Challenge
Ohio University’s (OU’s) Information Security Office (ISO) engaged BerryDunn’s higher education consulting team to conduct security risk assessments for three departments within the University. These departments are required to be in compliance with the Gramm-Leach-Bliley Act (GLBA) per the US Department of Education’s (ED’s) requirements. The assessments used the NIST 800-171 Rev. 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST 800-171) framework and included consideration of relevant GLBA controls.
Approach
BerryDunn completed the first assessment for the Office of Student Financial Aid and Scholarships (OSFAS) in 2018 and additional assessments for the Bursar’s Office and Heritage College of Osteopathic Medicine (HCOM) in May 2020.
Over the course of these security risk assessments, the BerryDunn higher education consulting team reviewed the university’s information security policies, procedures, and standards, and engaged members of the respective departments ahead of the planned on-site meetings to prepare for the engagement and obtain an initial understanding of the systems and controls in scope. The assessments were completed on-site, where team members met with the OU ISO, the Office of Information Technology (OIT), department leadership, and staff teams.
Outcomes
The scope of these security risk assessments involved evaluating the systems, processes, and practices for adherence to the requirements of the NIST 800-171 framework. BerryDunn’s deliverables for each assessment included:
- A completed NIST risk assessment workbook documenting BerryDunn’s procedures and the assessed unit’s adherence status for each NIST requirement.
- A report providing an overview of the scope of the assessment, the processes followed, the risk assessment outcomes, risk mitigation plans, and recommendations for next steps.
BerryDunn’s higher education consultants developed prioritized remediation plans that addressed the gaps identified and, where needed, recommended the implementation of new controls, policies, procedures, and practices. BerryDunn included important considerations to help leadership understand the implementation of the remediation activities.