Data Security at Postsecondary Institutions: The Federal Standards Every Title IV Institution Should Follow to Protect Student Information
The U.S. Department of Education recently met with interested stakeholders to discuss data security protocols issued by the National Institute of Standards and Technology (“NIST”). NIST is tasked with developing consistent security standards and guidelines for processing, storing, and transmitting “Controlled Unclassified Information” (“CUI”) when that information is handled by nonfederal organizations.
Relevant to higher education, postsecondary institutions must comply with NIST standards when receiving and handling student information from the Department of Education as part of administering Title IV federal student financial aid. Recall that colleges and universities—pursuant to their Program Participation Agreement, Student Aid Internet Gateway Enrollment Agreement, and the Gramm-Leach-Bliley Act—must protect this information and ensure that all system users are aware of the requirements to protect and secure data received from federal sources. While the Department has not issued any recent enforcement actions for NIST noncompliance, its meeting with stakeholders perhaps indicates a brighter spotlight on postsecondary institutions’ efforts to protect student information received from federal sources.
Title IV institutions should specifically review and comply with NIST Special Publication 800-171, which sets forth the security requirements for protecting CUI in nonfederal information systems. Those requirements include:
- Limiting information system access to authorized users;
- Limiting information system access to the types of transactions and functions that authorized users are permitted to perform;
- Ensuring that system users are aware of security risks associated with their activities and are properly trained to carry out their assigned duties and responsibilities;
- Creating information system audit records and ensuring that actions by individual system users can be uniquely traced;
- Establishing and maintaining baseline configurations and inventories of information systems;
- Identifying and authenticating users appropriately;
- Establishing incident-handling capability;
- Performing appropriate maintenance on information systems;
- Protecting media containing sensitive information;
- Screening individuals prior to authorizing access;
- Limiting physical access to information systems;
- Assessing security controls periodically and implementing action plans;
- Monitoring, controlling, and protecting organizational communications; and
- Identifying, reporting, and correcting information system flaws in a timely manner.
Postsecondary institutions should work closely with their Information Technology Directors to ensure that the information systems used to administer Title IV federal student financial aid comply with NIST Special Publication 800-171, as well as with the Department’s guidance in its Dear Colleague Letters of July 29, 2015 (GEN-15-18) and July 1, 2016 (GEN-16-12). Should you have any questions or concerns about meeting these federal requirements, please feel free to contact HMBR’s Higher Education Group at 312-946-1800.