CMMC: Is it time for your cybersecurity program to grow up?

More and more emphasis is being put on cybersecurity by companies of all sizes. Whether it’s the news headlines of notable IT incidents, greater emphasis on the value of data, or the monetization of certain types of attacks, an increasing amount of energy and money is going towards security. Security has the attention of leadership and the board and it is not going away. One of the biggest risks to and vulnerabilities of any organization’s security continues to be its people. Innovative approaches and new technology can reduce risk but they still don’t prevent the damage that can be inflicted by an employee simply opening an attachment or following a link. This is more likely to happen than you may think.

Technology also doesn’t prepare a management team for how to handle the IT response, communication effort, and workforce management required during and after an event. Technology doesn’t lessen the operational impact that your organization will feel when, not if, you experience an event.

So let’s examine the human and operational side of cybersecurity. Below are three factors you should address to reduce risk and prepare your organization for an event:

1. People: Create and maintain a vigilant workforce
   Ask yourself, “How prepared is our workforce when it comes to security threats and protecting our data? How likely would it be for one of our team members to click on a link or open an attachment that appear to be from our CFO? Would our team members look closely enough at the email address and notice that the organization name is different by one letter?”
    

   According to the 2016 Verizon Data Breach Report, 30% of phishing messages were opened by the target across all campaigns and 12% went on to click on the attachment or link.

   Phishing email attacks directed at your company through your team range from very obvious to extremely believable. Some attempts are sent widely and are looking for just one person to click, while others are extremely targeted and deliberate. In either case, it is vital that each employee takes enough time to realize that the email request is unusual. Perhaps there are strange typos in the request or it is odd the CFO is emailing while on vacation. That moment your employees take to pause and decide whether to click on the link/attachment could mean the difference between experiencing an event or not.
   
   So how do you create and cultivate this type of thought process in your workforce? Lots of education and awareness efforts. This goes beyond just an annual in-service training on HIPAA. It may include education sessions, emails with tips and tricks, posters describing the risk, and also exercises to test your workforce against phishing and security exploits. It also takes leadership embracing security as a strategic imperative and leading the organization to take it seriously. Once you have these efforts in place, you can create culture change to build and maintain an environment where an employee is not embarrassed to check with the CFO’s office to see if they really did send an email from Bora Bora.

2. Plan: Implement a disaster recovery and incident response plan 
   Through the years, disaster recovery plans have been the usual response. Mostly, the emphasis has been on recovering data after a non-security IT event, often discussed in context of a fire, power loss, or hardware failure. Increasingly, cyber-attacks are creeping into the forefront of planning efforts. The challenge with cyber-events is that they are murkier to understand – and harder for leadership – to assist with.
   
   It’s easier to understand the concept of a fire destroying your server room and the plan entailing acquiring new equipment, recovering data from backup, restoring operations, having good downtime procedures, and communicating the restoration efforts along the way. What is much more challenging is if the event begins with a suspicion by employees, customers, or vendors who believe their data has been stolen without any conclusive information that your company is the originating point of the data loss. How do you take action if you know very little about the situation? What do you communicate if you are not sure what to say? It is this level of uncertainty that makes it so difficult. Do you have a plan in place for how to respond to an incident? Here are some questions to consider:
    
   1. How will we communicate internally with our staff about the incident?
   2. How will we communicate with our clients? Our patients? Our community?
   3. When should we call our insurance company? Our attorney?
   4. Is reception prepared to describe what is going on if someone visits our office?
   5. Do we have the technical expertise to diagnose the issue?
   6. Do we have set protocols in place for when to bring our systems off-line and are our downtime procedures ready to use?
   7. When the press gets wind of the situation, who will communicate with them and what will we share?
   8. If our telephone system and network is taken offline, how we will we communicate with our leadership team and workforce?

By starting to ask these questions, you can ascertain how ready you may, or may not be, for a cyber-attack when it comes.

