How Illinois College used Spirion to pass their GLBA audit and automate their data protection practices
“Spirion’s data discovery and classification platform is quite robust and may seem a bit complicated initially, but it’s very powerful. It needs to be powerful to do the full job that it does.”
Marc Benner, Assistant Chief Information Officer
Short-term, Illinois College needed to ensure the privacy of students’ personally identifiable data to comply with GLBA audit objectives. Long-term, they needed to move beyond manually identifying and securing sensitive data to a more proactive approach to help them stay compliant with changing regulatory requirements.
Illinois College took the critical first step towards data security and privacy by implementing Spirion to accurately and persistently discover, classify, and protect identity-centric data according to compliance regulations and campus rules.
Spirion not only aided Illinois College’s compliance with the GLBA Safeguards Rule on a tight deadline but also equips them with greater business agility to meet new compliance standards.
Industry Challenge: Protect student privacy by safeguarding personally identifiable information (PII)
According to the National Center for Education Statistics, almost 20 million students are enrolled in colleges and universities across the United States, providing a rich target for hackers. Educational institutions rank fourth, behind only finance, healthcare, and public administration, in the sheer volume of data breaches. This has led lawmakers to further regulate how large institutions collect and secure student data.
To protect student privacy, in 2018, the Department of Education’s Office of Federal Student Aid (FSA) began requiring Title IV higher education institutions that process U.S. federal student aid to conduct audits to assess their compliance with the Gramm-Leach-Bliley Act (GLBA). The GLBA governs how colleges and universities effectively collect, store, use, and safeguard sensitive financial records that contain PII of students and their guardians, such as Social Security numbers, tuition payments, financial aid, and bank accounts.
The Need: Move beyond manual identity-centric data protection
While GLBA regulation itself is not recent, audits to ensure information security safeguards are in place are a new requirement. To meet both GLBA audit objectives and to comply with future regulatory measures, Marc Benner, Assistant Chief Information Officer at Illinois College, knew they needed to move beyond manually identifying and securing sensitive data to a more proactive approach. “A key driver behind our decision was the simple fact that we don’t have a large staff to manually secure identity-centric data,” Benner explained. “Trying to comply manually inevitably led us to stumble across sensitive information. It also meant having to convince the administrative staff to get rid of restricted data.”
In preparing for their upcoming audit, the college needed to identify the location of the personal information of students, their guardians, faculty, and administration so they could ensure its privacy. Benner and his team began implementing several new security controls and practices, including identifying and assessing the risk of sensitive PII, designing and testing PII safeguards, and implementing a Spirion-first approach to secure their data. Spirion accurately and persistently discovers, classifies, and protects sensitive data across campus—from the network to the cloud—including students’ personally identifiable data, protected health information, and credit card numbers.
The Solution: A Spirion-first approach to persistent data detection and classification
Benner has followed a staged approach to automating the college’s security and compliance programs. His initial focus was on getting all data privacy processes automated through Spirion’s data discovery and persistent classification capabilities. Spirion was implemented in 2018 as a joint effort between the IT department and the Office of Financial Aid. Once deployed, the system scanned 28 terabytes of data on servers and approximately 250 faculty, staff, and lab endpoints, performing fast and accurate searches of both structured and unstructured data. This critical first step towards data security and privacy enabled Benner and his team to automatically locate, inventory, and classify all the college’s data according to compliance regulations and campus rules.
“Spirion provided full visibility into where all of our sensitive data lived, surfacing PII, bank account, and confidential budget information in hard-to-find files located on several computers,” Benner recalled. “From there, we were able to define and automate protection options for the data. Knowing the location of the data allowed us to take necessary remediation actions, including electronically shredding unnecessary information while securing the data we still needed to use.” Near-term, he plans to establish additional policies for remediation actions, including automatically quarantining files to a more secure location. Spirion will simplify this task by allowing the IT team to set triggers that will automatically notify them by email of policy violations for immediate response.
The Results: Persistent data protection provides greater agility
Spirion has helped Illinois College take its privacy program to the next level by putting persistent data discovery, classification, and protection at the front end of their security and compliance programs. “Such a proactive approach gives us full visibility to better understand, control, and protect sensitive data without burdening our staff or risking human error,” Benner explained. “Furthermore, by reducing our sensitive data footprint, we can better focus our limited resources and data security spend.”
Spirion not only aided Illinois College’s compliance with the GLBA Safeguards Rule on a tight deadline but also fortifies their data privacy management program, giving them greater business agility to proactively meet new compliance standards in the future.