About this Case Study
Spirion worked closely with a CISO of a large U.S. state university as he led his organization through a significant transition to secure its data. In an in-depth conversation, he shared details about the university’s data governance plan, some of the best practices his staff implemented, and how the Spirion Data Platform helps them meet state, federal and PCI regulatory compliance requirements. Download the PDF to read the full interview.
“If you’re working in information security, you know it’s just a matter of when and not if you’ll deal with an incident. By knowing where the information is and where your weak spots are, you can address the areas that would be an easy target.”
— University’s CISO
Challenge
As the Chief Information Security Officer (CISO) of a major university, this seasoned IT professional knows first-hand the immense challenges educational institutions face when securing sensitive data, particularly Social Security numbers (SSNs) across 14,000 endpoints. The university employs a centralized approach, managed by Information Security Services, to run security programs centrally and schedule routine scans for viruses, malware, and phishing. Data governance needed to be a crucial aspect to their approach, involving the creation of an SSN protection policy and a data access plan to secure sensitive information. They had a goal to reduce SSNs in the enterprise and needed a comprehensive solution.
Solution
The university implemented the Spirion Data Platform to identify and secure SSNs, focusing on a centralized approach for deployment scanning and remediation. A data governance plan was developed concurrently with the deployment, emphasizing secure storage of SSNs and validation of data security policies. The CISO also highlighted the importance of collaboration with business units to determine legitimate data access needs— ensuring a balance between security and operational requirements.
Results
Because of Spirion, the university proactively stays on top of sensitive data security by conducting weekly scans of assets— compiling and sending monthly reports to IT directors. Semester trends are also analyzed to identify spikes in sensitive data identification. Initially focusing on SSNs, the initiative expanded to include credit card numbers, as well.
The CISO emphasized how compliance with state, federal, and PCI regulatory requirements is easier with help from Spirion. Metrics are used to demonstrate the effectiveness of the program, showing trends in SSN matches, unsecured files, and secured files. A cost estimate is also provided for credit protection based on unique SSNs.
Scalability, metrics, and accuracy are crucial for the success of the program, requiring a flexible, reliable, and collaborative approach with volunteers across campus. False positives in data classification can complicate the task, necessitating adjustments to exclusion lists and continuous fine-tuning of the system. With Spirion, false positives have been substantially reduced.
The program is presented as a risk reduction practice rather than a punitive measure, encouraging cooperation from end-users and IT directors. In the future, the university plans to reassess and potentially expand the scan parameters for sensitive data elements. Cloud storage scanning using the Spirion Data Platform is also considered for the next phase. According to the CISO, the ongoing nature of the data security requires continuous adjustments and improvements for effective protection.
Download the PDF to read the full, in-depth interview.
