Is Your Institution in Compliance with NIST Cybersecurity Framework?

Is Your Institution in Compliance with NIST Cybersecurity Framework?

As an educational institution operating in New York State, you are aware of Edlaw 2-d, which was first enacted in 2014. You may not be aware that an amendment to the law was enacted in 2020 which strengthen the data security and privacy of personal identification information (PII) for student and staff.  If you have not looked at the new requirements carefully, you may have missed a crucial element — Section 121.5 (a) and (b), which states

As required by Education Law §2-d (5), the Department adopts the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (NIST Cybersecurity Framework or NIST CSF) as the standard for data security and privacy for educational agencies.

No later than July 1, 2020, each educational agency shall adopt and publish a data security and privacy policy that implements the requirements of this Part and aligns with the NIST CSF.

With those two statements, New York State added over 100 controls in 14 areas to the list of compliance requirements for data security and privacy in education.

Edlaw 2-d Updated Requirements

According to the updated requirements, educational institutions must comply with the following no later than July 1, 2020.

• Appoint a Data Protection Officer.
• Develop a Data Security and Privacy Policy.
• Conduct security training for employees.
• Publish a Parent’s Bill of Rights.
• Incorporate the Bill of Rights into all contracts with third-party contractors that have access to PII.
• Mandate that third-party contractors submit a Data Security and Privacy Plan for PII protection.
• Meet the requirements of the NIST Cybersecurity Framework for data privacy and security.

It’s easy to gloss over the last item in the list, but institutions need to look carefully at the NIST  requirements.

What is NIST Cybersecurity Framework?

The National Institute of Standards and Technology (NIST) published a cybersecurity framework that has been adopted completely or in part by many branches of the federal government. For institutions of higher learning, the framework is part of the requirement to receive federally-funded research or grants. The standard is designed to address cybersecurity compliance where no explicit standard currently exists.

The framework organizes cybersecurity into five activities:

• Identify.  Develop an institutional-wide understanding regarding cybersecurity risks to systems, people, assets, data, and capabilities.
• Protect. Develop and implement safeguards to ensure the delivery of critical services during a cybersecurity event.
• Detect. Develop and implement actions to identify the occurrence of a cybersecurity event.
• Respond. Develop and implement actions to detect cybersecurity incidents.
• Recover. Develop and implement actions to maintain plans for resilience and to restore any capabilities or services that are impaired due to a cybersecurity incident.

Under each of these activity levels, there are categories and subcategories with specific requirements. There is also a set of tiers that indicate the level of proficiency an organization has achieved.

What Are the NIST Requirements?

Complying with NIST means meeting over 100 individual controls across the following groups:

• Access Control.  Limit the number of authorized users.
• Awareness.   Train employees on security risks.
• Authentication and Identification.  Implement multi-factor identification.
• Accountability.  Create, retain, and audit system logs.
• Change management.   Implement change management processes against a baseline.
• Incident response.   Establish incident response protocols for cybersecurity incidents.
• Maintenance.  Maintain all systems.
• Media disposal.  Define processes for destroying all media containing PII.
• Personnel security.  Screen individuals carefully before granting access to PII.
• Physical security.   Limit physical access to facilities with PII systems.
• Risk assessment.  Assess the risk to PII when processing, storing, and transmitting data.
• Security assessment.  Evaluate security controls and limit vulnerabilities.
• Infrastructure protection.  Design secure infrastructures and software development methods.
• System security.  Monitor infrastructure for flaws and vulnerabilities.

Putting a cybersecurity infrastructure together that addresses each of these categories at Tier 4 is not a simple task. Nor is it a task that can be done quickly and without expert support.

Why Comply?

According to a 2020 report on data breaches, 80% of malware-related incidents at higher education institutions were the result of ransomware. Malware distribution through websites was the primary cause because of the large number of unmonitored emails and internet activity from students, faculty, and staff using their own devices.  Almost 25% of educational facilities lack a reporting process, and 50% cannot supply enough evidence to pursue an incident legally. With more educational institutions incorporating remote or distance learning, the risk of a cyberattack increases. Each endpoint becomes a possible entry point for a hacker.

According to an IBM report, loss of reputation has the largest financial impact on an organization. Institutions can lose the public’s trust. Students may not want to attend. Higher-education facilities may have difficulty attracting researchers or research grants. These difficulties can extend two to three years after the attack. Over time, financial penalties or fines may be assessed for organizations that remain out of compliance.

NIST Cybersecurity Experts In Education

Implementing a NIST Cybersecurity Framework can appear overwhelming, especially if IT resources are limited. Just meeting the minimum of identifying PII, determining where it is stored, and knowing who has access can take days, possibly months, of work.  Then, institutions are faced with implementing multi-factor authentication from a centralized identity entity and developing an auditing process for security controls.

Working with a managed IT provider with cybersecurity expertise can make the path to NIST compliance shorter. At WPG Consulting, we have knowledgeable professionals to help with cybersecurity assessments and implementations. In addition, our team has worked with institutions of higher learning and is aware of the unique requirements that educators face. For many, they create and store data in digital systems that lack state-of-the-art defenses.

Our firm offers tailor-made cybersecurity solutions for higher education. These solutions include guidance for staff and students on cybersecurity measures, continuous system monitoring, and comprehensive support. As institutions struggle to comply with the list of NIST requirements, WPG Consulting is ready to partner with educators to deliver an effective cybersecurity solution. Contact us to schedule a consultation.

Sources: