Information security threats to educational institutions and their data assets have worsened significantly over the past few years. The rich data stores of institutional research are especially vulnerable, and threats from security breaches represent no small risk. New genres of threat require new kinds of controls if the institution is to prevent data loss. Nevertheless, risk from traditional threats must not be ignored, and traditional security planning based on risk is still the foundational strategy. Governance of the security function must be clearly established. Under three areas--human factors, software applications, and server infrastructure--this article examines a sampling of basic information security threats new and old to educational data assets, along with corresponding controls that will reduce risk. Finally the basics of a security plan are described. (Contains 4 tables.)