When a technology-related security incident occurs, everyone clamors for the IT department to find the breach and fill the gaps. That’s what we’re paid to do, after all: put up the best defense to keep attackers out. But every time IT fills a new gap or builds a bigger, better, and probably more expensive wall, someone else is assembling a bigger ladder or waiting for the wall to crumble. Perhaps a different strategy is warranted.
To decide on the best course of action, we need to ask a few basic questions: What data do I have that is valuable, and why is it valuable? Institutions will have varying answers to these questions, but when considering transcript processing, it comes down to three data elements: payment, transcript, and delivery. Payment data is the most valuable of the three. It is so important that Credentials is fully compliant with the Payment Card Industry Data Security Standard (PCI DSS) and is voluntarily audited by an external party for that compliance annually. At the opposite end of the spectrum, you have delivery or directory information. While not saved by Credentials, other providers do collect and use this information for other purposes. Then we have transcript data. Sure, the B+ received in freshman-year English Comp. is not intrinsically valuable. However, the transcript’s value is based on its representation of an individual, and if the data is compromised, it could be used on its own or as part of a portfolio of information to impersonate that individual.
Historically, Higher Ed has been a soft target: since there isn’t money to steal as there is at a bank, security has been more lax. But we do hold information that could be used to impersonate an individual or group of individuals and, through them, retrieve money from a high-risk target more easily. Here at Credentials we hold ourselves to the highest standards and will never be an easy target.
So how do we keep this data secure and make sure it doesn’t fall into the wrong hands? It’s not just IT’s responsibility; everyone in an organization or institution should take responsibility for data security. As a Registrar or Admissions staff member, you may not know the latest in security compliance standards, encryption algorithms, firewalls, or intrusion detection systems, but you can ask questions about how your data is used and control how you personally use it. For example, have you ever emailed an unencrypted transcript containing an unredacted Social Security number or other personal information outside your organization? Taking a few minutes to erase that part of the image or black it out before scanning makes that data much harder to steal. Receive a strange email and don’t recognize the sender? It would be best not to open attachments, links, or the email itself on a computer that can access sensitive student information. Push your IT staff to keep systems and services up to date and at the highest levels of configurable security. They know where the problems are and can always use support in getting the resources to plug security holes. How are your vendors keeping data secure? Scrutinize their practices, processes, and procedures. If you don’t already have a procedure for vetting vendors, create one. If they’re not following the same high standards, then they’re vulnerable, and therefore so are you.
It’s time to change the culture of security. Every bit of input from everyone involved helps keep sensitive data more secure. A big wall put up by IT and lots of smaller walls put up by everyone else make all the difference. Evaluate your data, purge what you can, secure what you can’t, and continuously improve. Think about how you use data and the role you have in ensuring its security.