DIY Information Security Program: It Takes the Full Village to Effectively Steward Our Data

Not able to create a dedicated Chief Information Security Officer or cybersecurity team in your environment? Or are you uncertain about whether such an investment would yield the desired programmatic risk-mitigation results? It didn’t make sense in our context to prioritize creation of a CISO or new dedicated information security roles. We have taken an alternative path at Bryn Mawr College to prioritizing information security at the institutional level and to designing and developing a holistic campus program with a strong sense of shared ownership across constituent groups.

This do-it-yourself (DIY) guide explains how you can put the key elements of a robust program in place with or without a dedicated security officer or team, leveraging all relevant existing members of your IT organization and the full “village” of your institution.  

Bryn Mawr College, like every organization with systems and data connected to the internet, is vulnerable to data breaches. The college has a robust information security program to mitigate against the risks of continuous breach attempts and of accidental data exposure. We articulate that program as a set of elements that represent our required due diligence, areas of excellence in our current practice, and additional measures the institution intends to implement as the standards for information security are evolving.

The first tool in the DIY guide is to learn what standards are currently relevant to your institution. We do this in two ways. We look at formal standards and have adopted the NIST framework as our primary reference point, while also studying UK guidelines and other security and privacy laws and developments in the EU as part of informing ourselves about the national and international terrain. We connect informally with colleagues who have established strong models, both in terms of holistic information security programs, and when we’re seeking templates, we can adapt for particular components of our own program.

The second tool is the concept that risk mitigation in the cybersecurity realm requires “the whole village.” It’s relatively simple to mitigate against attacks on our networks and our systems. It’s a more significant quest to reduce the risk brought by every individual with credentials and access to data in our systems, and, of course, the people are the most frequent vector for breaches. Cyber criminals focus efforts on leveraging computing resources to find vulnerabilities in firewalls and databases, but the easiest target for bad actors is the social engineering that causes well-meaning citizens of our communities to give away their credentials and the keys to our data kingdoms.

For this reason, we focused early at Bryn Mawr on education for all, accountability for all, and working together to learn the terrain and to enact best practices. We invested significantly in information security education as a regular program for all members of the community, as well as more focused training for those who steward particular kinds of data. We also invested in education to enhance awareness and practice across campus, such as PCI compliance for those involved with e-commerce, FERPA and HIPAA training, financial aid requirements, and GDPR awareness and protocols. We also created a College Data Handling Policy to articulate expectations for the responsibilities that we all hold for educating ourselves and stewarding institutional data across classifications with appropriate care.

In 2014, I convened a group of representatives from across academic and administrative areas of the institution to form our Information Stewardship Council (ISC), a group that is always co-chaired by a colleague from another area of the institution to signify that information stewardship is not just an IT issue; it’s an issue for all of us, campus-wide. This ISC is endorsed by our institution’s president because information security is an institutional priority. Senior leaders from across the institution are ex officio members of the ISC, and they identify ISC representatives from their divisions who have key roles in data stewardship. We pointedly charged this group to focus on information stewardship broadly for the institution—not only information privacy and security, but also stewardship of our critically important digital assets, which range from unique special collections and archives assets to research data produced at the institution. We think holistically about how to manage, protect, and ensure appropriate availability of this full set of institutional assets for which we’re collectively responsible.

The local institutional village doesn’t stand alone. For our technical teams, we connected with REN-ISAC to ensure early awareness of new threats and developments in this space. We learn from what others are doing via EDUCAUSE and share best practices in smaller higher education IT networks. We talk regularly with trusted peers to share experiences and to figure out appropriate models for implementing particular policies, technological measures, and processes.

Below are key components of our information security program that we continuously review and update as part of due diligence.