3. Practice: Prepare your team with table top exercises  
   Given the complexity and diversity of the threats people are encountering today, no single written plan can account for all of the possible combinations of cyber-attacks. A plan can give guidance, set communication protocols, and structure your approach to your response. But by conducting exercises against hypothetical situations, you can test your plan, identify weaknesses in the plan, and also provide your leadership team with insight and experience – before it counts.
   
   A table top exercise entails one team member (perhaps from IT or from an outside firm) coming up with a hypothetical situation and a series of facts and clues about the situation that are given to your leadership team over time. Your team then implements the existing plans to respond to the incident and make decisions. There are no right or wrong answers in this scenario. Rather, the goal is to practice the decision-making and response process to determine where improvements are needed.
   
   Maybe you run an exercise and realize that you have not communicated to your staff that no mention of the event should be shared by employees on social media. Maybe the exercise makes you realize that the network administrator who is on vacation at the time is the only one who knows how to log onto the firewall. You might identify specific gaps that are lacking in your cybersecurity coverage. There is much to learn that can help you prepare for the real thing.

As you know, there are many different threats and risks facing organizations. Some are from inside an organization while others come from outside. Simply throwing additional technology at the problem will not sufficiently address the risks. While your people continue to be one of the biggest threats, they can also be one of your biggest assets, in both preventing issues from occurring and then responding quickly and appropriately when they do. Remember focus on your People, Your Plan, and Your Practice.

Best practices for financial institution contracts with technology providers

As the financial services sector moves in an increasingly digital direction, you cannot overstate the need for robust and relevant information security programs. Financial institutions place more reliance than ever on third-party technology vendors to support core aspects of their business, and in turn place more reliance on those vendors to meet the industry’s high standards for information security. These include those in the Gramm-Leach-Bliley Act, Sarbanes Oxley 404, and regulations established by the Federal Financial Institutions Examination Council (FFIEC).

On April 2, 2019, the FDIC issued Financial Institution Letter (FIL) 19-2019, which outlines important requirements and considerations for financial institutions regarding their contracts with third-party technology service providers. In particular, FIL-19-2019 urges financial institutions to address how their business continuity and incident response processes integrate with those of their providers, and what that could mean for customers.

Common gaps in technology service provider contracts

As auditors of IT controls, we review lots of contracts between financial institutions and their technology service providers. When it comes to recommending areas for improvement, our top observations include:

• No right-to-audit clause
  Including a right-to-audit clause encourages transparency and provides greater assurance that vendors are providing services, and charging for them, in accordance with their contract.
• Unclear and/or inadequate rights and responsibilities around service disruptions
  In the event of a service incident, time and transparency are vital. Contracts that lack clear and comprehensive standards, both for the vendor and financial institution, regarding business continuity and incident response expose institutions to otherwise avoidable risk, including slow or substandard communications.
• No defined recovery standards
  Explicitly defined recovery standards are essential to ensuring both parties know their role in responding and recovering from a disaster or other technology outage.

FIL-19-2019 also reminds financial institutions that they need to properly inform regulators when they undertake contracts or relationships with technology service providers. The Bank Service Company Act requires financial institutions to inform regulators in writing when receiving third-party services like sorting and posting of checks and deposits, computation and posting of interest, preparation and mailing of statements, and other functions involving data processing, Internet banking, and mobile banking services.

Writing clearer contracts that strengthen your institution

Financial institutions should review their contracts, especially those that are longstanding, and make necessary updates in accordance with FDIC guidelines. As operating environments continue to evolve, older contracts, often renewed automatically, are particularly easy to overlook. You also need to review business continuity and incident response procedures to ensure they address all services provided by third-parties.

Senior management and the Board of Directors hold ultimate responsibility for managing a financial institution’s relationship with its technology service providers. Management should inform board members of any and all services that the institution receives from third-parties to help them better understand your operating environment and information security needs.

Not sure what to look for when reviewing contracts? Some places to start include:

• Establish your right-to-audit
  All contracts should include a right-to-audit clause, which preserves your ability to access and audit vendor records relating to their performance under contract. Most vendors will provide documentation of due diligence upon request, such as System and Organization Control (SOC) 1 or 2 reports detailing their financial and IT security controls.
  
