To protect student information, colleges and universities are required to comply with the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA). While the GLBA primarily regulates financial institutions, higher education institutions also are required to adhere to certain components of the GLBA due to the large volumes of lending activity that flow through the institutions.
The U.S. Department of Education (ED) recently proposed adding a GLBA compliance check to the audit requirements for the student financial assistance cluster in the 2018 Office of Management and Budget Compliance Supplement. Subsequently, the National Association of College and University Business Officers (NACUBO) reached out to the ED regarding the proposed requirement. Based on those discussions, NACUBO is recommending institutions evaluate their current compliance with the Safeguards Rule, and offers these suggestions:
- Designate an employee or employees to coordinate the information security program
- Identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information that could result in the unauthorized disclosure, misuse, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks
- At a minimum, such a risk assessment should include consideration of risks in each of the following operational areas:
  - Employee training and management
  - Information systems, including network and software design as well as information processing
  - Storage, transmission and disposal
  - Detection and prevention of and response to attacks, intrusions or other system failures
- Design and implement information safeguards to control the risks identified through risk assessment and regularly test or monitor the effectiveness of the safeguards’ key controls, systems and procedures
- Oversee service providers by taking steps to select and retain providers capable of maintaining appropriate safeguards for customer information
- Contractually require service providers to implement and maintain such safeguards
- Periodically evaluate and adjust the information security program, based on the results of the testing and monitoring mentioned above, any material changes to operations or any other circumstances known to have or that may have a material effect on the information security program
At this time, we’re not yet certain of the extent to which auditors will be required to test institutions’ GLBA compliance. However, we encourage institutions to begin evaluating their compliance and take necessary steps to comply with GLBA. We’ll continue monitoring the situation and pass on updates to the proposed requirement as more information becomes available.
BKD IT Risk Services division is dedicated to helping higher education institutions assess their cybersecurity risks, improve protections and respond to breaches. Learn more about how BKD can help or contact your trusted BKD advisor today.