1. Cyber Liability Insurance and Financial Plan for potential data breaches: This insurance assists in the case of costs associated with breach investigation, notification and remediation for potentially impacted individuals, regulatory investigation, litigation by breached individuals, litigation by shareholders, business interruption caused by the breach, and the cost of recovering corrupted data and/or responding to cyber extortion. Cyber liability insurance will not necessarily cover all expenses associated with a breach, and the institution will pay a deductible in any event, so it is also important for your institution to have a holistic financial plan for such contingencies.
2. Contract services to augment in-house information security expertise: Be prepared to engage experts to assist with building particular facets of your program. At Bryn Mawr, for instance, we brought in PCI compliance experts with a focus on higher education in order to accelerate our learning about requirements in this arena and to assist us with developing an appropriate plan of action.
3. Data map and regular data weeding practices across the organization: It is important to establish a data inventory and to update it regularly so that those with key responsibilities for risk mitigation at the institution (CIO, Data Privacy Officer, General Counsel, Chief Financial Officer/Chief Administrative Officer) have a clear picture of the types of data we’re stewarding, where and how we’re doing that, and what protective measures we have in place for data in the active or archived part of its lifecycle. At Bryn Mawr, we instituted regular File Clean-up Days in 2017 as part of ongoing weeding of data beyond its useful lifecycle so that we reduce the terrain of risk at the institution. We hold three File Action Days annually, conducted by an Information Stewardship Council working group. These sometimes have themes, such as “email reduction” or “paper shredding,” but the guidance always allows community members to choose among the array of data stores that would be meaningful for them to review and cull.
4. “Table stakes” documents: It’s important to have a few key documents in place institutionally as part of due diligence. Some of these documents can be maintained internally, shared with all who steward data at the institution, and produced for external reviewers as needed.
   1. Privacy Policy
   2. Data Handling Policy and any subsidiary policies relevant to the types of data your institution handles, such as a PCI/credit card policy or GDPR policy
   3. Incident Response Plan
   4. Written Information Security Plan: This might follow a template specific to your state, but it generally includes all of the components your institution has in place for ensuring information security and for handling any potential breaches.
5. Incident Response Team and associated protocol: In our case, the core response team includes myself as chief information officer, our chief financial officer, who is also the main institutional risk officer, and our college counsel. We bring into the team any other relevant members of senior staff when appropriate, and experts from the IT organization are activated to manage facets of the analysis and response as appropriate. The protocol involves immediately shutting down any known vulnerabilities, notifying the insurance agent, and, through them, connecting with cybersecurity legal expertise, and, typically through the legal firm, connecting with cybersecurity forensics expertise. The protocol also includes institution-specific guidance for stakeholders associated with the institution who need to be kept informed (e.g., president, board chair, chair of the audit committee, chief communications officer) and guidance for remediation once the analysis is complete.
6. Project portfolio review by senior institutional leadership and board as part of enterprise risk management: As part of IT governance, ensuring that senior staff and relevant board committees are kept abreast of the investments we’re making to continuously mitigate against risks and improve our information stewardship profile.
7. Project charter template and checklist that includes information security plans for all new services and platforms that are implemented: For particular projects, we ensure that we address security requirements at all relevant junctures.
8. Vendor contract terms, developing and integrating into the contract review process standard language to address institutional standards and requirements: Our IT organization has a manager of procurement who reviews all campus contracts that involve data and/or technology as a regular part of the contract review workflow led by our counsel’s office.
9. Information Stewardship Council: It has been immeasurably valuable to have a campus body that brings together ambassadors representing all areas of the college. Regular meetings ensure broad input into policies and practices and broad adoption of information security enhancements.
10. Information Security Education Program: This is an annual program required for all community members via our data handling policy that includes written and video guidance and is part of the necessary periodic training for employees and students concerning information security risks and responsibilities.
11. Annual training for senior staff and board on cybersecurity and breach response: I provide regular updates for senior staff on any relevant new developments, and senior staff participate in the ISC. In partnership with our president, the secretary of the college, and the board chair, we have arranged for regular updates to the Audit Committee of the Board of Trustees on our college information security program, and we provide brief updates and education for the overall Board on how to respond if approached about a potential breach at the institution.

As I continue to read about developments in the field and to learn about models that colleagues have built at other institutions, I continue to reflect on the relative merits of dedicated security resources as compared to the integrated “village-wide” model we have adopted thus far. Through engaging the full community from the start, we’ve developed a shared mindset among constituents that we each have responsibility and that we collectively learn the terrain and enhance our policies and practices in an ongoing way as a community. I’m not sure a CISO introduced into our institutional culture could have moved the community to this place of shared investment and responsibility. I hope this model resonates for other smaller institutions or for institutions of any size that are grappling with questions about how best to invest in this critical area.