How This Community College Successfully Achieved Safeguards Rule Compliance and Cybersecurity Automation

Challenge

The College of the Canyons recognized the growing need for an effective cyber risk management program to safeguard its digital environment against the backdrop of an increasingly perilous cyber landscape and make progress towards meeting various regulatory compliance requirements, like the Safeguards Rule.

Key Results

With FortifyData, College of the Canyons saw a radical transformation in its cybersecurity operations. The automated weekly scanning and asset identification facilitated a proactive stance on security threats. Additionally, they have been able to meet stringent regulatory requirements, including the GLBA Safeguards Rule and NIST SP 800-171. Independent audits found the College of the Canyons to be in compliance with all 9 of the GLBA Safeguards Rule requirements.

Background

College of the Canyons, part of the California Community College System, has been providing higher education options on the outskirts of Los Angeles, California for over half a century and has grown to an average enrollment of 15,000 students per semester.

Hsiawen Hull, Executive Director of Infrastructure and Information Security, has participated first-hand in the College’s technological evolution for 26 years. The college recognized the growing need for an effective cyber risk management program to safeguard its digital environment against the backdrop of an increasingly perilous cyber landscape and to make progress towards meeting various regulatory compliance requirements (e.g., GLBA, NIST SP 800-171).

The Challenge

Initially, the college’s cybersecurity efforts were sporadic, with a single sys admin, limited resources and a mix of DIY security tools. “We kind of had a very ad hoc security process,” Hull admitted. “We did an annual vulnerability assessment and that was pretty much it. And that included internal and external scans and a list of things that you should fix.”

The college accepted the challenge of elevating its cybersecurity from a once-a-year vulnerability assessment to a continuous, dynamic defense mechanism.

“FortifyData has been instrumental in transforming our security from reactive to proactive. The ability to move the needle and watch the needle actually move is really huge.”
Hsiawen Hull
Executive Director of Infrastructure and Information Security, College of the Canyons

Solution Evaluation

In their search for a more comprehensive and automated way to identify and manage cybersecurity risk, College of the Canyons considered various first-generation security ratings providers. However, these providers fell short: they added neither context nor vulnerability prioritization to the findings coming from the college’s disparate tools, so managing those findings became no more efficient.

One security rating provider produced “really overly complicated reports” that were hard for non-technical stakeholders to understand. Another flagged outdated assets and vulnerabilities that no longer reflected the college’s current security posture, and it gave no indication of whether the college was making any headway. Hull wanted a solution that offered an easy way to communicate cybersecurity risk while tracking whether remediations had succeeded and whether the college’s security posture was improving over time.

FortifyData’s Solution

FortifyData was introduced to College of the Canyons during their critical evaluation period. The platform was chosen for its ability to automate the translation of cybersecurity risks into a clear numeric scoring system that resonated with the college’s executive team. “It’s zero to 900, like a credit score. Everybody knows that 600 is not good, but it’s better than 300,” Hull elucidated, highlighting the intuitive nature of FortifyData’s risk assessment scale. “And if I show that I moved from a 300 to a 700, they can comprehend the level of effort that it took to get from one to another because we can contextualize it.”

College of the Canyons uses FortifyData’s platform to conduct automated, continuous asset discovery and external vulnerability assessments. The platform lets the College classify the discovered assets by criticality; when the findings on each asset are enriched with cyber threat intelligence, the result is a risk-based prioritization of the most severe risks facing the College. Because the process runs continuously, newly exposed IT assets are found and accounted for in the inventory from a cyber risk perspective.

Implementation and Impact

With the implementation of FortifyData, the College witnessed a radical transformation in its cybersecurity operations. The automated weekly scanning and asset identification facilitated a proactive stance on security threats.

Hull was also pleased with the asset identification. “One of the biggest challenges facing educational institutions is managing our asset inventory,” he commented. “FortifyData will tell you exactly what you have touching the Internet. It will tell you what operating systems they are running, what CVEs are out there, and what you are presenting to the outside world. That’s what we were using FortifyData for in the beginning – the external visibility and understanding.”

The platform was not only a technical success but also supported compliance with stringent regulatory requirements, including the GLBA Safeguards Rule and NIST SP 800-171. Independent GLBA gap-analysis audits of the College found College of the Canyons to be in compliance with all 9 of the GLBA Safeguards Rule requirements.

“Part of our requirements for GLBA and NIST is not just a scanning tool, but a program for risk assessment and vulnerability remediation,” Hull stated. “So, we need to scan, remediate vulnerabilities, and then prove they are remediated. And that’s where FortifyData comes in from an external perspective. We use FortifyData exclusively for our external threat assessments on top of our regular annual scans.”

FortifyData also excelled in customer support, a critical component for the college’s small but dedicated team. “Responses are really, really quick. So that’s been the best part about using the product,” Hull praised.

Looking Ahead

The college plans to delve deeper into additional capabilities within FortifyData’s platform, especially its GRC and third-party risk management capabilities, to further mature its cybersecurity posture. Hull envisions leveraging the full spectrum of the platform’s automated and integrated functionalities to maintain and enhance the college’s cyber risk management program.

Testimonial

Reflecting on the journey, Hull stated, “FortifyData has been instrumental in transforming our security from reactive to proactive. The ability to move the needle and watch the needle actually move is really huge.”

He further emphasized the strategic advantage provided by FortifyData, saying, “I’m paying for these weekly scans to show me where my threats are and if we are addressing those threats and vulnerabilities, that is worth its weight in gold.”