How about the changes to the GLBA Safeguard Rule that just went into effect? Have you heard? The changes were published in December of 2021 with an effective date of January 10th, 2022… Did you miss it?
Institutions that did catch the update may be asking, “How will these changes affect our compliance and security programs?” There are some significant changes and most institutions will need to make updates to their information security program to comply.
Let’s start by noting that many controls remain much the same as those in place under the previous Safeguard Rule. Those institutions with a strong GLBA program in place will need to prepare for some new requirements while others may find themselves playing catch up this year. Some requirements take affect one year after publish date allowing institutions until December of this year to implement necessary controls.
There are four major changes to the rule included in the update.
- Exemptions are provided for smaller institutions with less than 5k records to remove some requirements but these exemptions will impact few educational institutions that receive federal financial aid. Changes that expand the types of financial activities covered under the Act are not likely to impact colleges and universities which are already required to comply. The most important changes for educational institutions fall under the new accountability requirements and additional guidance provided on how to implement an information security program.
- Accountability for GLBA compliance is bolstered with a requirement to appoint a Qualified Individual to coordinate the compliance efforts and to provide reports to the institution’s governing body. While compliance may be governed by a committee, a single individual with the appropriate qualifications must lead efforts. This individual will be responsible for reporting the state of the information security program to the board of directors or governing body periodically and at least annually. Minimum requirements for information to be included in reports are outlined in the Rule.
- Development of an information security program appropriate for the institution relies heavily on an institution’s risk assessment. All institutions are required to perform a risk assessment periodically and most are now required to perform a written risk assessment. Institutions should use the risk assessment to develop appropriate administrative, technical, and physical controls for their environment. When developing an information security program institutions should address access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response.
- Finally, institutions will need to implement elements of the information security program according to their risk assessment. This means performing a risk assessment early in the process to identify and implement controls to address each risk appropriately prior to the deadline. Additional controls on the horizon that institutions will want to focus on prior to the December deadline include monitoring and testing requirements, training, assessment of service providers, and a written Incident Response Plan.
Whether your institution is in the position of playing catch up this year or simply fine tuning your GLBA program to comply with the updated rule, CampusGuard is glad to be your partner in achieving your institution’s cybersecurity and compliance initiatives.