  Many right-to-audit clauses also include a provision allowing your institution to conduct its own audit procedures. At a minimum, don’t hesitate to perform occasional walk-throughs of your vendor’s facilities to confirm that your contract’s provisions are being met.

• Ensure connectivity with outsourced data centers
  If you outsource some or all of your core banking systems to a hosted data center, place added emphasis on your institution’s business continuity plan to ensure connectivity, such as through the use of multiple internet or dedicated telecommunications circuits. Data vendors should, by contract, be prepared to assist with alternative connectivity.

• Set standards for incident response communications 
  Clear expectations for incident response are crucial  to helping you quickly and confidently manage the impact of a service incident on your customers and information systems. Vendor contracts should include explicit requirements for how and when vendors will communicate in the event of any issue or incident that affects your ability to serve your customers. You should also review and update contracts after each incident to address any areas of dissatisfaction with vendor communications.

• Ensure regular testing of defined disaster recovery standards
  While vendor contracts don’t need to detail every aspect of a service provider’s recovery standards, they should ensure those standards will meet your institution’s needs. Contracts should guarantee that the vendor periodically tests, reviews, and updates their recovery standards, with input from your financial institution.
  
  Your data center may also offer regular disaster recovery and failover testing. If they do, your institution should participate in it. If they don’t, work with the vendor to conduct annual testing of your ability to access your hosted resources from an alternate site.

As financial institutions increasingly look to third-party vendors to meet their evolving technology needs, it is critical that management and the board understand which benefits—and related risks—those vendors present. By taking time today to align your vendor contracts with the latest FFIEC, FDIC, and NCUA standards, your institution will be better prepared to manage risk tomorrow.

For more help gaining control over risk and cybersecurity, see our blog on sustainable solutions for educating your Board of Directors and creating a culture of cybersecurity awareness.
 

Focus on the people: How higher ed institutions can successfully make an ERP system change

The enterprise resource planning (ERP) system is the heart of an institution’s business, maintaining all aspects of day-to-day operations, from student registration to staff payroll. Many institutions have used the same ERP systems for decades and face challenges to meet the changing demands of staff and students. As new ERP vendors enter the marketplace with new features and functionality, institutions are considering a change. Some things to consider:

1. Don’t just focus on the technology and make change management an afterthought. Transitioning to a new ERP system takes considerable effort, and has the potential to go horribly wrong if sponsorship, good planning, and communication channels are not in place. The new technology is the easy part of a transition—the primary challenge is often rooted in people’s natural resistance to change.  
2. Overcoming resistance to change requires a thoughtful and intentional approach that focuses on change at the individual level. Understanding this helps leadership focus their attention and energy to best raise awareness and desire for the change.
3. One effective tool that provides a good framework for successful change is the Prosci ADKAR^® model. This framework has five distinct phases that align with ERP change:

These phases provide an approach for developing activities for change management, preparing leadership to lead and sponsor change and supporting employees through the implementation of the change.

The three essential steps to leveraging this framework:

1. Perform a baseline assessment to establish an understanding of how ready the organization is for an ERP change
2. Provide sponsorship, training, and communication to drive employee adoption
3. Prepare and support activities to implement, celebrate, and sustain participation throughout the ERP transition

Following this approach with a change management framework such as the Prosci ADKAR^® model can help an organization prepare, guide, and adopt ERP change more easily and successfully. 

If you’re considering a change, but need to prepare your institution for a healthy ERP transition using change management, chart yourself on this ADKAR framework—what is your organization’s change readiness? Do you have appropriate buy-in? What problems will you face?

You now know that this framework can help your changes stick, and have an idea of where you might face resistance. We’re certified Prosci ADKAR^® practitioners and have experience guiding Higher Ed leaders like you through these steps. Get in touch—we’re happy to help and have the experience and training to back it up. Please contact the team with any questions you may have.

