Learn More about Data Loss Prevention (DLP) & eDiscovery with Microsoft & Forsyte I.T. Solutions
The job of data protection is getting tougher every day and minor mistakes can cost any organization thousands of dollars. What steps are you taking to protect your organization?
This blog will cover:
- Threats that educational institutions face from a data breach or data loss.
- How Microsoft tools like Data Loss Prevention (DLP) and eDiscovery help counter these threats and reduce your organization's legal exposure.
Let us first understand how data breaches or data theft affects educational institutions.
Malicious and accidental breaches are on the rise, and educational institutions are no exception to these threats.
It has become quite common for parents/guardians, employees, and students to file lawsuits against educational institutions and organizations for breaches of data and privacy.
Recently, the data of millions of students in the UK was breached and found in the hands of a betting company.
What happened next? Mass litigation and parents suing the educational institute for thousands of dollars.
Surprising Findings about Educational Organizations' Data Protection Policies
A 2020 survey found that only 19% of organizations track data sharing amongst employees. The rest either do not track it at all or rely on manual processes, which leaves their exposure unmanaged. (Source: Netwrix – https://www.netwrix.com/download/collaterals/2020_data_risk_security_report.pdf)
The survey also found that only 4% of educational institutions have a data retention program.
As per this survey, “Educational organizations also suffer from weak access controls. One quarter (24%) of them admit granting access rights based solely on user requests, and another 22% said they don’t know how exactly access rights are granted in their organizations — the highest percentage among all industries. To make matters worse, 63% of educational organizations don’t review permissions regularly.”
What makes the picture even more worrying for educational organizations?
With more edtech products and services entering students' lives, managing such a wide spread of data becomes even harder, and even a minor leak can dent a school's reputation. The loss is hard to quantify once data and sensitive information get into the wrong hands. At the same time, this is still a developing area of law, and close attention from class-action lawyers means a data breach can invite lawsuits along with loss of trust and reputation. It is undoubtedly a challenging issue, and it is highly important to ensure that the core defense of your institution is solid so that you are protected from skyrocketing claims.
What can you do as a CIO/CISO/Compliance Officer to shield your educational organization?
The best way to get started is by laying down data loss prevention policies based on your state laws to protect your stakeholders' data.
Every state has different laws, so work with your legal advisor on your DLP (Data Loss Prevention) policies, keeping them in sync with:
>Student expectations of privacy,
>GLBA (Gramm-Leach-Bliley Act),
>PPRA (Protection of Pupil Rights Amendment),
>FERPA (Family Educational Rights and Privacy Act),
>Payment Card Industry Data Security Standard (PCI DSS),
>Health Insurance Portability and Accountability Act (HIPAA), etc.
Once you have laid down your policies, it is important to define rules that enforce them.
Here are a few major things to keep in mind while drafting your data loss prevention policy:
• Identify Sensitive Information: e.g. student health records, student academic records, financial information, any other private information that should be shared only with parents/guardians, and critical staff information such as bank account details, SSNs, etc.
• Avoid Accidental Sharing of Information: e.g. prevent sensitive information from being accidentally shared outside your organization. You can block access, block an email from being sent, or restrict the sharing of certain information to a specific department or group.
• Monitor and Protect Sensitive Information: with a Data Loss Prevention policy in your compliance and security center, you can identify, monitor, and automatically protect sensitive data.
Manual compliance checks are nearly impossible when a large share of your data is exposed to vulnerabilities and breaches. Since time is of the essence, you do not want to spend years developing a system that may become outdated. It is better to take advantage of tools that help your entire organization comply with the policies.
You can only trust a brand that respects user privacy and security.
Microsoft offers Office 365 Education, which can help you implement your DLP (Data Loss Prevention) policies. It ensures that the policies you have laid down are implemented and followed by users in your institution. It gives you more control over the data, reduces the chances of a data breach, and prepares you for any further obligations.
Let's take a quick look at the overall structure.
When you use Office 365, you can:
> Create multiple policies
> Define rules (each policy can have multiple rules)
> Define the action taken when the rule criteria are met (the system evaluates both content and context, and can trigger alerts or notifications, or take other actions such as restricting or blocking access, disallowing sharing, capturing a record of the incident, etc.)
> Apply these policies and rules across different channels, whether chat, the Microsoft Office applications, OneDrive, etc.
> Include or exclude groups with ease, whether a whole department or users selected by hierarchy (Microsoft DLP gives you the flexibility to customize as per your requirements and to make the system robust and scalable).
To understand how a rule is structured, let us analyze the image below.
If specific conditions are matched, the system takes the configured actions, with the option to generate user notifications.
For example, if someone emails a piece of confidential information, such as an SSN, outside the organization, you can set the rule to notify the user and, at the same time, capture the incident in the records.
This is an ever-evolving process and needs to be a participatory effort by the whole organization. Users should have the option to override a rule where doing so makes sense, and in the end, compliance officers must have the necessary reports to make further data-backed decisions.
There are many advanced customizations that can be done within the system to implement and monitor your policies.
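The following is an added example, not code from the original post and not Microsoft's or Forsyte's own, showing how the policy ingredients listed earlier (identify sensitive information, block accidental external sharing, monitor and record incidents) and the rule structure just described (conditions, actions, notifications, user override) map onto Security & Compliance PowerShell. The policy and rule names, the policy-tip text, the admin UPN and the incident-report mailbox are constructed placeholders; the cmdlets, parameters and the built-in sensitive information type name are real.

```powershell
# Added example (not from the original post, Microsoft or Forsyte): one DLP policy with one rule.
# Requires the ExchangeOnlineManagement module and an account holding a compliance admin role.
# All names and addresses below are constructed placeholders.
Connect-IPPSSession -UserPrincipalName 'compliance.admin@school.example'   # placeholder UPN

# 1. The policy: which channels (Exchange, SharePoint, OneDrive, Teams) it covers.
#    -Mode TestWithNotifications reports matches and shows policy tips without blocking,
#    so the rule can be tuned against real traffic before enforcement is switched on.
$policyName = 'Student Records - External Sharing'
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Keeps SSNs and student records from leaving the institution (FERPA/GLBA scope).' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -Mode TestWithNotifications

# 2. The rule: condition (an SSN is present AND the recipient/share target is outside the
#    organization) -> actions (block access, generate an incident report) -> notifications
#    (policy tip to the owner and last modifier, override allowed only with a justification).
New-DlpComplianceRule -Name 'Block SSN shared outside the organization' `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This item contains a Social Security Number and cannot be shared outside the institution.' `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport 'dlp-incidents@school.example' `
    -IncidentReportContent Title, Detections, Severity, Service, DocumentAuthor `
    -ReportSeverityLevel High

# 3. Review what was created. Only after the test period shows an acceptable false-positive
#    rate should the policy be moved to enforcement.
Get-DlpComplianceRule -Policy $policyName | Format-List Name, AccessScope, BlockAccess, NotifyUser
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Starting in test mode rather than enforcement is the design choice worth copying: the incident reports and policy-tip counts collected during the test window are the data-backed evidence a compliance officer needs before a rule is allowed to block staff and students outright.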
Proactive Role of a Compliance Officer in the Educational Institute
As a compliance officer, it is very important to:
> Understand the critical data you hold in your educational institution.
> Prioritize it in terms of sensitivity.
> Know who accesses or shares the data, and when, where, and what.
If you don't have answers to these questions, or lack the access needed to make data-based decisions and policy evaluations, you are keeping your students and employees at risk.
This is where Microsoft eDiscovery comes into play.
Your compliance officer can use Microsoft eDiscovery to search for content across different channels like chats, drives, sites, and mailboxes, and to identify, place on hold, and export content for cases that may be used in litigation or as evidence.
You also have the ability to manage your legal team and create your own workflows for communicating with the custodians in a case. Maintaining eDiscovery information is essential and necessary, but it is sometimes overlooked by organizations.
Collaboration on eDiscovery between school administrators and counsel can lead to productive plans and enhance the policies governing how electronically stored information is managed.
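As an added example (not from the original post and not Microsoft's or Forsyte's own code), the case, hold, search and export workflow described above, driven from Security & Compliance PowerShell. The case name, the custodian mailboxes, the site URL and the search query are constructed placeholders; the cmdlets and their parameters are real.

```powershell
# Added example (not from the original post, Microsoft or Forsyte): an eDiscovery case workflow.
# Requires the ExchangeOnlineManagement module and membership in the eDiscovery Manager role group.
# Case name, mailboxes, site URL and query are constructed placeholders.
Connect-IPPSSession -UserPrincipalName 'compliance.admin@school.example'   # placeholder UPN

$case       = 'Case-0001 Student Record Disclosure'                         # placeholder case name
$custodians = 'registrar@school.example', 'counsel@school.example'          # placeholder mailboxes
$site       = 'https://school.sharepoint.example/sites/registrar'           # placeholder site

# 1. Create the case that groups the holds, searches and exports for this matter.
New-ComplianceCase -Name $case -Description 'Alleged external disclosure of student records (placeholder).'

# 2. Hold: preserve the custodians' mailboxes (which also hold their Teams chats) and the
#    department site so nothing can be deleted while the matter is open. A hold rule with
#    no query preserves all content in those locations.
New-CaseHoldPolicy -Name "$case - Hold" -Case $case `
    -ExchangeLocation $custodians `
    -SharePointLocation $site `
    -Enabled $true
New-CaseHoldRule -Name "$case - Hold rule" -Policy "$case - Hold"

# 3. Search the same locations with a keyword query; the results are scoped to the case.
New-ComplianceSearch -Name "$case - Search" -Case $case `
    -ExchangeLocation $custodians `
    -SharePointLocation $site `
    -ContentMatchQuery '("student record" OR transcript) AND sent>=2021-01-01'
Start-ComplianceSearch -Identity "$case - Search"

# 4. Wait for the search to finish and review the hit count and size before exporting,
#    so an over-broad query is corrected rather than handed to counsel as is.
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity "$case - Search"
} until ($search.Status -eq 'Completed')
$search | Format-List Name, Status, Items, Size

# 5. Export the results: one PST per mailbox, SharePoint items as native files.
New-ComplianceSearchAction -SearchName "$case - Search" -Export -Format FxStream -ExchangeArchiveFormat PerUserPst
```

Placing the hold before running the search is deliberate: the hold guarantees that whatever the search later finds (or misses on a first pass) is still there when the query is refined or when counsel asks for a second export.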
Wrapping Up
Preventing data loss goes a long way toward saving your educational institution from lawsuits by parents/guardians and employees. Protect your brand, protect your students, and protect your employees. Keep your data safe with Microsoft DLP and eDiscovery tools.
Role of Forsyte
Forsyte I.T. Solutions is a Microsoft Gold Partner helping large organizations and educational institutions implement DLP and eDiscovery tools to protect and secure sensitive data. We understand the intricacies involved in the education sector and work around the clock to implement best practices for data loss prevention to help safeguard against legal claims and suits.
For more information on how Forsyte helps in protecting against data theft or information on licensing, please get in touch with our team.