Mission: Not Impossible –Why a Security Program Is Important to Your College and Students

Photo by Taskin Ashiq / Unsplash

Your mission, should you chose to accept it (wait one second…you do not have a choice) pertains to security.
Why are Information Technology (IT) security policies, controls and procedures important to your college and students?

Your Mission: Security

You are obligated to protect the PII (Personal Identifiable Information) data under the Student Aid Internet Gateway Agreement (SAIG) Enrollment Agreement.
You are obligated to protect the PII data under Title V of Gramm-Leach-Bliley Act (GLBA).
You are obligated to protect the PII data under HEA/FERPA and Contractual Agreements (you remain liable for any action by your third party servicer).

Your Team: The Staff

Security is NOT an Information Technology (IT) Department problem. Attacks are being aimed at colleges and universities. Without training anyone in the college may unknowingly help a hacker bypass the security controls that your IT department has put in place.

**Your Opponent: Hackers **

Some Key Factors to Keep in Mind

  1. Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
  2. 91% of hacks start with a Phishing email.
  3. Ransomware attacks are on the rise.
  4. The most effective protection you have is an educated and an AWARE user population.
  5. Training is no longer enough, you should be testing the effectiveness of that training.

Your Plan: Training

According to Knowbe4 (a provider of testing/evaluation services), most companies that request their services will initially have approximately 27% of the staff that will click on a phishing email. However, after Knowbe4 has worked with those companies for a year or so these companies see a marked improvement with their regularly tested staff. The percentage of staff that will click on a fake phishing email or links has dropped to 2.17% after the first year of testing.

If you are not evaluating your security training program, then……

  • You don’t know if your employees are taking it seriously.
  • You don’t know your areas of weakness or the areas that require reinforcement.
  • You can’t identify trends or staff who may need counseling or remedial training.

If a breach occurs or you suspect a breach has occurred related to FSA applicants PII, the college must immediately notify FSA at mailto:CPSSAIG@ed.gov

So much to know, so little time - stay tuned for more security tips to come in future articles…

Your Sources
Knowbe4.com Security Awareness Trainer; DCL ID GEN-15-18; National Institute of Standards and Technology (NIST) Special Publications; Department of Homeland Security Handbook for Safeguarding Sensitive Personally Identifiable Information.

Special Thanks to Parham Bridges, Executive Director of Infrastructure and Support – Global Financial Aid Services, for maintaining, protecting, testing, monitoring and training our staff in the critical nature of protecting PII.