¹Prosci ADKAR^®from http://www.prosci.com

“The world is one big data problem,” says MIT scientist and visionary Andrew McAfee.

That’s a daunting (though hardly surprising) quote for many in data-rich sectors, including higher education. Yet blaming data is like blaming air for a malfunctioning wind turbine. Data is a valuable asset that can make your institution move.

To many of us, however, data remains a four-letter word. The real culprit behind the perceived data problem is our handling and perception of data and the role it can play in our success—that is, the relegating of data to a select, responsible few, who are usually separated into hardened silos. For example, a common assumption in higher education is that the IT team can handle it. Not so. Data needs to be viewed as an institutional asset, consumed by many and used by the institution for the strategic purposes of student success, scholarship, and more.

The first step in addressing your “big” data problem? Data governance.

What is data governance?

There are various definitions, but the one we use with our clients is “the ongoing and evolutionary process driven by leaders to establish principles, policies, business rules, and metrics for data sharing.”

Please note that the phrase “IT” does not appear anywhere in this definition.

Why is data governance necessary? For many reasons, including:

1. Data governance enables analytics. Without data governance, it’s difficult to gain value from analytics initiatives which will produce inconsistent results. A critical first step in any data analytics initiative is to make sure that definitions are widely accepted and standards have been established. This step allows decision makers to have confidence in the data being analyzed to describe, predict, and improve operations.
    
2. Data governance strengthens privacy, security, and compliance. Compliance requirements for both public and private institutions constantly evolve. The more data-reliant your world becomes, the more protected your data needs to be. If an organization does not implement security practices as part of its data governance framework, it becomes easier to fall out of compliance. 
    
3. Data governance supports agility. How many times have reports for basic information (part-time faculty or student FTEs per semester, for example) been requested, reviewed, and returned for further clarification or correction? And that’s just within your department! Now add multiple requests from the perspective of different departments, and you’re surely going through multiple iterations to create that report. That takes time and effort. By strengthening your data governance framework, you can streamline reporting processes by increasing the level of trust you have in the information you are seeking. Understanding the value of data governance is the easy part/ The real trick is implementing a sustainable data governance framework that recognizes that data is an institutional asset and not just a four-letter word.

Stay tuned for part two of this blog series: The how of data governance in higher education. In the meantime, reach out to me if you would like to discuss additional data governance benefits for your institution.

As a new year is upon us, many people think about “out with the old and in with the new”. For those of us who think about technology, and in particular, blockchain technology, the new year brings with it the realization that blockchain is here to stay (at least in some form). Therefore, higher education leaders need to familiarize themselves with some of the technology’s possible uses, even if they don’t need to grasp the day-to-day operational requirements. Here’s a high-level perspective of blockchain to help you answer some basic questions.

Are blockchain and bitcoin interchangeable terms?

No they aren’t. Bitcoin is an electronic currency that uses blockchain technology, (first developed circa 2008 to record bitcoin transactions). Since 2008, many companies and organizations utilize blockchain technology for a multitude of purposes.

What is a blockchain?

In its simplest terms, a blockchain is a decentralized, digital list (“chain”) of timestamped records (“blocks”) that are connected, secured by cryptography, and updated by participant consensus.

What is cryptography?

Cryptography refers to converting unencrypted information into encrypted information—and vice versa—to both protect data and authenticate users.

What are the pros of using blockchain?

Because blockchain technology is inherently decentralized, you can reduce the need for “middleman” entities (e.g., financial institutions or student clearinghouses). This, in turn, can lower transactional costs and other expenses, and cybersecurity risks—as hackers often like to target large, info-rich, centralized databases.

Decentralization removes central points of failure. In addition, blockchain transactions are generally more secure than other types of transactions, irreversible, and verifiable by the participants. These transaction qualities help prevent fraud, malware attacks, and other risks and issues prevalent today.

What are the cons of using blockchain technology?

