As the expectation is that colleges and universities will continue to be a target of hackers, the U.S. Department of Education has emphasized the importance of taking appropriate measures to protect sensitive data and is now including the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule audit objective in the federal single audit process. Among the many challenges presented in 2020, colleges and universities also saw an increase in the frequency and financial impact of cyber and ransomware attacks targeted at their institutions. Verizon’s 2020 Data Breach Investigations Report (DBIR) revealed that ransomware attacks represented 80% of the 819 incidents logged for the educational services sector.
As the expectation is that colleges and universities will continue to be a target of hackers, the U.S. Department of Education has emphasized the importance of taking appropriate measures to protect sensitive data and is now including the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule audit objective in the federal single audit process. All institutions participating in Federal Student Aid (FSA) programs must be prepared to demonstrate compliance with the Safeguards Rule.
The GLBA Safeguards Rule requirements include:
- Developing a written plan that describes the methodologies used to protect customer information.
- Designating one or more employees responsible for coordinating the information security program.
- Implementing a program to identify and assess current risks to customer information in each relevant area of informational systems, and evaluating the effectiveness of the way these risks are being mitigated and/or controlled.
- Establishing safeguards for potential risks and routinely testing and monitoring.
- Verifying third-party service providers are qualified to maintain appropriate safeguards. Vendor contracts should include requirements to maintain safeguards and oversee the handling of sensitive customer information.
- Evaluating and adjusting the information security plan to ensure constant alignment with business operations or as the result of security testing.
Colleges and universities who fail to meet these requirements may not only be risking the loss of their Title IV funding, but more importantly they are failing to protect the information of their constituents and putting themselves at risk of greater loss in the event of a successful breach.
If your institution has not adopted a formal compliance program for GLBA, one of the first steps in this process will be to form a GLBA Committee. This working group will be responsible for developing compliance goals, identifying relevant departments and processes, and championing GLBA compliance across campus. Organizations that are able to achieve and maintain their compliance program typically have a team with representation from the following areas:
Leadership: You will need buy-in at the executive level in order to receive the support necessary to dedicate time, allocate funding, and implement change across campus. These C-level individuals are not typically involved in weekly or monthly meetings, but rather brought in quarterly for updates so the committee can fill them in on progress, discuss any barriers the team is facing, and prioritize next steps.
Finance and Administration: Finance typically oversees the day-to-day processes within relevant departments, implements financial policies and procedures, provides training, etc. so will bring that knowledge to the team. Possible positions/departments to consider include the VP of Finance, Treasurer, Controller, and representatives from Treasury, Bursar’s Office, Financial Aid, Registrar’s Office, etc.
Information Technology/Security: Many of the requirements from the NIST SP 800-171, which can be used to demonstrate compliance with the Safeguards Rule, are technology-related so the Committee will need IT representation to understand and appropriately implement the necessary security controls.
Internal Audit: Internal Audit should be involved so that any changes to policies and/or procedures are discussed and adjusted to fit the organization. Since Internal Audit typically leads the annual risk assessment effort, they will also help the Committee plan for this effort and discern potential impact(s) of proposed changes.
Procurement/General Counsel: As outlined earlier, ensuring all relevant third-party vendors are maintaining appropriate safeguards is required. General Counsel and/or Procurement staff will provide expertise and guidance when reviewing applicable contract agreements.
Once you have elected your committee members, we recommend scheduling regular meetings in order to make sure you are continually progressing towards compliance. During these meetings you can provide updates on progress, define campus-wide strategies, and track assigned tasks.
Each organization is different and compliance responsibilities may fall to individuals with various job titles and positions. Regardless of who is leading the project, ensuring ongoing collaboration amongst the committee members, as well as having the support at the executive level, will be critical in order to achieve and maintain your program objectives over time. To request CampusGuard’s GLBA Committee Charter template, contact your designated Customer Advocate Team.
Some additional guidance from CampusGuard’s Security Advisor Team:
[King]: Establishing a GLBA Committee that has the ability to effect change and meets regularly is the single most important step an organization can take in managing compliance. The GLBA Committee is responsible for understanding gaps in compliance and security, developing a security plan, and implementing effective controls. While it is important to have some members knowledgeable about the security framework and participants will need an understanding of the GLBA Safeguard Rules, this knowledge will be developed in the process and prior knowledge should not be a driving factor in determining committee involvement. As noted in the article, participation should span across areas of finance, technology, compliance, and legal. Executive support and inclusion of data stewards are imperative to ensure progress and garner adoption across the organization. Organizations will need to consider the ability impact and communicate security initiatives at the organization when selecting members for this essential Committee.