
CASE STUDY

Spirion Makes Data Privacy Program Smarter at State College

About the State College

This state college needed to immediately ensure the privacy of students’ personally identifiable data to comply with GLBA audit objectives. Long-term, they needed to move beyond manually identifying and securing sensitive data to a more proactive approach to help stay compliant with changing regulatory requirements.

“Spirion’s data discovery and classification platform is quite robust and may seem a bit complicated initially, but it’s very powerful. It needs to be powerful to do the full job that it does. When it comes to protecting what matters the most, you don’t want fast and easy; you want accurate and persistent.”

— College’s Assistant Chief Information Officer

Challenge

According to the National Center for Education Statistics, almost 20 million students are enrolled in colleges and universities across the United States, providing a rich target for hackers. Educational institutions rank fourth only behind finance, healthcare, and public administration in the sheer volume of data breaches. This has led lawmakers to further regulate how large institutions collect and secure student data.

To protect student privacy, in 2018 the Department of Education’s Office of Federal Student Aid (FSA) began requiring Title IV higher education institutions that process U.S. federal student aid to conduct audits assessing their compliance with the Gramm-Leach-Bliley Act (GLBA). The law governs how colleges and universities collect, store, use, and safeguard sensitive financial records containing PII of students and their guardians, such as Social Security numbers, tuition payments, financial aid, and bank accounts.

While the GLBA regulation itself is not recent, audits to confirm that information security safeguards are in place are a new requirement. To meet GLBA audit objectives and to comply with future regulatory measures, an assistant chief information officer (CIO) at this U.S. state college knew they needed to move beyond manually identifying and securing sensitive data to a more proactive approach. “A key driver behind our decision was the simple fact that we don’t have a large staff to manually secure identity-centric data,” they explained. “Trying to comply manually inevitably led us to stumble across sensitive information. It also meant having to convince the administrative staff to get rid of restricted data.”

In preparing for their upcoming audit, the college needed to identify the location of the personal information of students, their guardians, faculty, and administration so they could ensure its privacy. The search for an automated solution began.

Solution

After an extensive analysis of the college’s needs and the industry’s top data governance solutions, the CIO and team began implementing several new security controls and practices, including identifying and assessing the risk of sensitive PII, and designing and testing PII safeguards. They also chose and implemented a Spirion-First approach to secure their data. Spirion accurately and persistently discovers, classifies, and protects sensitive data across their campus—from the network to the cloud—including students’ personally identifiable data, protected health information, and credit card numbers.

The assistant CIO has followed a staged approach to automating the college’s security and compliance programs. The initial focus was on automating all data privacy processes through Spirion’s data discovery and persistent classification capabilities. Spirion was implemented as a joint effort between the IT department and the Office of Financial Aid. Once deployed, the system scanned 28 terabytes of data on servers and approximately 250 faculty, staff, and lab endpoints, performing fast and accurate searches of structured and unstructured data. This critical first step toward data security and privacy enabled the assistant CIO and their team to automatically locate, inventory, and classify all the college’s data according to compliance regulations and campus rules.

“Spirion provided full visibility into where all our sensitive data lived, surfacing PII, bank account, and confidential budget information in hard-to-find files located on several computers,” they recalled. “From there, we were able to define and automate protection options for the data. Knowing the location of the data allowed us to take necessary remediation actions, including electronically shredding unnecessary information while securing the data we still needed to use.”

Results

Spirion has helped the state college take its privacy program to the next level by putting persistent data discovery, classification, and protection at the front end of its security and compliance programs. “Such a proactive approach gives us full visibility to better understand, control, and protect sensitive data without burdening our staff or risking human error,” the assistant CIO explained. “Furthermore, by reducing our sensitive data footprint, we can better focus our limited resources and data security spend.”

In the near term, the assistant CIO plans to establish additional policies for remediation actions, including automatically quarantining files to a more secure location. Spirion will further simplify this task by allowing the IT team to set triggers that automatically notify them by email of policy violations for immediate response.
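As an added illustration of the workflow described in the Solution section and in the remediation plans above (locate PII in file content, classify each file, then decide whether to quarantine or only alert), the following Python sketch shows the shape of such a pipeline. It is not Spirion code and does not model the product’s actual detection engine. The file paths and contents are constructed; the Social Security number and payment-card patterns, the Luhn check, the keyword list, and the Restricted/Confidential/Internal labels with their mapped actions are all assumptions made for the example.

```python
"""Minimal sensitive-data discovery, classification and remediation planner.

Added illustration only: not Spirion code, not a model of its detection logic.
All sample file contents below are constructed for the example.
"""
import re
from dataclasses import dataclass, field

# Constructed sample files standing in for scanned server/endpoint content.
SAMPLE_FILES = {
    "finaid/2019_awards.csv": (
        "student_id,ssn,award\n"
        "1001,123-45-6789,2500\n"
        "1002,321-54-9876,1800\n"
    ),
    "bursar/payments.txt": (
        "Card on file: 4111 1111 1111 1111 exp 09/25\n"
        "Ref 4111-1111-1111-1112 (typo: fails the Luhn check)\n"
    ),
    "lab/syllabus.txt": "Week 3 reading. Room code 000-12-3456 (area 000 is never issued).\n",
    "hr/budget_notes.txt": "FY budget draft: 1,250,000 total. Contact ext 4321.\n",
}

# SSN: reject area 000/666/9xx, group 00 and serial 0000 to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits with optional single space/hyphen separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Assumed keyword list for non-PII but still sensitive material.
CONFIDENTIAL_TERMS = ("budget", "salary", "bank account")
# Assumed label-to-action policy (the "quarantine" and "notify" steps from the text).
ACTIONS = {"Restricted": "quarantine", "Confidential": "notify", "Internal": "none"}


@dataclass
class Finding:
    kind: str    # "ssn" or "card"
    masked: str  # only the last four digits survive in reports


@dataclass
class Report:
    path: str
    label: str   # Restricted / Confidential / Internal
    action: str  # quarantine / notify / none
    findings: list = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Never write the full identifier into logs or reports."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list:
    """Discover validated SSNs and Luhn-valid card numbers in one file's content."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", mask(m.group().replace("-", ""))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("card", mask(digits)))
    return findings


def classify(text: str, findings: list) -> str:
    """Any validated PII makes a file Restricted; keywords alone make it Confidential."""
    if findings:
        return "Restricted"
    if any(term in text.lower() for term in CONFIDENTIAL_TERMS):
        return "Confidential"
    return "Internal"


def scan_files(files: dict) -> dict:
    """Run discovery + classification over every file and attach the policy action."""
    reports = {}
    for path, text in files.items():
        findings = scan_text(text)
        label = classify(text, findings)
        reports[path] = Report(path, label, ACTIONS[label], findings)
    return reports


if __name__ == "__main__":
    for r in scan_files(SAMPLE_FILES).values():
        print(f"{r.path:26} {r.label:13} {r.action:11} {[f.masked for f in r.findings]}")
```

The validity filters are the part worth noticing: the SSN area/group/serial rules drop the “000-12-3456” room code and the Luhn check drops the mistyped card number, which is the difference between a scanner that is merely fast and one that is accurate enough to drive automatic quarantine. Reports carry only masked values, so the inventory itself does not become another copy of the PII it was meant to find.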

Spirion not only helped this state college comply with the GLBA Safeguards Rule on a tight deadline; it also strengthens their data privacy management program, giving them greater agility to proactively meet new compliance standards in the future.