Each blockchain transaction requires signature verification and processing, which can be resource-intensive. Furthermore, blockchain technology currently faces strong opposition from certain financial institutions for a variety of reasons. Finally, although blockchains offer a secure platform, they are not impervious to cyberattacks. Blockchain does not guarantee a hacker-proof environment.

How can blockchain benefit higher education institutions?

Blockchain technology can provide higher education institutions with a more secure way of making and recording financial transactions. You can use blockchains to verify and transfer academic credits and certifications, protect student personal identifiable information (PII) while simultaneously allowing students to access and transport their PII, decentralize academic content, and customize learning experiences. At its core, blockchain provides a fresh alternative to traditional methods of identity verification, an ongoing challenge for higher education administration.

As blockchain becomes less of a buzzword and begins to expand beyond the realm of digital currency, colleges and universities need to consider it for common challenges such as identity management, application processing, and student credentialing. If you’d like to discuss the potential benefits blockchain technology provides, please contact me.

Your government agency just signed the contract to purchase and implement a shiny new commercial off-the-shelf (COTS) software to replace your aging legacy software. The project plan and schedule are set; the vendor is ready to begin configuration and customization tasks; and your team is eager to start the implementation process.

You are, in a word, optimistic. But here comes the next phase of the project—the gap analysis, in which your project team and the vendor’s project team test the new software to see how well it fulfills your requirements. Spending sufficient time and energy on the gap analysis increases the likelihood the resulting software is configured to support the desired workflows and processes of the agency, while taking advantage of the software’s features and benefits. Yet this phase can be stressful because it will identify some gaps between what you want and what the software can provide.

While some of the gaps may be resolved by simple adjustments to software configuration, others may not—and can result in major issues impacting project scope, schedule, and/or cost. How do you resolve these major gaps?

Multiple Methods. Don’t let your optimism die on the vine. There are, in fact, multiple ways to address major gaps to keep you on schedule and on budget. They include:

Documenting a change request through a formal change control process. This will likely result in the vendor documenting the results of the new project scope. This, in turn, may impact the project’s schedule and cost. It promotes best practice by formally documenting approved changes to project scope, including any impact on schedule and cost. However, the change request process may take longer than you may originally anticipate, as it includes:

Collaborating with the vendor on a solution that fits within the confines of the selected software. With no actual customization required, this may result in a functionality compromise, and may also involve compromise by the project team and the vendor. However, it does not require a formal process to document and approve a change in scope, schedule or cost, since there are no impacts on these triple constraints.

Collaborating with the vendor and internal project stakeholders to redefine business processes. This may or may not result in a change request. It also promotes best practice, as the business processes become more efficient, and are supported by the selected software product without customization. This will require a focus on organizational change management, since the resulting processes are not reflective of the “way things are done today.”

Accepting the gap—and doing nothing. If the gap has little or no impact on business process efficiency or effectiveness, this method is likely the least impactful on the project, as there are no changes to scope, schedule, or cost. However, the concept of “doing nothing” to address the gap may have the same organizational change ramifications as the previous point.

Of course, there are other methods for addressing major software gaps. The BerryDunn team brings experience in facilitating discussions with agencies and their vendors to discuss gaps, their root causes, and possible solutions. We leverage a combination of project management discipline, organizational change management qualifications, and deep expertise to help clients increase the success likelihood for COTS software implementations—while maintaining their vital relationships with vendors.

Cloud services are becoming more and more omnipresent, and rapidly changing how companies and organizations conduct their day-to-day business.

Many higher education institutions currently utilize cloud services for learning management systems (LMS) and student email systems. Yet there are some common misunderstandings and assumptions about cloud services, especially among higher education administrative leaders who may lack IT knowledge. The following information will provide these leaders with a better understanding of cloud services and how to develop a cloud services strategy.

What are cloud services?

Cloud services are internet-based technology services provided and/or hosted by offsite vendors. Cloud services can include a variety of applications, resources, and services, and are designed to be easily scalable, cost effective, and fully managed by the cloud services vendor.

What are the different types?

