In response to the continued increase in cyberattacks, ransomware, and data breaches, the Federal Trade Commission (FTC) recently announced new information security requirements for institutions subject to the Gramm-Leach-Bliley Act (GLBA). These new requirements are being incorporated into the GLBA Safeguards Rule, and the majority of the changes will go into effect one year after their publication in the Federal Register (which has not yet occurred).
Organizations are being encouraged to assess their current information security programs now and structure the necessary plans to achieve compliance with the amended requirements.
As we shared before, the Safeguards Rule applies to any entity that engages in an activity that is financial in nature, which includes colleges and universities that are issuing and administering FSA funds, student loans, etc. Previous guidance from the U.S. Department of Education Federal Student Financial Aid Office (FSA) had outlined the standards colleges and universities were required to follow in a 2016 “Dear Colleague Letter” and had encouraged the use of the NIST Special Publication 800-171 as a reference. In December 2020, the Department also announced the Campus Cybersecurity Program (CCP), but no further details have been shared regarding the CCP assessment process or any additional requirements beyond the NIST SP 800-171. At this point, it is still unclear if and how the FSA will address the recent changes to the Safeguards Rule.
We’ve defined which organizations must comply with the Safeguards Rule. Keep in mind that within the updates to the new Rule, there is now also a built-in Small Business Exception for those institutions with fewer than 5,000 customers that allows them to forgo adherence to some of the compliance requirements.
The updated Rule is more prescriptive, providing more guidance on how to develop and implement an information security program, whereas the previous Safeguards Rule allowed institutions to exercise discretion by referring to data protection in higher-level generalities. Although organizations still have flexibility to design their programs as appropriate to the size and complexity of their institutions and the sensitivity of the customer information, it is these more prescriptive requirements that may have an impact on information security programs that had been previously considered compliant.
Updates to the Safeguards Rule include:
- Written Information Security Program
Organizations must implement a comprehensive, written program that includes administrative, technical, and physical safeguards as appropriate to the institution’s size and complexity, and the sensitivity of the customer information being handled. This was part of the previous rule, but the amendment includes more detailed requirements and safeguards that must be addressed by the program (more details in the bullets following).
- Designation of a Qualified Individual
An individual appointed to oversee, implement, and enforce the information security program. Previous requirements were for one or more individuals to oversee the program, not a single person. While this is typically the Chief Information Security Officer if an institution has such a position, the Rule does not dictate that the Qualified Individual reside in that role.
- Written Reports to the Board of Directors
In an effort to improve the overall accountability of the program, the Qualified Individual must create a written report, at least annually, outlining the overall status of the information security program, compliance status with the Safeguards Rule, and submit it to the board of directors or other governing body so that senior management is aware of the program status and any accepted risks.
- Periodic Risk Assessments
More defined requirements for performing documented (written) risk assessments, evaluating and categorizing security risks and threats, assessing the confidentiality, integrity, and availability of the institution’s information systems and customer information, and requirements for mitigating or accepting identified risks. The Rule does not require an institution to mitigate every risk identified, but instead allows organizations to accept a risk if the assessment reveals that the chance the risk will produce a security event is low, the consequences are minimal, or the cost of mitigating the risk far outweighs the benefits. There is no set schedule for the risk assessments, so there is still some leeway in what is termed “periodic”.
- Data Inventorying and Classification
Identify and manage customer data and identify all systems on which that data is collected, stored, or transmitted. Organizations must look at all systems in order to accurately identify the systems that do contain customer information or that are connected to systems that do. It is also impossible to perform the above required risk assessments if you don’t know where the sensitive information is located.
- Access/Authentication Controls
Implement, and periodically review, access and authentication controls to limit access by authorized individuals and prevent unauthorized access, using the principle of least privilege for all customer information, in both electronic and physical locations.
- System Monitoring
Procedures to monitor and log the activity of authorized users and detect unauthorized access or use of customer information. The Commission did note that user monitoring can be automated.
- Data Retention and Disposal
Secure disposal of customer information no later than 2 years after the last date of use unless retention is necessary for a legitimate business purpose.
