On February 28, 2020, the U.S. Department of Education’s Office of Federal Student Aid published new guidance on how auditors should evaluate data security compliance at colleges and universities. This article is the second in a series of five on how to avoid an adverse audit finding regarding data security. The first installment can be found here. This installment focuses on training and managing employees, which–as a quick reminder from our initial installment–is one of the three critical areas that institutions must focus on pursuant to the Gramm-Leach-Bliley Act (GLBA) and related regulations.

Why The Focus On Employees For Data Security?

When many of us think of “data security,” there is a tendency to dismiss the subject as “an IT issue.” But there is good reason to focus on employee behavior throughout an organization. According to Gartner’s 2020 Audit Plan Hot Spots Report: Risk Areas To Watch, “careless employee security behavior” continues to be a “hot spot” for risk, increasing cybersecurity vulnerabilities. Common email phishing scams, which target ordinary email users, remain one of the most common methods of cybersecurity attack according to the 2020 IBM Security X-Force Threat Intelligence Index. (For those whose training needs some brushing up, “phishing” refers to the use of an innocent-looking email to trick the recipient into clicking on a deceptive link and giving hackers access to their information or a network. “Spear-phishing” refers to targeting a particular individual for the same purpose.)

This is a threat that could readily be eliminated, or at least significantly reduced, with appropriate employee training and management on how to avoid falling prey to a phishing scam. And, according to the IBM Report, higher education remains one of the top 10 industries targeted in cybersecurity attacks given its rich troves of intellectual property and personally identifiable information. Thus, this is not an area colleges and universities can afford to ignore.

What Are The Suggested Employee Training Requirements?

In its July 1, 2016 Dear Colleague letter, ED encouraged institutions to follow the National Institute of Standards and Technology (NIST) Special Publication 800-171 recommended security requirements. In turn, SP 800-171 advises institutions to focus on three main principles regarding awareness and training:

  1. ensure that managers, system administrators and users know the risks associated with their activities and are familiar with applicable policies, standards and procedures;
  2. ensure that personnel are trained to carry out assigned information security-related duties; and
  3. provide security awareness training on recognizing and reporting potential indicators of internal security threats.

While these points may seem obvious, it bears noting that the successful cyberattack on the Democratic National Committee’s servers during the 2016 election was the result of a common phishing scam, reports The New York Times. More concerning is that the FBI repeatedly alerted the DNC about the cyberattack but the person fielding the calls did not take the calls seriously. Consider: if your campus received a call from the FBI, how would it be routed? Would the person on the receiving end know how to respond? Or, perhaps more commonly, if an employee contacted your help desk about a suspicious-looking link they accidentally clicked on, would the help desk know how to respond? Does your campus have training, policies or procedures in place addressing either situation?

As one can imagine, the level of training and awareness required to meaningfully reduce an institution’s risk will not be achieved on a “one and done” basis. SP 800-171 recommends using a variety of training opportunities beyond formal sessions, including: offering supplies inscribed with security reminders; generating email advisories; displaying logon screen messages; displaying security awareness posters; and conducting information security awareness events. The real estate on the back of an employee’s security badge is a prime spot for important security reminders as (ideally) it’s something employees carry constantly and see regularly on other employees.

How Can Institutions Assess Additional Risks?

The GLBA regulations require–and auditors will be looking for–evidence not just of actual training, but of a documented, comprehensive risk assessment along with development of safeguards for each risk identified. A gold standard risk assessment would include conducting a campus-wide survey for security gaps and issues. But a good starting point is to review industry reports like the Gartner Report to identify common issues plaguing others. For instance, there is a universal trait of higher education institutions identified in the Gartner Report that underlies several discrete “hot spots” for auditors to focus on in 2020: their organizational complexity.

Organizational complexity can mean many things, including strategic workforce planning and the use of part-time, contract, or remote workers. At no time has this been felt more keenly than now, during the Covid-19 pandemic when nearly all employees are being asked to work from home. While common, the Gartner Report highlights employee behavior leading to cybersecurity vulnerability as one of 12 identified “hot spots” on which auditors should focus. An institution’s IT department can go a long way to thwarting careless employee behavior, such as disabling ports on an institution-issued device that would otherwise allow an employee to download sensitive information from a secure online system to an unsecured thumb drive. But query whether that solution is sufficient for an institution that permits employees–or indeed expects contractors–to log onto systems using their own personal devices?

Organizational complexity can also include the increasing use of third parties to conduct essential institutional functions through cloud-based software solutions and otherwise. These third parties are gaining increasing access to sensitive information, yet institutions remain responsible for the security of such information. Query whether your institution has retained the contractual right to audit security measures of third parties and to require third parties to promptly report data breaches so that the institution can meet its obligation to report such breaches to the Department.

A careful review of the Gartner Report and others like it will go a long way towards helping your institution identify common risks and brainstorm solutions for remediating them.


Stay tuned for Parts 3 to 5 of this article series, which will address three other areas for institutional focus to ensure a clean audit.

Rathje Woodward’s online contact form may be found here.