8 Things to Prepare for GLBA Safeguards Rule Audit Objective
Over the last several years, the Department of Education (ED) has clarified that Colleges and Universities (EDUs) are considered Financial Institutions in their capacity to administer Federal Student Aid (FSA). As such, they are required by the Gramm-Leach-Bliley Act (GLBA) to protect customer information as it pertains to FSA administration. More specifically, EDUs must comply with the Federal Trade Commission’s (FTC) GLBA Safeguards Rule. Keep reading for the GLBA Safeguards Rule audit objective checklist.
New to FY19, the ED added a GLBA Safeguards Rule audit objective as part of the yearly federal Single Audit process. This includes the following requirements:
- The institution must designate an individual to coordinate its information security program.
- The institution must perform a risk assessment that addresses the three required areas described in 16 C.F.R. 314.4(b)(2):
  - Employee training and management;
  - Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
  - Detecting, preventing, and responding to attacks, intrusions, or other systems failures.
- The institution must document a safeguard for each risk identified.
GLBA Safeguards Rule Audit Objective Checklist
If you’re in charge of spearheading GLBA Safeguards Rule compliance, here are the eight (8) things to prepare for the ED audit objective.
- Designate an individual to coordinate the campus information security program.
- Identify all campus units that work with “customer” (student or parent) information related to the FSA program administration.
- Have an efficient and effective process for conducting risk assessments.
- Conduct a risk assessment of the identified units that covers the areas outlined in 16 C.F.R. 314.4(b). Many campuses are using the CIS 20 Controls or NIST SP 800-171 as the basis for their risk assessments. Contact us to learn more.
- Document safeguards for each risk that were identified during the risk assessment.
- Prioritize the most critical risks and work with the units to mitigate them.
- Create reports with supporting documentation to demonstrate the identified risks and safeguards to auditors.
- Repeat the process year-over-year and include previous data to demonstrate year-over-year improvements.
The Future of the GLBA
The FTC plans to continue expanding its requirements. Some proposed changes include the designation of a Chief Information Security Officer (CISO), encryption of all customer data, and security testing of all applications handling customer data. However, there was some pushback from the community. Jarret Cummings, EDUCAUSE Senior Advisor for Policy and Government Relations, mentions, “The FTC listened to the initial public comments and agreed to explore in greater detail the financial and operational impacts of its proposals. We look forward to the FTC revisiting some of their proposed requirements.”
One thing is for sure: the GLBA Safeguards Rule audit objective is here to stay. You’ll need to continue demonstrating to ED and the FTC how your institution is actively protecting “customer” (student or parent) data and what it’s doing to mitigate identified risks.
In response to COVID-19, the Office of Management and Budget (OMB) released several memos providing short-term relief. It recently released memo M-20-26, which extends the submission of the Single Audit by up to six (6) months for audits with normal due dates from March 30, 2020 through June 30, 2020, and by up to three (3) months for audits with normal due dates from July 31, 2020 through September 30, 2020.
What’s your plan for demonstrating compliance with the GLBA Safeguards Rule? We wrote the GLBA Mini Handbook for Higher Education. It includes what was covered in this post, a risk assessment sample template, and details how our Governance, Risk, and Compliance (GRC) Surveying Platform, Isora GRC, can help you demonstrate GLBA Safeguards Rule compliance and gain continuous risk insights.