Every college and university should have a cybersecurity strategy, regardless of the size of the school. Cybersecurity is a sustainable program of processes and controls that are interdependent. To be effective, a cybersecurity strategy should include specific components. It’s helpful to have a template to use either as a starting point for building a strong program or to compare against for enhancing an existing cybersecurity strategy.
The college uses technology to collect, store and manage information. That same technology introduces risks in the form of data breaches, human error and system malfunction, any of which can cause serious financial damage and harm the college’s reputation.
A strong cybersecurity strategy will reduce risks and ensure that the college is prepared in the event of fraud, a data breach or other allegations of harm.
A successful cybersecurity strategy incorporates the following seven characteristics:
- Endorsed by management
- Relevant to the organization
- Realistic and makes sense
- Attainable and can be implemented
- Adaptable enough to accommodate change
- Enforceable and compliant with laws
- Inclusive and incorporates all relevant parties
Cybersecurity Strategy Template for College Boards
This template covers the basics of cybersecurity strategy and should be considered a starting point for a college cybersecurity strategy.
Create a cybersecurity policy brief. Include the purpose, outline, guidelines and provisions for preserving the college’s data and technology infrastructure. The policy should address how to handle confidential data including unpublished financial information, patents, formulas, customer lists and data of customers, vendors and partners.
Establish the Scope of Who the Policy Applies To
Consider carefully to whom the college’s cybersecurity policy applies. Consider students, board directors, risk managers, senior management, the ISO, compliance teams, physical security officers, audit teams, incident response teams, employees, IT staff, information owners, etc. The policy should apply to anyone who has temporary or permanent access to systems and hardware.
Protect Personal and Company Devices
Provide training for employees on security for personal and company electronic devices. This training should cover password protection, use of antivirus software, not leaving devices unattended, keeping software updates current, using secure and private networks for company business, and not using other people’s devices.
Safe Email Awareness
Train employees to look for signs of scams and malicious software. They should be wary of opening attachments without a clear need, steer clear of clicking on prize links, confirm that the emails they receive are from legitimate individuals or groups, and watch for inconsistencies in grammar and capitalization or for sender addresses and links containing an unusual number of letters, numbers or symbols.
Proper Password Management
Instruct employees to use strong passwords and not to share them with anyone else. Passwords should have a combination of upper-case, lower-case, numbers and symbols. They shouldn’t use information that someone could easily guess. Users should change their passwords every couple of months. They should also consider using a password management tool that generates and stores passwords.
Secure Transferring of Data
A common tactic for attackers is to intercept data while it’s being transferred. Ask employees to avoid transferring sensitive data, such as employee records or customer information, to other devices or accounts unless it’s absolutely necessary.
Employees should be prohibited from sharing confidential data over the company network, public Wi-Fi and private connections. Employees should also be trained on how to verify the identities of recipients to ensure that they’re duly authorized and that they have adequate security policies as well.
Report Suspicions of Breaches, Scams and Hacking Break-ins
Ensure that employees know how to report scams, privacy breaches and hacking attempts. Employees shouldn’t hesitate to report perceived attacks, suspicious emails and phishing encounters at their earliest opportunity. Organizations should have a plan for IT specialists to investigate right away, resolve the issue(s) and issue a companywide alert, if necessary.
Classify Information and Manage Records
A cybersecurity plan should classify information and manage records for procedures, systems and practices according to the applicable regulations. This element means that college representatives should know who owns each type of information, how it may be distributed, which data is considered protected or confidential, how long data must be retained, which data can be destroyed, and how data handling coordinates with business continuity planning.
Risk Management Policy
Establish the guidelines for a risk management policy that identifies, monitors, measures and controls information security risks. This should involve input from risk managers, the board of directors, the risk management committee, the CIO, department managers, risk officers, the compliance officer, legal counsel and various employees.
Data Breach Response Plan
Create, document, communicate and test an incident management and response plan. Determine how to assess theft of, or unauthorized access to, customer accounts and personal information. Outline how (or whether) to respond to the attackers, and how to communicate the details of the breach to stakeholders and the public.
Detail Security Plans for Electronic Banking and Online Payments
Ensure security for electronic banking, online payments, monitoring electronic banking activity, linking to third-party sites and services, fraud prevention, cryptographic controls, authentication, risk management, administrative access, disaster recovery and business continuity.
Controls for Social Media and Internet Access
Ensure that employees turn off their computers and lock their devices when leaving their workspace. Have a policy that requires employees to report stolen or damaged equipment as soon as possible. Have policies in place to change passwords for missing devices or devices from terminated employees. Establish a policy for employees regarding internet and social media usage at work. Train employees to detect suspicious links and websites. Be sure to include policies for remote employees.
Consequences for Disregarding Security Policies
Establish a policy that sets out the consequences for employees who are found to be disregarding security policies, even if the violation doesn’t result in a breach.
Final Thoughts on Cybersecurity for College Boards
While this is not a comprehensive template for a cybersecurity strategy plan for college boards, it includes many of the important areas that will help protect against cybercrime.
Technology is dynamic, which means that college boards need to be able to prepare for and adapt to continually evolving conditions so they can recover quickly from disruptions and be sustainable. An effective cybersecurity program protects the organization, its employees, its vendors and partners, and its students from harm that results from intentional or unintentional damage, misuse or disclosure of information.
BoardEffect is a board management software program that takes a modern approach to cybersecurity. It provides the most efficient way for boards to conduct all aspects of board business to ensure good governance all year round.