What is required?
One of the new requirements the Federal Trade Commission (“Commission”) has included in its final rule (“Final Rule”) calls for a qualified individual to report to the board of directors (or equivalent governing body) or senior officer on the organization’s information security program and compliance with the Standards for Safeguarding Customer Information (“Rule”). The Final Rule states the report must include the following:
- The overall status of the information security program and your compliance with this part; and
- Material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management’s responses thereto, and recommendations for changes in the information security program.
The introduction of this requirement shouldn’t translate to significant changes for institutions with established information security programs and leadership. Most of the colleges and universities that we work with are already reporting this information to the board in some fashion. However, the updated Rule now underscores the necessity of this activity by stipulating that a written report on the information security program and Safeguards Rule compliance be given at least annually to the board or other governing body.
Who is responsible for reporting to the board?
The Final Rule mandates that a single individual be designated to oversee and implement an organization’s information security program. The Commission states that this single “Qualified Individual” report to the board. Who this person is depends upon the structure and complexity of the institution and its information security program. Again, this designation may not result in a disruption of existing operations or hierarchy. For many colleges and universities, this person will be a CISO who is already in place. The Commission does not offer specifics within the Rule as to what level of training or experience makes an individual qualified to oversee the program and report to the board. This is intended to encourage accountability through a single, authoritative source.
How should the report be structured?
Although, as noted previously in this article, the Final Rule summarizes what must be included in the report and provides examples, it is not overly specific. The Commission writes:
“The Commission does not believe these requirements call for overly detailed reports” while also stating that “the primary purpose of the required report is to encourage communication between information security personnel and senior management, not to show compliance with the Rule.”
This means that the qualified individual and the institution will have the flexibility to customize the report to best support the flow of communication on matters of information security, and to do so at a minimum level of detail appropriate for a board.
That said, many of our customers have asked for specific guidance on how to structure the reports. Based upon examples of material components of an information security program and feedback from our higher education colleagues, we suggest that your reports include the following items (modified as appropriate for your institution):
1. Executive Summary
- Include a high-level overview of what is covered in the report and why the board is receiving it.
2. Significant developments and status updates since the previous report
- Focus on relevant changes/developments that occurred since you last presented to the board.
3. Overall status of the information security program
- Provide a summary of current policies and procedures in place, and any pending changes or exceptions to policy.
- Share statistics on awareness training and/or results from phishing simulations.
- Give an overview of the vulnerability management program.
- Summarize security trends and events, such as the number of intrusion attempts, and the time it took to detect and respond to any potential threats.
- Include details regarding how the organization is addressing third-party risks (a frequent source of data breaches).
4. Status of compliance items
- Provide an overview of the institution’s compliance with the Rule.
This could be summarized by noting the percentage of 800-171 controls that are being met across the organization. For example, you can report that you have implemented X% of the controls under the NIST framework, note why certain controls were prioritized, and provide a for compliance with the remaining controls.
- Give updates on current or future audits or other compliance initiatives.
This could include research data compliance, PCI DSS, CMMC, etc. and any upcoming compliance needs.
5. Updates or findings from any risk assessments, audits, or penetration tests
- If you have any recent risk assessments, a quick overview of the results, the plan of action, and any milestones for risk mitigation/remediation (this is also a GLBA requirement, so as this relates to GLBA, this may be included here or in the previous section).
- Baseline assessments with documented percentages can also be used in this section to document/reference over time and show growth and maturity of the program.
6. Overview of recent cybersecurity tabletop exercises
- If the team had any tabletop or business continuity exercises, share a quick overview of what went well and any gaps identified, as well as plans to address those gaps.
- Testing your incident response plan can help all parties assess how quickly your organization would be able to respond to an attack and/or resume normal operations, and what that projected timeline might mean in financial terms.
7. Updates on any ongoing or future projects
- Quick update on any projects the team is working on to prevent, detect or remediate any cyber risks; if the projects are on time, and on budget.
- If additional resources are needed, be prepared to explain why and how resources will be used.
8. Assessment of trending risks or critical threats, particularly in similar organizations
- Do your research. The board has likely seen high profile cyber threats like ransomware and supply chain weaknesses discussed in the news. Reporting on threats that are currently trending and how your organization is working to prevent these types of risks is important.
9. Areas of concern and recommended changes
- Are there particular challenges you face? This can be an opportunity for redirected resources. Note: Make sure you also bring possible solutions/resources to the table.
The written report should be kept brief—no more than 2-4 pages—and should highlight key areas where sensitive information may be at risk, and what controls have been (or will be) implemented to combat these risks. It is highly recommended that a presentation by your Qualified Individual accompany the written report. Visual representations of statistics, compliance percentages, etc., will be essential. Time will be limited, so the presentation should be brief.
This reporting event is a great opportunity to track progress your team has made and to celebrate successes. It should also be used to increase overall understanding of risks to your environment and make a case for additional budget or other resources that may be needed to improve the organization’s overall security posture.
Below is some additional guidance from the CampusGuard Security Advisor Team:
With the Final Rule, the Commission believes they are allowing for greater flexibility by providing less detailed guidance on the components and structure of the report. This may be helpful for financial organizations accustomed to regular reporting and where operations, risks, and available resources are known and can be modeled. However, in higher ed, a lack of thorough guidance can present reporting challenges for under-resourced, decentralized information security programs focused on preventing and responding to compromises. Rather than shifting the burden to higher ed institutions to spend time and resources defining what components should be included in a regular report to a board of directors, it would be helpful for the Commission to provide clearer guidance on what is or isn’t required. Hopefully, the guidance CampusGuard provides can help our community in this regard.
It should be noted that because this report is written, a record is created of all items, including compliance gaps, security incident details, and any decisions made by the qualified individual or the board. The intention behind this is to increase accountability and monitor information security program effectiveness over time. Consider your approach carefully. You should consult the Freedom of Information Act (FOIA) officer at your institution and any legal staff to understand liabilities, what information will be shared (and with whom), and what is subject to release under FOIA.
With the reporting requirement, the Commission may have just created an incredible opportunity. Rather than being left out due to a growing list of competing agenda items (unless there’s a data breach or other major incident), information security across higher ed will have a recurring presence at a meeting where key resourcing and strategic decisions are made. If leveraged effectively (and carefully), this requirement could strengthen your information security program.
Regulatory requirements are often written without a great deal of consideration given as to how universities will achieve compliance. Remember that through CampusGuard, your institution has access to compliance resources designed specifically for the unique needs of higher ed. We understand your challenges, and we’re here to help.