Cloud services are generally categorized by what they provide. Today, there are four primary types of cloud services:

Cloud services can be further categorized by how they are provided:

1. Private cloud services are dedicated to only one client. Security and control is the biggest value for using a private cloud service.
2. Public cloud services are shared across multiple clients. Cost effectiveness is the best value of public cloud services because resources are shared among a large number of clients.
3. Hybrid cloud services are combinations of on-premise software and cloud services. The value of hybrid cloud services is the ability to adopt new cloud services (private or public) slowly while maintaining on-premise services that continue to provide value.

How do cloud services benefit higher education institutions?

Higher education administrative leaders should understand that cloud services provide multiple benefits.
Some examples:

What possible problems do cloud services present to higher education institutions?

At the dawn of the cloud era, many of the problems were technical or operational in nature. As cloud services have become more sophisticated, the problems have become more security and business related. Today, higher education institutions have to tackle challenges such as cybersecurity/disaster recovery, data ownership, data governance, data compliance, and integration complexities.

While these problems and questions may be daunting, they can be overcome with strong leadership and best-practice policies, processes, and controls.

How can higher education administrative leaders develop a cloud services strategy?

You should work closely with IT leadership to complete this five-step planning checklist to develop a cloud services strategy: 

Need assistance?

BerryDunn’s higher education team focuses on advising colleges and universities in improving services, reducing costs, and adding value. Our team is well qualified to assist in understanding the cloud “skyscape.” If your institution seeks to maximize the value of cloud services or develop a cloud services strategy, please contact me.

The late science fiction writer (and college professor) Isaac Asimov once said: “I do not fear computers. I fear the lack of them.” Had Asimov worked in higher ed IT management, he might have added: “but above all else, I fear the lack of computer staff.”

Indeed, it can be a challenge for higher education institutions to recruit and retain IT professionals. Private companies often pay more in a good economy, and in certain areas of the nation, open IT positions at colleges and universities outnumber available, qualified IT workers. According to one study from 2016, almost half of higher education IT workers are at risk of leaving the institutions they serve, largely for better opportunities and more supportive workplaces. Understandably, IT leadership fears an uncertain future of vacant roles—yet there are simple tactics that can help you improve the chances of filling open positions.

Emphasize the whole package

You need to leverage your institution’s strengths when recruiting IT talent. A focus on innovation, project leadership, and responsibility for supporting the mission of the institution are important attributes to promote when recruiting. Your institution should sell quality of life, which can be much more attractive than corporate culture. Many candidates are attracted to the energy and activity of college campuses, in addition to the numerous social and recreational outlets colleges provide.

Benefit packages are another strong asset for recruiting top talent. Schools need to ensure potential candidates know the amount of paid leave, retirement, and educational assistance for employees and employee family members. These added perks will pique the interest of many candidates who might otherwise have only looked at salary during the process.

Use the right job title

Some current school vacancies have very specific job titles, such as “Portal Administrator” or “Learning Multimedia Developer.” However, this specificity can limit visibility on popular job posting sites, reducing the number of qualified applicants. Job titles, such as “Web Developer” and “Java Developer,” can yield better search results. Furthermore, some current vacancies include a number or level after the job title (e.g., “System Administrator 2”), which also limits visibility on these sites. By removing these indicators, you can significantly increase the applicant pool.

Focus on service, not just technology

Each year, institutions deploy an increasing number of Software as a Service (SaaS) and hosted applications. As higher education institutions invest more in these applications, they need fewer personnel for day-to-day technology maintenance support. In turn, this allows IT organizations to focus limited resources on services that identify and analyze technology solutions, provide guidance to optimize technology investments, and manage vendor relationships. IT staff with soft skills will become even more valuable to your institution as they engage in more people- and process-centric efforts.

Fill in the future

It may seem like science fiction, but by revising your recruiting and retention tactics, your higher education institution can improve its chances of filling IT positions in a competitive job market. In a future blog, I’ll provide ideas for cultivating staff from your institution via student workers and upcoming graduates. If you’d like to discuss additional staffing tactics, send me an email.