Recent news of large scale data breaches present cautionary tales of the risks associated with storing and maintaining sensitive information. What you may not be aware of is that institutions of Higher Education are increasingly being targeted not only because of their rich troves of sensitive information, but also because many of them are inadequately protected.
In an effort to reduce these risks in the Higher Education space, the Department of Education recently announced that meeting data security requirements will be included in the annual A-133 audit beginning in 2018. On the one hand, this is great news as it will lead to an overall increase in data security and bring accountability to those institutions that do not take these responsibilities seriously. On the other hand, many schools may find they are woefully unprepared for these new requirements and potentially subject to audit findings, financial penalties, and perhaps worst of all, damage to their reputations.
So, who is responsible to meet these requirements? The short answer is: Everyone.
While the announcement of these new requirements occurred at the 2017 Federal Student Aid Conference it is important to understand that this is not a Financial Aid specific issue. Many institutions view data security as an Information Technology issue, but that is inaccurate as well. While both Financial Aid and Information Technology departments play critical roles in maintaining data security, the protection of sensitive information is a responsibility that must be practiced and promoted at all levels the institution. A point that was reiterated over and over during the announcement of these new requirements is that ultimately, the responsibility for meeting these standards lies with the President of the institution, and they will be held accountable if the standards fail to be met.
Are you and your institution adequately prepared to meet these new requirements? Based on the reactions of attendees at the Federal Student Aid Conference, many (if not most) are not. Your institution may have excellent cyber-security in place, but it is worthless if users are careless with credentials. Your users may be excellent data stewards, but that’s meaningless if a resource-taxed IT staff is unable to keep up with security updates.
Would you be willing to stake your and your institution’s reputations on how secure your data is today? Are you confident that your current policies will meet the new standards required in the A-133 audit?
If you answered “No” to either of those questions, the good news is there is still time, and Ferrilli can help.