Think about compliance - whether in your organization or beyond, and the litanyof regulations from PCI to GLB to CA SB1386 and more come to mind. Are these initiatives helping your organizationstay out of the headlines? You could be a retailer or a healthcare provider butwhat if your organization was four ormore regulated organizations in one? Would you be more “secure?”
If you're not a member of a compliance team inhigher education, you probably don't think of universities and colleges. Withstudents and faculty now back to school, IT managers at universities arefaced with complying with multiple regulations that affect industries beyondjust education.
A bank? A health care organization? A retailer? These are all roles thatinstitutions serve, in addition to the primary function of providing education.
- The bank : As many of us know, universities and colleges are involvedin the business of lending and collecting money. While not the bankitself, universities facilitate loans and disperse funds. Among compliancerequirements, this means universities fall under the Gramm-Leach-Bliley Act (GLBA) and must protect the privacy ofcustomers (students
- The health care provider : Almost all higher educationinstitutions with students living on campus have a health center and are facedwith protecting patient data under HIPAA.
- The retailer : Not only can you buy your books with a creditcard, but you can also pay your tuition. This all means that as every othermerchant that accepts credit cards, universities and colleges must meet therequirement of the Payment Card Industry (PCI) Data Security Standard (DSS).
- The educationalinstitution :Last but certainly not least, institutions provide educational services. And inthe end, this means students receive grades. The Family Educational Rights and Privacy Act (FERPA) controls who can access student grades. If grades are beingdistributed or stored electronically, they must be secured.
Beyond these federal compliance requirements, universitiesand colleges must comply with state data breach notification such as CaliforniaSB 1386. In over 30 states, if a lost laptop, flash drive or tape haspersonally identifiable information stored unencrypted, the impactedindividuals will need to be notified. And this means unhappy parents, alums,and boards of directors.
While an interesting case study in compliance, these examples help illustratean important point. While most institutions are compliant with GLB, PCI,HIPAA, FERPA and other regulations, the number of institutionsinvolved in data breaches does not seem to be on the decline. It's this pointthat makes higher education a lesson for all organizations.
Compliance sets a bar that's important for auditors and government, but when itcomes to really protecting our businesses, agencies, and institutions, a higherbar for defending data must be set. Many organizations, including universitiesand colleges, are starting to protect data wherever it goes, utilizing astrategy called enterprise data protection.
This unique strategy offers a new evolutionary layer of technologiesthat manages data, controls data access, detects data at risk, and protectsdata. With it, security is built in, starting with data creation and followingdata as it is modified, transferred, stored, and archived. At the core of thisapproach is the protection of data using encryption, everywhere it goes.Encryption serves to provide the encompassing protection layer that obscuresdata from unauthorized access. If encrypted data is somehow lost or stolen, itremains useless.
By defining a strategy for Enterprise Data Protection,protecting, identifying, controlling access, and managing data, theseorganizations are ready to meet the bumps along the way related to complianceand keep their organizations out of the headlines.
- Kevin Bocek is a Sr. Manager of Product Marketing forPGP Corporation.
