CASE STUDY

Major State University System Finds and Protects Personal Data Across Multiple Campuses

About this Major State University System

This public, four-year higher education institution has multiple campuses, over 100,000 students, and 10,000 faculty and staff.

“We have over 100,000 students, multiple campuses, and 10,000 employees. Protecting the data of that many people keeps me busy with different challenges every day.”
–CISO, Major State University System

Challenge 

When higher education institutions collect personal information, they take possession of the most valuable assets of their student body, faculty, and administration. A student’s file offers an extensive view into their life, including personal demographics, academic records, financial details, and medical data. Holding this data inevitably puts their security at risk. It can also paralyze performance and have a crippling effect on campus-wide efficiency.

Educational institutions rank fourth, behind only finance, healthcare, and public administration, in the sheer volume of data breaches. This has led lawmakers to further regulate how large institutions collect and secure student data.

While data protection is essential across all businesses, higher education institutions must maintain a careful balance between the freedom and access that allow for educational innovation and often-conflicting data privacy regulations.

In 2015, a major state university system confronted their extremely cumbersome information auditing process. While the team was asking the right questions to staff, faculty, and students — What kind of data do you have? What do you use it for? How do you protect it? — they needed a more efficient and accurate method of identifying and protecting server and endpoint data.

“We have over 100,000 students, multiple campuses and 10,000-plus employees,” says the Chief Information and Security Officer at the university system. “Protecting the data of that many people keeps me busy with different challenges every day.” A more accurate and secure data protection program was needed.

Solution 

Initially, Spirion was implemented as a more mature and systematic automated discovery process. The initial discovery phase was lengthy, especially because endpoints can go missing, the CISO explained. “It is not unusual for a laptop or tablet to be left in a vehicle or in the back seat of an airplane. We have a lot of endpoints, and many are mobile, therefore at higher risk for being lost.”

Searching the endpoints revealed a large amount of sensitive data in unexpected places. “When we first implemented Spirion, I expected to find personal data on finance and HR endpoints, but the discovery of nine million Social Security numbers on a research department employee’s laptop was a shock. Fortunately, by following the path statement, I could see exactly where the data was on the endpoint.” The detection of this large trove of vulnerable data was not an isolated incident. Spirion also discovered 20 million credit card numbers on another endpoint.

Automating personal data discovery addressed a significant challenge across all campuses, but finding the data brought a new set of questions to the forefront: What type of data? How should it be safeguarded? Who has access? How can we adequately protect it?

The university system’s information security team worked with Spirion to develop rules and regulations for engaging with and protecting data across the entire university system. It was important to clearly communicate the purpose and outcomes of data protection, while maintaining the balance between academic freedom and protection of personal data and intellectual property.

In addition to moving data that is inappropriately stored on the endpoint, they needed to protect data that belonged on the endpoint. The university system improved their endpoint protection by using Spirion on a regularly scheduled basis for automated personal data discovery. Spirion’s search capabilities allow them to change their strategy in response to the varying data privacy and regulatory requests.

Results 

Locating, classifying, and protecting data has become a routine part of the cybersecurity program at this major state university system. It all goes back to a simple idea: If you don’t know what you have, you can’t protect it. The beauty of the new processes is the ability to quickly respond to auditors with accurate data inventory and movement reports that span all university campuses, and all environments. Instituting the data protection program was a large endeavor, but the CISO and his team are committed to preventing misuse and reducing the risk associated with personal data.

“You can’t avoid an important project just because it is difficult,” says the CISO. “I don’t want to find myself on a witness stand saying, ‘Oh, I didn’t implement the most optimal security procedures because it was hard.’” Higher education institutions must have an open flow of information that is protected from intentional and unintentional misuse. With Spirion, the university system’s security team simplified a complex and inadequate process with the ability to find, identify, and quantify data. They are fully prepared for audits and successfully comply with the extensive education, financial, and state regulatory requirements.