Higher Ed Cybersecurity MOVEit Hack

Published: July 11, 2023, 7 p.m.

The recent hack of MOVEit has serious implications for higher education. MOVEit, a file-transfer application used by the National Student Clearinghouse and many other institutions to move large files, directly affects numerous higher ed institutions and solution providers. This, coupled with the Gramm-Leach-Bliley Act going into effect in early June of 2023, has put (or should have put) cybersecurity at the top of mind for college and university decision-makers.


In his latest podcast episode, Dr. Drumm McNaughton once again speaks with virtual chief information security officer Brian Kelly, who this time returns to Changing Higher Education to discuss the ramifications of MOVEit getting compromised, tools that can help higher ed institutions protect themselves, all nine elements of the GLBA that colleges and universities must be in compliance with to receive financial aid, what GLBA enforcement could look like, and an online hub that states and higher ed can emulate to ensure students enter the cybersecurity field.


Highlights


- MOVEit, a third-party tool used by the National Student Clearinghouse and others to move large data sets, was recently compromised, exposing institutional data. This is having a downstream impact on higher ed since many institutions engage with the NSC.


- In addition to performing triage and internal assessments, higher ed institutions must reach out to all of their vendors and contractors and ask whether they use MOVEit and, if they do, what they are doing to protect the institution's data.


- It is important to have a process in place for vetting third-party risk. EDUCAUSE's HECVAT can help address this and future problems. It's a standard set of questions that institutions can ask third-party vendors about security and privacy. Over 150 colleges and universities use HECVAT version 3.0's questionnaire in their procurement process. Large vendors like Microsoft and Google have completed it.


- HECVAT makes it easier for vendors since they don't have to answer bespoke questionnaires from numerous institutions, each with its own nuances and differences. It also allows the community of CISOs and cybersecurity and privacy practitioners in higher ed to have a conversation around a grounded, standardized set of questions.


- The Federal Trade Commission's Safeguards Rule, which changed the standards around safeguarding customer information, went into effect on December 9th, 2021. The Gramm-Leach-Bliley Act that took effect in early June of 2023 required higher education institutions to meet the elements of those rule changes. There are nine elements.


- The primary rule change is designating a CISO or a qualified individual responsible for protecting customer information or student financial aid data. The second is to perform a risk assessment at least annually, either by a third party or internally.


- The third involves access review controls. Institutions must annually vet the employees who have been granted access to information and confirm that no additional people have been given access. Institutions must know where all data resides and ensure that all incoming data is identified. They must ensure data is protected and encrypted while it is being stored and in use; ensure that any software that interacts with the Department of Education's data is developed following secure coding practices; ensure data the institution should no longer hold, or that has aged out, has been properly disposed of; and ensure change management has been implemented. Institutions must identify who has access to customer information and review their logs annually.


- The fourth ensures that institutions annually validate that these controls are in place and working as intended. The fifth mandates that the individuals who interact with the Department of Education and use customer information are appropriately trained and aware of the risks involved. The sixth ensures institutions have a program and process to address and test for third-party risk. The seventh mandates having a prescriptive plan for responding to incidents, regularly testing and validating the plan to see whether it is working, and identifying the lessons learned. The ninth mandates that the CISO report annually to the board or president.


Read the podcast transcript →


About Our Podcast Guest


Brian Kelly supports the safeguarding of information assets across multiple verticals against unauthorized use, disclosure, modification, damage, or loss by developing, implementing, and maintaining methods to provide a secure and stable environment for clients' data and related systems.


Before joining Compass, Brian was the CISO at Quinnipiac University and, most recently, the Cybersecurity Program Director at EDUCAUSE. Brian is also an Adjunct Professor at Naugatuck Valley Community College, where he has developed and teaches cybersecurity courses.


Brian has diverse experience in information security policy development, awareness training, and regulatory compliance. He provides thought leadership on information security issues across industries and is a recognized leader in his field.


Brian holds a bachelor's degree from the University of Connecticut and a master's degree from Norwich University. He has served in various leadership roles on the local boards of the ISSA, InfraGard, and HTCIA chapters. Brian is also a retired Air Force Cyber Operations Officer.


About the Host


Dr. Drumm McNaughton, the host of Changing Higher Ed®, is a consultant to higher ed institutions in governance, accreditation, strategy and change, and mergers. To learn more about his services and other thought leadership pieces, visit his firm's website, https://changinghighered.com/.


#HigherEducation #HigherEdCybersecurity #MOVEitHack
