With new information security regulations emerging almost every year, universities face an ever-growing range of compliance requirements. For each new regulation, institutions often form a project team to implement the new security procedures.
A university chief information security officer (CISO) needs to integrate overlapping regulations into their information security governance framework. If they don’t do this, competing project priorities can negatively impact compliance program effectiveness across the entire campus.
This article is the third in a four-part series exploring common information security governance mistakes at higher education institutions and how to avoid them. Other series topics include:
- Creating data security silos
- Treating cybersecurity as a compliance mandate
- Approaching each new security requirement as a separate project
- Framing cybersecurity regulations as an aspirational goal
Avoid approaching each new security requirement as a separate project
Technology staff and researchers often find new cybersecurity mandates daunting. To help them meet new regulatory and contractual obligations to protect data, many higher education institutions create cross-functional project teams to implement the required security processes.
For example, many universities established a project team to safeguard credit card information based on the Payment Card Industry Data Security Standards (PCI-DSS), another to protect healthcare records based on HIPAA and HITECH, and yet another to secure sensitive research data by implementing NIST 800-171.
By creating working groups focused on individual mandates, teams can narrow their attention to the systems and data that fall explicitly under the new directive. Unfortunately, by creating these overlapping compliance projects, universities can inadvertently undermine their overall information security effectiveness.
Overlapping compliance programs increase cost and complexity
Creating separate compliance programs to manage each data security obligation can backfire if management doesn’t integrate the projects into a broader governance process.
Like in a Rube Goldberg Machine, each individual compliance project is relatively simple. However, the resulting mix of programs increases complexity and costs across the institution in a manner that can outweigh the intended risk management benefits.
Increased cost of implementing security
Many regulations have overlapping requirements, which institutions already addressed while implementing previous data security programs.
With separate project teams, it’s common for universities to create new capabilities rather than leverage existing investments. This can drive up the cost of information security exponentially.
Suppose a university creates a project to comply with NIST 800-171 standards for safeguarding research data. The campus already had a patient health information protection program in place to comply with HIPAA and HITECH.
Because of internal politics, the university creates a new group to develop cybersecurity strategies that protect research data rather than expanding the capabilities already in place to protect healthcare data. This increases costs and duplicates compliance effort across the campus.
Increased complexity for risk management and compliance
Besides the additional investment needed for overlapping security tools and support processes, creating parallel compliance projects also means the institution must develop additional risk assessment and audit processes. Instead of adapting existing risk assessments to cover the new data protection rules, the institution must coordinate multiple overlapping compliance efforts.
Each new security program makes it increasingly difficult for the CISO to ensure each department consistently follows risk management procedures. Decentralized programs create information security silos. These silos limit central visibility into compliance status and can even hinder timely incident response if an attack occurs within one area of the campus.
Overlapping security programs make it difficult for the board and senior leadership to understand the overall compliance posture of the university. Information security status reports often devolve into reports about each individual program, making it difficult for campus leadership to manage risk holistically.
Maintain a customized information security controls framework
Higher education institutions should develop a unified information security governance framework that incorporates all their data protection controls needed across the campus. Rather than creating projects to comply with each new mandate, universities can then map new security standards against the framework they’ve already established.
When building their consolidated control list, institutions should start with the most stringent standards they must comply with as the foundation. In the past, they might have started by protecting credit card data using PCI-DSS, since this was one of the first mandates that forced universities to update their security practices. Today, NIST 800-171 provides a good starting point. Higher education institutions must follow these NIST guidelines to support contracts involving sensitive research data and to protect student financial information.
Once an institution establishes its custom framework, the CISO should assess each new regulation against these core controls. This helps minimize waste and duplicated effort. Rather than creating new project teams for each requirement, the institution should evaluate any gaps between their current data security controls and the proposed standards. By leveraging existing capabilities, the institution can contain costs and improve information security effectiveness.
Leverage tools to streamline mapping your security requirements
Mapping dozens of security standards to a single custom framework can be difficult and time-consuming for any organization. Some institutions form working groups to develop and maintain a unified framework, but there are resources available that can simplify the process.
- The Secure Controls Framework (SCF) is a free security and privacy “metaframework” that is maintained by a group of volunteers. After registering for a free account, users can download a spreadsheet and then customize the controls list based on their own regulatory obligations.
- The Unified Compliance Framework (UCF) offers both free and paid subscriptions. Rather than providing a download that users then customize, the UCF provides an online portal where users collaborate to customize a list of standards that apply to the organization. The UCF tool produces a common control set based on the selected standards. The portal also allows institutions to track compliance status against the consolidated controls list.
By using resources like the SCF or UCF, institutions can easily create and maintain consolidated data security frameworks that support the compliance needs of the entire organization.
Improve information security governance with a single customized information security framework
Universities may spend extra time and money if they build competing security compliance programs. These overlapping programs can also inadvertently increase the risk they were meant to reduce.
To maintain an effective information security governance strategy in higher education institutions, CISOs should start by building a common framework of security controls that address all their statutory and contractual obligations.
Online compliance consolidation tools can help security and compliance teams simplify the process of building a custom controls framework. Universities can use these tools to map new regulations against their custom framework, then identify opportunities to leverage existing capabilities before implementing new capabilities.
In the next article of this series, learn why institutions should avoid framing cybersecurity regulations as an aspirational goal when describing their program objectives.