
Higher Ed Cybersecurity – MOVEit Hack

Jul 11, 2023 · 33 min · Ep. 163

Episode description

The recent hack of MOVEit has serious implications for higher education. MOVEit, an application used by the National Student Clearinghouse and many other institutions to move large files, directly affects numerous higher ed institutions and solution providers. This, coupled with the Gramm-Leach-Bliley Act going into effect in early June of 2023, has (should have) put cybersecurity at the top of mind for college and university decision-makers.

 

In his latest podcast episode, Dr. Drumm McNaughton once again speaks with virtual chief information security officer Brian Kelly, who this time returns to Changing Higher Education to discuss the ramifications of MOVEit getting compromised, tools that can help higher ed institutions protect themselves, all nine elements of the GLBA that colleges and universities must be in compliance with to receive financial aid, what GLBA enforcement could look like, and an online hub that states and higher ed can emulate to ensure students enter the cybersecurity field.

 

 

Highlights

 

§  MOVEit, a third-party tool used by the National Student Clearinghouse and others to move large data sets, was recently compromised, exposing institutional data. This is having a downstream impact on higher ed because many institutions exchange data with the NSC.

 

§  In addition to performing triage and internal assessments, higher ed institutions must reach out to all of their vendors and contractors, ask whether they use MOVEit and, if so, what they are doing to protect the institution's data.

 

§  It is important to have a process in place for vetting third-party risk. EDUCAUSE’s HECVAT can help address this and future problems. It’s a standard set of questions that institutions can ask third-party vendors about security and privacy. Over 150 colleges and universities use HECVAT version 3.0’s questionnaire in their procurement process. Large vendors like Microsoft and Google have completed it.

 

§  HECVAT makes it easier for vendors, since they do not have to answer bespoke questionnaires from numerous institutions, each with its own nuances and differences. It also allows the community of CISOs and cybersecurity and privacy practitioners in higher ed to have a conversation around a grounded, standardized set of questions.

 

§  The Federal Trade Commission’s Safeguards Rule, which changed the standards around safeguarding customer information, went into effect on December 9th, 2021. The Gramm-Leach-Bliley Act that took effect in early June of 2023 required higher education institutions to meet the elements of those rule changes. There are nine elements.

 

§  The first element is designating a CISO or another qualified individual who is responsible for protecting customer information, i.e., student financial aid data. The second is performing a risk assessment at least annually, either by a third party or internally.

 

§  The third involves access review controls. Institutions must annually vet the employees granted access to information and ensure access has not been extended to more people than necessary. Institutions must know where all data resides and that all incoming data is identified. Institutions must ensure data is protected and encrypted both at rest and in use, ensure that the coding or development of any software that interacts with the Department of Education's data follows secure practices, ensure that data the institution should no longer hold or that has aged out has been properly disposed of, and ensure that change management has been implemented. Institutions must identify who has access to customer information and review their access logs annually.

 

§  The fourth requires institutions to validate annually that these controls are in place and working as intended. The fifth mandates that the individuals who interact with the Department of Education and use customer information are appropriately trained and aware of the risks involved. The sixth requires institutions to have a program and process to address and test for third-party risk. The seventh mandates having a prescriptive plan for responding to incidents, regularly testing and validating that plan to see whether it works, and capturing the lessons learned. The ninth mandates that the CISO report annually to the board or president.

 

 


 

About Our Podcast Guest

 

Brian Kelly supports the safeguarding of information assets across multiple verticals against unauthorized use, disclosure, modification, damage, or loss by developing, implementing, and maintaining methods to provide a secure and stable environment for clients' data and related systems.

 

Before joining Compass, Brian was the CISO at Quinnipiac University and, most recently, the Cybersecurity Program Director at EDUCAUSE. Brian is also an Adjunct Professor at Naugatuck Valley Community College, where he has developed and teaches cybersecurity courses.

 

Brian has diverse experience in information security policy development, awareness training, and regulatory compliance. He provides thought leadership on information security issues across industries and is a recognized leader in his field.

 

Brian holds a bachelor's degree from the University of Connecticut and a master's degree from Norwich University. He has served in various leadership roles on the local boards of the ISSA, InfraGard, and HTCIA chapters. Brian is also a retired Air Force Cyber Operations Officer.

 

About the Host

 

Dr. Drumm McNaughton, the host of Changing Higher Ed®, is a consultant to higher ed institutions in governance, accreditation, strategy and change, and mergers. To learn more about his services and other thought leadership pieces, visit his firm’s website, https://changinghighered.com/.

 


#HigherEducation #HigherEdCybersecurity #MOVEitHack
