NIST Privacy Framework : Our Essential Data Protection Guide

Close

CASE STUDY

Kent State University Dramatically Improves Incident Resolution Time with Spirion

About Kent State

Kent State University is one of 76 public higher-research universities, as categorized by the Carnegie Foundation for the Advancement of Teaching, and is ranked in the first-tier list of Best National Universities by U.S. News & World Report. With eight campuses, Kent State is one of Ohio’s leading public universities and a major educational, economic and cultural resource far beyond the Northeast Ohio region it has served since 1910.

Challenge

With multiple tools available for data protection, many universities struggle with choosing the best ones for various facets of privacy in our data-driven world. As schools offer more remote classes, and many university staff work from home, the importance of the right tools to protect student, faculty, and staff privacy substantially increases. In addition to finding the best tools for their specific needs, affordability is a high priority, especially with tight budgets.

Bob Eckman, Chief Information Security Officer at Kent State, says that from a higher education perspective, privacy refers to a three-pronged approach: data security, data compliance, and data governance. He says that for a higher education institution to maintain a robust privacy program, the school must implement those three parts in a complex environment that often spans multiple campuses and locations.

To develop a reliable privacy program, institutions must adhere to many stringent privacy regulations related to education. An alphabet soup of laws such as FERPA, GLBA, PII, and HIPAA strictly defines personal information and the process for managing and protecting data.

For this reason, Kent State adopted a data governance approach that applies appropriate controls to data one time but allows for the re-use of these controls in many areas. The school needed a consistent way to discover and protect sensitive personal data across all departments and devices.

Solution

To understand and meet data protection needs and regulations, the university’s chief data officer implemented a data governance council to evaluate data classification standards for publicly available information, confidential information that is not public, regulated data not requiring notifications, and critical data. These types of data include personal data, sensitive personal data, Protected Health Information (PHI), and student financial information.

“It’s often easy to overlook that data protection means going beyond just protecting regulated data,” Eckman says. We also need to classify and protect intellectual property, patents, designs, and research.

Kent State turned to Spirion to help derive the data classification standard and apply a governance structure. Because they don’t want to be the data police handing out tickets, their goal is supportable instead of enforceable. Eckman says his team started by using the tool in the forensic space for incident response on files and devices. He plans to use Spirion for data protection in the cloud and to discover personal and sensitive data on endpoints.

“We’ve used Spirion to hunt malware, the remnants of malware, and particular data. And like a good hound dog, it finds it wherever it lives,” says Eckman. “We’re very pleased with it in the forensic space and with the changes that have come down the pipe relative to dashboard visuals.”

While Kent State was getting up to speed on the solution, Spirion representatives visited the
university’s Kent Campus to help Eckman’s team understand its needs and show how to best use the tool in its environment. “You don’t often see vendors substantively engage with customers the way Spirion has partnered with Kent State,” Eckman observes. “They invest time in customers, listen to feedback, and then demonstrate how they are taking the ideas to improve the product.”


Results

Spirion gave Kent State the visibility it needs to effectively manage its overall data protection processes and initiatives. The single-pane-of-glass view to understand what is happening in all spaces and devices in the environment is game-changing. “Spirion provides Kent State the visibility into what we have in file shares, where it’s moving, and who has access to it— allowing us to control access in the future,” Eckman explains.

By using Spirion, Eckman’s team was able to mitigate cyber risks by searching devices remotely. The team quickly identified the issue as malware, remediated the problem, and protected the data. Spirion’s cloud-based architecture simplifies issue resolution for remote workers.

Eckman estimates that Spirion shortens the mean time to resolution of malware incidents by at least 30 percent. His team also sees improvements in interacting with data and endpoints, especially as the university’s data becomes more cloud-based. When he used other tools, Eckman encountered countless false positives, such as flagging any set of digits as credit card numbers. But he says Spirion reduces the false positives and noise so his team can better focus on the real issues.

“False positives are absolutely evil in the game of data science,” Eckman says. “Being able to trust the data we see on the dashboards has been pivotal with a direct impact on time and cost savings.”