- Encryption of Customer Information at Rest and in Transit
The requirement for encryption is new, although organizations can still adopt effective compensating controls if they are unable to implement encryption that can sufficiently prevent the deciphering of information in most circumstances. This requirement does not include data in use or data transmitted over internal networks at this time.
- Multifactor Authentication
MFA must be implemented for any individual accessing systems that contain customer information, for both internal and external users accessing the system. MFA has always been strongly recommended by infosec professionals as this authentication method helps to prevent widespread attacks like those focused on using stolen passwords obtained from phishing, social engineering, etc.
- Penetration Testing and Vulnerability Scanning
Requirements to perform annual penetration testing and bi-annual vulnerability scanning for those systems that contain customer information or are connected to systems that contain customer information. Scanning should also be performed when there is an elevated risk for new vulnerabilities. If possible, vulnerability scans should be performed on a more regular basis (e.g. monthly). This updated requirement is one that received pushback during the initial Request for Comments period due to the expected cost of annual penetration testing, but the FTC did note that, similar to a segmented payment card environment, institutions can help mitigate costs by segmenting networks that house impacted information systems.
- Secure Development Practices
Adopt secure development practices for in-house developed applications used for transmitting, accessing, or storing customer information, and implement requirements for evaluating and testing the security of externally developed applications when third-party applications are used to handle customer information. Defining how these third-party assessments will be performed is important for institutions that have outsourced systems.
- Change Management Procedures
Requirement to develop procedures to assess the security of devices, networks or other systems added to the environment, or the effect of removing such items or otherwise modifying the information systems.
- Incident Response Plan (IRP)
Development of a written IRP that addresses internal response processes, clearly defined roles and responsibilities, decision-making authority, external and internal communications, and the evaluation and revision of the IRP following a security event. Ransomware attacks were specifically called out. The FTC is also issuing a Notice of Supplemental Rulemaking that proposes adding a requirement for institutions to notify the Commission of detected security events.
- Employee Training
Provide personnel with security awareness training that has been updated to reflect the evolving risks identified by the risk assessment. Training is only required to be updated as necessary, and third-party training programs may be used. The updates to the Rule also require organizations to provide information security personnel with security updates and training sufficient to address relevant security risks, and to document that training requirements have been met.
- Vendor Management
The amended Rule requires institutions to take “reasonable” steps to ensure vendors maintain proper safeguards, have appropriate contract language in place to ensure all third-party service providers have instituted such safeguards, and periodically evaluate selected providers on the adequacy of their safeguards based on perceived risk. The Ponemon Institute has found that more than 50 percent of organizations have experienced a third-party vendor breach, and 2021 has seen some of the largest third-party breaches to date (e.g. SolarWinds, Kaseya, Accellion, etc.). One of the most important steps organizations can take to protect their data is to thoroughly vet third parties before signing on the dotted line.
While GLBA compliance has been largely self-regulated in the past, the shift from the Department of Education in recent years, as well as continued enhancements to requirements like these updates to the Safeguards Rule, continue to make it apparent that ensuring your information security program can meet the requirements from a baseline compliance standard (like the NIST SP 800-171) should be a priority for your senior leaders.
If your institution has questions regarding how the updates to the Safeguards Rule may impact your current information security program or would like to discuss how to begin assessing your environment against the NIST SP 800-171, your dedicated CampusGuard Team can schedule time with your team to review.
For a more in-depth analysis as to how the revised Rule impacts higher education, refer to the recent EDUCAUSE blog: Policy Analysis: Revised, Highly Prescriptive Safeguards Rule.
Additional Guidance from our Security Advisor team:
[Ko]: While the list of updates is large, the application of these changes to your environment should be relatively small. The concepts spelled out within the rule changes should be viewed as clarifications of the tenets of all great information security programs.
As stated in the beginning of this article, institutions will have some grace period to implement these changes; again, the majority of them become effective one year after publication in the Federal Register, with the others having only 30 days after publication.
With that in mind, now is not the time to sit back and wait for the updates to be published to the Federal Register so the clock can start. Now is the time to evaluate your current programs and make sure you have a plan to be compliant with the changes ahead of the effective date.