The Office of the Inspector General (OIG) released its 2023 Title IV Audit Guide for proprietary schools and third-party services in early March. The 2023 Office of Management and Budget (OMB) Compliance Supplement for Single Audits has not yet been released but, based on previous years, this should be made available over the next several weeks. CampusGuard has completed an initial review of the 2023 Audit Guide and implications related to the Gramm-Leach Bliley Act (GLBA) Safeguards Rule.
The Audit Objective: Determine whether the school designated an individual to oversee, implement, and enforce the school’s information security program, and whether the school’s written information security program addresses six additional required elements.
The Audit Guide does specifically mention the amendment to the Safeguards Rule and the electronic announcement from February 9, 2023, establishing the effective date of June 9, 2023. The seven elements outlined in the Guide are:
Element 1: Designates a qualified individual responsible for overseeing and implementing the school’s or servicer’s information security program and enforcing the information security program.
If your organization has not already formally designated someone as the qualified individual, this is a critical step prior to your FY audit. This is often the Chief Information Security Officer within the institution, but the Rule does not specify a role/qualifications. The FTC states that it can be an employee of the organization or work for an affiliate or service provider and needs the real-world know-how suited to the organization’s environment. Once the individual is confirmed, be sure to document the decision so you can check this requirement as done.
Element 2: Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.
Your organization should perform (and document) your risk assessment process. Inventory all systems and data so you know where in-scope information is located. From there, determine and document all internal and external risks/threats in a Risk Register, prioritize those risks, and document the mitigation strategy.
Element 3: Provides for the design and implementation of safeguards to control the risks the school or servicer identifies through its risk assessment. At a minimum, the written information security program must address the implementation of the minimum safeguards identified in 16 C.F.R. 314.4(c)(1) through (8).
Previous communications from the Department of Ed referenced the use of the NIST SP 800-171 for outlined safeguards and security controls. Element 3 now explicitly includes:
- Access control, and limiting access only to authorized users and the information they need to perform their duties and functions. Review access on a regular basis.
- Identifying and managing the data, personnel, devices, systems, and facilities involved. Keep an up-to-date inventory.
- Encrypting all customer information in transit over external networks and at rest.
- Adopting secure development practices for any applications in use.
- Implementing Multi-factor Authentication for any individual accessing any information system.
- Implementing procedures for secure disposal no later than two years after the last date the information is used. Reviewing data retention policies.
- Adopting procedures for change management.
- Implementing procedures and controls to monitor and log the activity of authorized users and detect unauthorized access.
Element 4: Provides for the school or servicer to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented.
This testing should include either continuous monitoring or periodic penetration testing and vulnerability assessments. Annual penetration testing will be based on the risks identified in accordance with the risk assessment and vulnerability assessments should be done at least every six months. For more details, review our previous article regarding GLBA pen testing.
Element 5: Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program.
This element includes providing personnel with security awareness training that is updated to reflect identified risks, providing information security personnel with updates and training to address relevant security risks, and verifying that key information security personnel maintain knowledge of current and changing threats and countermeasures. Documentation is critical for GLBA compliance so ensuring your information security program consists of clearly defined policies and procedures will be necessary.
Element 6: Addresses how the school or servicer will oversee its information system service providers.
This element requires organizations to ensure selected third parties are capable of implementing appropriate safeguards to protect customer information, requiring service providers to maintain those safeguards, and periodically assessing third parties to ensure they remain in compliance. It is important that during these reviews, your team understands and documents how customer data is flowing to and from your systems and any identified third-party applications. For more information, visit our more detailed guidance for GLBA requirements and third parties.
Element 7: Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the information security program.
This ensures organizations continue to adjust their program based on the required vulnerability assessments and penetration testing, and any new or evolving risks/threats to customer data.
It is interesting that the Audit Guidance did not specifically address the final two elements of Part 314.4, establishing a written incident response plan (and the specific items that must be covered in your plan, as well as regularly testing the IRP) and requiring the qualified individual to provide an annual written report to the board of directors regarding the overall status of the organization’s information security program.
However, the Single Audit Compliance Supplement in 2022 only addressed three elements, so the current thought is that this year’s Single Audit Compliance Supplement for 2023 will expand to the seven elements listed above (if not all nine) and better define what auditors will be reviewing as they assess college and university information security programs.
Under an institution’s Program Participation Agreement and the GLBA, institutions must protect student financial aid information, and the consequences for failing to do so are growing. Most organizations have taken steps to address the new requirements from the updated Safeguards Rule, but if your organization is struggling with how and where to start with any of the above-required elements, please don’t hesitate to reach out to us.
Additional feedback from our Security Advisor Services Manager:
[Hobby]: For several years the Department of Education has been reminding Title IV institutions of their responsibility to comply with the GLBA, but the practical implications of GLBA compliance remain challenging. As discussed in the article above, colleges and universities must implement and maintain a written information security program addressing the nine elements.
In their recent electronic announcement, the Department clarified that for purposes of GLBA compliance “customer” and “customer information” mean “information obtained as a result of providing financial services to a student (past or present).” For colleges and universities, this means that the Department views the scope of GLBA compliance to be primarily limited to student financial aid information.
Additionally, the Department confirmed that any findings of noncompliance will be addressed through normal administrative processes, and “GLBA-related findings will have the same effect on an institution’s participation in the Title IV programs as any other determination of non-compliance.”
CampusGuard recommends institutions heed the Department’s guidance and review their information security program and practices to ensure the elements are addressed, paying particular attention to the guidance regarding the oversight of their service providers.
