To protect student information, colleges and universities are required to comply with the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA). While the GLBA primarily regulates financial institutions, higher education institutions also are required to adhere to certain components of the GLBA due to the large volumes of lending activity that flow through the institutions.
In recent years, the U.S. Department of Education (ED) has proposed adding a GLBA compliance check to the audit requirements for the student financial assistance cluster in the Office of Management and Budget Compliance Supplement. In response to this, the National Association of College and University Business Officers (NACUBO) reached out to the ED regarding the proposed requirement. Based on those discussions, NACUBO is recommending institutions evaluate their current compliance with the Safeguards Rule, and offers these suggestions:
- Designate an employee or employees to coordinate the information security program
- Identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information that could result in the unauthorized disclosure, misuse, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks
  - At a minimum, such a risk assessment should include consideration of risks in each of the following operational areas:
    - Employee training and management
    - Information systems, including network and software design as well as information processing, storage, transmission and disposal
    - Detection and prevention of, and response to, attacks, intrusions or other system failures
- Design and implement information safeguards to control the risks identified through risk assessment and regularly test or monitor the effectiveness of the safeguards’ key controls, systems and procedures
- Oversee service providers by taking steps to select and retain providers capable of maintaining appropriate safeguards for customer information
  - Contractually require service providers to implement and maintain such safeguards
- Periodically evaluate and adjust the information security program, based on the results of the testing and monitoring mentioned above, any material changes to operations or any other circumstances known to have or that may have a material effect on the information security program
While the final 2019 Compliance Supplement has not yet been made publicly available, it’s expected that this version will include testing requirements for auditors to consider related to GLBA compliance. We encourage institutions to begin evaluating their compliance and take necessary steps to comply with GLBA.
BKD IT Risk Services division is dedicated to helping higher education institutions assess their cybersecurity risks, improve protections and respond to breaches. Learn more about how BKD can help or contact your trusted BKD advisor today.