With new Gramm-Leach-Bliley Act (GLBA) requirements in effect for just over five months now, how well has your school conformed to the changes?
On June 9, updates to the Standards for Safeguarding Customer Information (the Safeguards Rule) took effect. The Safeguards Rule includes seven elements that schools must address when they maintain information on 5,000 or fewer students, and nine elements for schools that maintain information on 5,000 or more students. (The specific breakdown of these elements can be found here.)
For those schools not yet in compliance with the new requirements, this article is intended to help get you up to speed. Some common issues we’ve seen involve the following:
- Not making major updates to bring the plan up to a satisfactory level
- Not using proper risk assessments as the basis of the policy
- Not designating a qualified individual to oversee the plan
Let’s dig into those specifically:
Element 1 Requirements: Designating a Qualified Individual
Element 1 requires institutions to designate a qualified individual responsible for overseeing, implementing and enforcing the information security program. You may use an outside provider to fulfill this obligation; however, the institution still retains responsibility for compliance. Since many school staff have little experience in IT or cybersecurity, this means either providing additional training to current staff or engaging an outside servicer with the proper qualifications to develop and implement the required plan.
Element 2 Requirements: Standards for Information Security Programs
Element 2 is the crux of these requirements for many schools. It requires that a school’s information security program be based on a “risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks,” according to the rule. Many of the elements that follow rely on this risk assessment to properly identify and test the safeguards that control the risks identified under Element 2.
A proper risk assessment is going to include, but is not limited to, the following:
- Risk Identification, which can be further broken down into:
  - Control Evaluation – An evaluation of your controls against a subset of the security requirements specified in GLBA. This involves interviewing key personnel, reviewing policies, processes and procedures, examining evidence of the security controls actually implemented, and documenting the gaps (control vulnerabilities) found.
  - Control Validation – Validation testing of the controls the school has implemented, and auditing of those controls to ensure they match the organization’s own standards and industry best practices.
- Risk Analysis, which documents the likelihood and impact of threats (taking into account any vulnerabilities identified above), establishes criteria for acceptable risk and for risk acceptance, and formalizes the identified risks in a risk register.
Security Breach Reporting
Additionally, non-bank financial institutions are required to report security breaches involving the information of at least 500 people. If this applies to you and your GLBA policy does not yet address it, be sure to review and update your plan. The Federal Trade Commission (FTC) has published guidance on reporting data security breaches to support this requirement.
If your institution does not have personnel with the know-how to perform a risk assessment, be sure you engage an IT or cybersecurity firm that understands the entire process and can provide an in-depth risk assessment based on NIST 800-171 or a similarly rigorous framework. The Department of Education fully expects to identify findings regarding GLBA implementation this year, so the best step you can take is to start planning now and bring your policies up to date before the next audit cycle.
As auditors, we are tasked with making sure your plan contains all the required elements. You will need to make sure your plan covers each of them, while also ensuring it has the substance to hold up when its operation is actually tested.
For More Information
Making no attempt to update an outdated policy is a much more severe finding than a school updating its policies but not implementing them in a timely manner. If you know your policy is deficient, please reach out to your Title IV auditor to discuss expectations. You can also contact Sikich’s cybersecurity team to assess whether your plan currently meets the requirements.