina K.O. Rodrigue, FSA 2017
What does this mean for institutions?
There are two ways to answer this question:
- Gold standard: treating data as Controlled Unclassified Information (CUI).
- Audit standard: the minimum requirements to avoid an audit finding.
The standard for Controlled Unclassified Information (CUI) is detailed in NIST SP
NIST (the National Institute of Standards and Technology) provides very detailed information on what constitutes an effective information security program.
What does this mean for institutions? - NIST
NIST requirements fall into five categories.
Identify
- Risk assessment: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
- Governance: The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
What does this mean for institutions? - NIST
Protect
- Data security: Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.
- Protective technology: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
What does this mean for institutions? - NIST
Detect
- Anomalies and events: Anomalous activity is detected in a timely manner and the potential impact of events is understood.
- Detection process: Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
What does this mean for institutions? - NIST
Respond
- Communications: Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
- Mitigation: Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
What does this mean for institutions? - NIST
Recover
- Recovery planning: Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.
- Communication: Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.
What does this mean for institutions? - Audit
The FY18 audit standard is significantly less strict than NIST SP
It has two requirements:
- Have a designated information security officer (ISO);
- Have completed a risk assessment and designed appropriate internal controls to mitigate the identified risks.
What does this mean for institutions? - Audit
What areas must be covered in the risk assessment?
"…protect student financial aid information, with particular attention to information provided to institutions by the Department of Education…otherwise obtained in support of the administration of the Title IV Federal student financial aid programs authorized under Title IV of the Higher Education Act, as amended (the HEA)" [DCL GEN16-2]
At a minimum, information in:
- Financial aid management system;
- Network location where SAIG files are stored;
- Student system (course registration & grades);
- Admissions (High School Completion and/or GED scores);
- Student Accounts (charges and Title IV payments);
- Network location where documentation for funding draws from G5 is stored;
- 3rd party software that has access to or stores related data.
Recommendations
- Open a dialog with campus leaders to discuss the importance of cybersecurity and ED's requirements, including ED's recommendation for having an information security program compliant with NIST SP in the conversation.
- Ensure your institution has assigned an information security officer (ISO). If not, work with the appropriate executives to ensure someone is assigned.
- Ask for the completed information security risk assessment with defined controls.
Risk Assessment & Controls
Internal Control: Systematic measures (such as reviews, checks and balances, methods and procedures) instituted by an organization to (1) conduct its business in an orderly and efficient manner, (2) safeguard its assets and resources, (3) deter and detect errors, fraud, and theft, (4) ensure accuracy and completeness of its accounting data, (5) produce reliable and timely financial and management information, and (6) ensure adherence to its policies and plans.
There are numerous templates available for documenting risks and controls. Let's review one I frequently use.
Questions?
Contact Information
John Knost (714) me for a copy of the risk assessment template
Join us May 20 - 24, 2019 for FASFAA 2019 at the Hyatt Regency Coconut Point Resort & Spa