Registrars and enrollment managers play central roles in an institution’s cybersecurity posture. The choices they make each day directly affect student data security. That's why the session "Where is your student data stored and how is it being secured?" addressed those important questions at AACRAO's 2019 Annual Meeting.
Each of the presenters -- Ed Hudson, Chief Information Security Officer (CISO), California State University (CSU); Mike Reilly, Executive Director, AACRAO; and John Ramsey, CISO, National Student Clearinghouse (NSC) -- shared an incident of a security breach and the response to the breach. They pointed out both the vulnerability and what they learned from the breach. (Read the joint whitepaper, Why Cybersecurity Matters, that formed the foundation of the panel.)
They noted that it is imperative that registrars and enrollment managers are in lockstep with the IT department with respect to the institution’s cybersecurity efforts, to guard against cyberthreats.
Recommendations: Data minimization, risk minimization, and relationships
Each presenter provided recommendations for risk minimization and cybersecurity. Reilly emphasized the importance of an incident plan, a purge plan, and the restriction of administrative access.
Hudson explored sectoral data versus GDPR, particularly in terms of data minimization/purpose limitation. He also emphasized the importance of multi-factor authentication and awareness of multiple delivery methods. He noted that students are the targets of nation-state actors, so we need to consider our responsibility for training and educating students around data security.
Ramsey talked about the relationship with the CISO -- and important questions to ask him or her, including: a) Are we safe? b) Can we stop the bad guys? c) How can I help? Ramsey also indicated it's important to stop the lateral movement of data.
The presenters addressed the question of electronic vs hard copy data, specifically what gets retained as part of the student record.
The role of change management
A final recommendation: attend to change management, which is key for buy-in to good cybersecurity and data protection. Appoint a specific change management group whose job is to explain “this is why we are doing this.” The CISO needs to prioritize convincing users that the change is in their best interest. Users can kill a project faster than anyone, so they must be on board.
Go deeper into discussions about technology and student data at the 2019 AACRAO Technology and Transfer Conference, July 14-16, 2019, in Las Vegas.