Higher education institutions have been required to comply with the Safeguards Rule of the Gramm-Leach Bliley Act (GLBA) for more than a decade to protect the collection, storage, and use of student financial aid information. Beginning with the 2019 release of the Office of Management and Budget (OMB) Compliance Supplement, external auditors have been required to test certain aspects of compliance when testing the Student Financial Assistance cluster as part of a single audit. Both the compliance requirements for institutions and the testing to be performed by auditors recently changed.
For a refresher on where we stood before the most recent changes, review this article.
Changes to compliance requirements
The previous compliance requirements remain in place; however, the Federal Trade Commission issued final regulations (Final Rule) that either expanded or clarified the previous guidance. Both the Final Rule and the full text of the Safeguards Rule are linked below. The Final Rule was issued Dec. 9, 2021, with most of the changes to the Safeguards Rule becoming effective June 9, 2023.
The changes effective June 9, 2023, applied to the elements required to be developed, implemented, and maintained as part of an information security program developed by the school. There are nine elements, which can be found in their entirety in the Code of Federal Regulations within Section 314.4 as items (a) through (i). For a summary version of the nine elements, Dear Colleague Letter dated Feb. 9, 2023, is a helpful resource.
Changes to auditors’ testing
The 2023 release of the Compliance Supplement requires auditors to:
- Verify that the institution has designated a qualified individual responsible for implementing and monitoring the institution’s information security program.
- Verify that the institution has a written information security program and that the written information security program addresses the remaining six required minimum elements.
While external audit firms will complete this limited testing, institutions will have to demonstrate compliance with the underlying nine requirements. Note that there are only seven elements listed above compared to the Code of Federal Regulations and the Dear Colleague letter, which cites nine elements. The two excluded elements apply to institutions maintaining student information on 5,000 or more consumers. The revised requirements:
- Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing compliance with it (16 CFR 314.4(a)).
- Provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term “customer information” applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
- Provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
  - Implement and periodically review access controls.
  - Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
  - Encrypt customer information on the institution’s system and when it’s in transit.
  - Assess apps developed by the institution.
  - Implement multifactor authentication for anyone accessing customer information on the institution’s system.
  - Dispose of customer information securely.
  - Anticipate and evaluate changes to the information system or network.
  - Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
- Provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
- Provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).
- Address how the institution will oversee its information system service providers (16 CFR 314.4(f)).
- Provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).
Action items
Institutions should first verify they are following the Safeguards Rule and then should determine what documentation is in place to show auditors that the institution is compliant.
Our cybersecurity team has years of experience assisting organizations with GLBA Safeguards Rule concerns and expectations. Please reach out to a cybersecurity team member if you have any questions.