I find it interesting that we have recently seen a notable uptick in visitors/leads from major universities relating to ISO 27001 content on our website. During a weekly audit team call, I made note of this.
One of our auditors, who has done a fair amount of work in the higher education vertical, responded that he was not surprised based on the challenges universities face in dealing with the Family Educational Rights and Privacy Act (FERPA), as well as HIPAA and PII in general. He also noted that several recent, high-profile data breaches at universities were likely driving their Boards to push for “demonstrable” security.
Another one of our auditors, who has done a lot of work in the clinical research/pharmaceutical, vertical noted that universities conducting joint research with big pharma companies and/or receiving government grants are increasingly being asked for stronger attestation that this “sensitive” research data is being appropriately secured.
The challenges of securing and providing compliance validation for student, medical, and credit card data that traverse a typical university environment; especially those that include a “university hospital,” are a compelling argument for considering ISO 27001 certification. Its “fundamental” Information Security Risk Management centric approach is ideal for understanding the risks associated with different classes of data/data flows and ensuring that the risk treatments applied to each are differentiated in a manner consistent with managing the risk and addressing a university’s unique compliance requirements.
The well-vetted “recipe” that ISO 27001 embodies—which distills the requirements of diverse regulatory requirements (e.g., FERPA, HIPAA, state-level PII laws, PCI) into a single, repeatable Information Security Management System—simplifies much of the inherent complexity of overlapping and ambiguous regulations.
I was intrigued and wondered if the “magnitude” and importance of research funding issue was enough to drive ISO 27001 into universities. So I grabbed a copy of Princeton University’s annual report. In 2012, they received almost $276 million for “sponsored research” from a diverse group of public/private sources, including the Department of Energy, National Institutes of Health, NASA, Office of Naval Research, Glaxo, Novartis, Unilever, BASF, and Haliburton. Having reviewed recent RFPs and contracts from these entities for other clients, I know that many of them are pushing for ISO 27001 or an equivalent security attestation if sensitive information is going to be shared. Needless to say, most research (especially $266 million worth!) is going to be considered “sensitive.”
Is ISO 27001 certification “right” for a university? In short, yes.
I think that universities conducting joint research are going to be driven to ISO 27001 by the organizations providing the funding. Clever universities may recognize that they can use ISO 27001 as a competitive differentiator to increase their share of research funding. Over the longer haul, they will also recognize its value as a mechanism to address the pain of dealing with a myriad of regulatory compliance standards and the unique challenges of securing information assets while maintaining the “openness” that higher education demands.