As an educational agency operating in New York State, you are aware of Education Law §2-d, first enacted in 2014. You may not be aware that its implementing regulations (8 NYCRR Part 121), adopted by the Board of Regents in January 2020, strengthened the data security and privacy protections for the personally identifiable information (PII) of students and staff. If you have not read the new requirements carefully, you may have missed a crucial element, Section 121.5(a) and (b), which states:
As required by Education Law §2-d (5), the Department adopts the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (NIST Cybersecurity Framework or NIST CSF) as the standard for data security and privacy for educational agencies.
No later than July 1, 2020, each educational agency shall adopt and publish a data security and privacy policy that implements the requirements of this Part and aligns with the NIST CSF.
With those two sentences, New York State made the NIST CSF the benchmark for data security and privacy in every educational agency: in version 1.1 that means 108 outcome statements (subcategories) grouped into 23 categories under five Functions, on top of the existing Education Law §2-d requirements.
According to the updated requirements, educational institutions must comply with the following no later than July 1, 2020.
It’s easy to gloss over the last item in the list, but institutions need to look carefully at the NIST requirements.
The National Institute of Standards and Technology (NIST) published the Cybersecurity Framework as a voluntary, risk-based framework, originally aimed at critical infrastructure operators. It has since been adopted in whole or in part by many federal agencies, and it is widely used in sectors that have no cybersecurity standard of their own. Institutions of higher learning that accept federal research funding often face related NIST-based requirements as a condition of their awards (for example, NIST SP 800-171 where controlled unclassified information is involved).
The framework organizes cybersecurity into five Functions: Identify, Protect, Detect, Respond, and Recover.
Each Function is divided into categories and subcategories, and each subcategory describes a specific outcome rather than a prescriptive control; the CSF maps those outcomes to controls in standards such as NIST SP 800-53 and ISO/IEC 27001. The framework also defines four Implementation Tiers, from Tier 1 (Partial) to Tier 4 (Adaptive), that describe how rigorously an organization manages cybersecurity risk. NIST is explicit that the Tiers are not maturity levels and that a higher Tier is not required of anyone. Finally, a Profile records which outcomes an organization prioritizes and how far it currently is from achieving them.
Aligning with the NIST CSF means addressing more than 100 individual outcomes across the following categories:
Building a security program that addresses each of these categories is not a simple task, and it is not one that can be done quickly or without expert support. Note that Part 121 requires alignment with the CSF, not attainment of a particular Implementation Tier; operating at Tier 4 (Adaptive) is a goal for a mature program, not the compliance threshold.
According to a 2020 report on data breaches, 80% of malware incidents at higher education institutions involved ransomware. Web-based malware delivery was a primary vector, driven by the volume of unmonitored email and internet activity from students, faculty, and staff on their own devices. Almost 25% of educational organizations lack an incident-reporting process, and 50% cannot produce enough evidence to pursue an incident legally. As more institutions adopt remote or distance learning, the attack surface grows: every endpoint becomes a possible entry point for an attacker.
According to an IBM report, lost business, much of it reputational, is the largest component of the financial impact of a breach. Institutions can lose the public's trust. Students may choose not to attend. Higher-education institutions may have difficulty attracting researchers or research grants. These effects can persist two to three years after the attack. Over time, financial penalties or fines may also be assessed against organizations that remain out of compliance.
Implementing the NIST Cybersecurity Framework can seem overwhelming, especially when IT resources are limited. Even the baseline work of identifying PII, determining where it is stored, and establishing who has access can take weeks, possibly months. Beyond that, most programs need multi-factor authentication backed by a centralized identity provider and a repeatable process for auditing security controls.
Working with a managed IT provider with cybersecurity expertise can shorten the path to NIST CSF alignment. At WPG Consulting, we have knowledgeable professionals who help with cybersecurity assessments and implementations. Our team has worked with institutions of higher learning and understands the particular constraints educators face: many create and store sensitive data in systems that lack modern defenses.
Our firm offers tailored cybersecurity solutions for higher education, including security guidance for staff and students, continuous system monitoring, and comprehensive support. As institutions work through the list of NIST CSF outcomes, WPG Consulting is ready to partner with educators to deliver an effective cybersecurity program. Contact us to schedule a consultation.