Higher Education
Protecting Personal Information of Students, Faculty & Staff
Colleges and universities are under extreme pressure to protect the large amounts of personal information they collect from students, faculty, staff and the general public. These institutions collect and process personal information through their daily business of admissions, research, student loans, campus retail establishments and other business conducted on campus. The sheer volume of this sensitive data makes colleges and universities prime targets for security breaches.
Many well-publicized incidents of security breaches of campus technology networks exist. The Privacy Rights Clearinghouse indicates that since February 2005, over 50 million people have had their personal information potentially exposed by unauthorized access to the networks, and that 50% of all reported security breaches have occurred at colleges and universities.
Several federal and industry regulations are directly applicable to higher education:
- Family Educational Rights and Privacy Act (FERPA) - designed to protect privacy rights and accuracy of student education records.
- Gramm-Leach-Bliley Act (GLBA) - defines requirements for how financial institutions protect personal financial information.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) - defines requirements for access to and transfer of health data for any institution that collects medical records.
- Payment Card Industry Standard (PCI) - defines merchant requirements for securing cardholder information.
Educational institutions need access to a lot of critical personal information in order to provide the student and faculty experiences expected today. However, the sheer volume of this information and the volatility of a campus network make securing this information significantly more complex than at some public companies. In order for colleges and universities to ensure they are protecting their constituents' personal information, they must employ a solution that safeguards their information systems against unauthorized access, fraud and data theft.
How Nexpose Helps
Nexpose can help educational institutions ensure that the confidentiality, integrity, and availability of electronic personal information, whether admissions records, financial data or health information, is maintained. Nexpose scans Web servers, databases, operating systems, and network devices to locate threats to the environment, then devises a remediation plan to address and remove those threats. Through regular audits of your IT environment, you are able to identify and prioritize vulnerabilities based on the risk they present to your institution, enabling you to better utilize resources by fixing the more critical issues.
Nexpose provides reports that help you evaluate compliance with defined security policies. Rapid7 has also successfully completed the PCI Standards Council Vendor Compliance Testing Program, which certifies us to help colleges and universities achieve compliance with the Payment Card Industry (PCI) Data Security Standard.
How Metasploit Pro Helps
Metasploit Pro can help educational institutions actively test whether their security systems are effective in keeping out intruders. Based on the industry-leading Metasploit Framework, Metasploit Pro makes penetration testing more efficient and easier. Using Metasploit Pro, IT staff in higher education can:
- Verify that security systems are protected against attacks from overzealous students and cyber criminals
- Reduce the remediation costs by verifying that a vulnerability poses a real threat before patching it
- Overcome push-back from application owners to patch systems by demonstrating that a certain vulnerability poses a real risk
- Carry out penetration tests required by PCI DSS 11.3, providing the IT security professional has received training in penetration testing and is organizationally separate from the network operations team
Rapid7 Professional Services
Rapid7 Professional Services has developed service offerings that can help you get to compliance with these regulations more quickly. Our audit services provide an overview of the effectiveness of the security controls you have in place, including adherence to the requirements outlined in the regulations listed above. We ensure that your network is properly configured to safeguard the integrity of your constituents' confidential information and records. Some of our professional services offerings include:
- PCI Compliance Testing
- Penetration Testing
- Best Practices Consulting
- Social Engineering
Want to learn more?
Watch our virtual round table "Managing Security Challenges in Higher Education: Real-world solutions for Colleges and Universities" featuring three higher education security practitioners.
Need more info? Talk to us!
If you're interested in talking to us about how we can help you with your higher education needs, please phone us at 617.247.1717 or contact us online!
"Rapid7 knows how to work with higher education institutions and Nexpose offered what we sought in terms of feature sets."
Mary-Ann Blair
Director of Information Security
Carnegie Mellon University



