Higher Ed Cybersecurity – MOVEit Hack episode artwork

EPISODE · Jul 11, 2023 · 32 MIN

Higher Ed Cybersecurity – MOVEit Hack

from Changing Higher Ed · host Dr. Drumm McNaughton

The recent hack of MOVEit has serious implications for higher education. MOVEit, an application used by the National Student Clearinghouse and many other institutions to move large files, directly affects numerous higher ed institutions and solution providers. This, coupled with the Gramm-Leach-Bliley Act going into effect in early June of 2023, has (should have) put cybersecurity at the top of mind for college and university decision-makers.   In his latest podcast episode, Dr. Drumm McNaughton once again speaks with virtual chief information security officer Brian Kelly, who this time returns to Changing Higher Education to discuss the ramifications of MOVEit getting compromised, tools that can help higher ed institutions protect themselves, all nine elements of the GLBA that colleges and universities must be in compliance with to receive financial aid, what GLBA enforcement could look like, and an online hub that states and higher ed can emulate to ensure students enter the cybersecurity field.     Highlights   §  MOVEit, a third-party tool used by the National Student Clearinghouse and others to move large data pieces, was recently compromised, compromising institutional data. This is having a downstream impact on higher ed since many institutions engage with the NSC.   §  In addition to performing triage and internal assessments, higher ed institutions must reach out to all of their vendors and contractors and ask if they use MOVEit and, if they are, what they are doing to protect their data.   §  It is important to have a process in place for vetting third-party risk. EDUCAUSE's HECVAT can help address this and future problems. It's a standard set of questions that institutions can ask third-party vendors about security and privacy. Over 150 colleges and universities use HECVAT version 3.0's questionnaire in their procurement process. Large vendors like Microsoft and Google have completed it.   §  HECVAT makes it easier for vendors since they don't have to answer bespoke questionnaires from numerous institutions that might have their nuances and differences. It also allows the community of CISOs and cybersecurity privacy practitioners in higher ed to have a conversation around a grounded standardized set of questions.   §  The Federal Trade Commission's Safeguards Rule, which changed the standards around safeguarding customer information, went into effect on December 9th, 2021. The Gramm-Leach-Bliley Act that took effect in early June of 2023 required higher education institutions to meet the elements of those rule changes. There are nine elements.   §  The primary rule change is designating a CISO or a qualified individual responsible for protecting customer information or student financial aid data. The second is to perform a risk assessment at least annually by a third party or internally.   §  The third involves access review controls. Institutions must annually vet employees granted access to information and ensure more people haven't been granted access. Institutions must know where all data resides and that all incoming data is identified. Institutions must ensure data is protected and encrypted when it's being stored and in use, ensure the coding or development of any software that interacts with the Department of Education's data follows secure practices, ensure data that institutions should no longer have or that has aged out has been properly disposed of, and ensure change management has been implemented. Institutions must identify who has access to customer information and annually review their logs.   §  The fourth ensures that institutions annually validate that these controls are in place and working as intended. The fifth mandates that the individuals who interact with the Department of Education and use customer information are appropriately trained and aware of the risks involved. The sixth ensures institutions have a program and process to address and test for third-party risks. Seventh mandates having a prescriptive plan for responding to incidents, regularly testing and validating the plan to see if it's working, and identifying the lessons learned. The ninth mandates that the CISO annually reports to the board or president.      Read the podcast transcript →   About Our Podcast Guest   Brian Kelly supports the safeguarding of information assets across multiple verticals against unauthorized use, disclosure, modification, damage, or loss by developing, implementing, and maintaining methods to provide a secure and stable environment for clients' data and related systems.   Before joining Compass, Brian was the CISO at Quinnipiac University and, most recently the Cybersecurity Program Director at EDUCAUSE. Brian is also an Adjunct Professor at Naugatuck Valley Community College, where he has developed and teaches cybersecurity courses.   Brian has diverse experience in information security policy development, awareness training, and regulatory compliance. He provides thought leadership on information security issues across industries and is a recognized leader in his field.   Brian holds a bachelor's degree from the University of Connecticut and a master's degree from Norwich University. He has served in various leadership roles on the local boards of the ISSA, InfraGard, and HTCIA chapters. Brian is also a retired Air Force Cyber Operations Officer.   About the Host   Dr. Drumm McNaughton, the host of Changing Higher Ed®, is a consultant to higher ed institutions in governance, accreditation, strategy and change, and mergers. To learn more about his services and other thought leadership pieces, visit his firm's website, https://changinghighered.com/.   The Change Leader's Social Media Links   LinkedIn: https://www.linkedin.com/in/drdrumm/ Twitter: @thechangeldr Email: [email protected]   #HigherEducation #HigherEdCybersecurity #MOVEitHack  

Episode metadata supplied by the publisher feed · Published Jul 11, 2023

NOW PLAYING

Higher Ed Cybersecurity – MOVEit Hack

0:00 32:30

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

Solving for Change MOBIA Technology Innovations Solving for Change welcomes business and technology leaders to share stories of bold business transformation within complex organizations. In an era when technology and markets are changing around businesses, the key to staying competitive is to evolve in response to those changes.  MOBIA’s Mike Reeves and Marc LeBlanc investigate business transformation, deconstructing the challenges, ambitions, and market disruptions that drive companies to embark on transformation journeys, and exploring their unique approaches to achieving meaningful outcomes.  What sparks leaders to pursue business transformation? How do they overcome the challenges along the way? What are the keys to creating enduring change?  Through in-depth conversations with business and technology leaders, Mike and Marc answer these questions and explore how businesses evolve by pulling four key transformation levers: people, process, technology, and culture. The Lee Olsen Show Lee Olsen CJF I want to help you improve all areas of your life by 3 types of podcasts!👉Blood, Sweat & Blessings-Interviews of normal people that have achieved BIG things!👉Series!!! For Love of the Horse- Brad Jackman DVM & Lee Olsen CJF, how to help your horse!👉Business Tips- Proven Life Changing Business Strategies with Lee Olsen CISO Perspectives (public) N2K Networks This season on CISO Perspectives, host Kim Jones explores some of the challenges of leading through uncertainty. We explore the complexity of the changing nature of regulation and working with the federal government, the evolution of privacy and fraud, and how emerging technologies like AI and quantum computing are changing cyber. When you don’t know what questions to ask, you’re afraid to ask, or don’t know who to ask, CISO Perspectives provides the foundation for learning in this brave new world. La Finanza in Soldoni Massimo Famularo - Hypercast Podcast e newsletter indipendente di informazione ed educazione finanziaria.Nessuno mi paga per vendervi niente e voi non mi pagate per dirvi in cosa investire. Newsletter http://lafinanzainsoldoni.substack.com/Youtubehttps://www.youtube.com/c/MassimoFamularoBloghttps://massimofamularo.com/X(ex-Twitter)https://x.com/MassimoFamularo---Questo podcast fa parte di Hypercast Network — 📧 Per proposte commerciali scrivi a: [email protected]

Frequently Asked Questions

How long is this episode of Changing Higher Ed?

This episode is 32 minutes long.

When was this Changing Higher Ed episode published?

This episode was published on July 11, 2023.

What is this episode about?

The recent hack of MOVEit has serious implications for higher education. MOVEit, an application used by the National Student Clearinghouse and many other institutions to move large files, directly affects numerous higher ed institutions and solution...

Can I download this Changing Higher Ed episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!