Any institution that receives $750,000 or more in federal funding in a year (student financial aid counts toward that total) must undergo a federal audit annually. An audit objective covering Gramm-Leach-Bliley Act (GLBA) Safeguards Rule compliance was originally slated for the Fiscal Year (FY) 2017 audit, but its implementation was delayed until this year's FY18 audit.
To ensure that institutions of higher education are securing student information, the US Department of Education has added draft GLBA compliance language to its FY18 audit guide, following two Dear Colleague Letters issued in July 2015 (GEN-15-18) and July 2016 (GEN-16-12). The letters state that the Department will require auditors to examine evidence of GLBA compliance. The new audit objective will determine whether the institution has designated an individual to coordinate the information security program, has performed a risk assessment that addresses the three areas listed in 16 CFR 314.4(b), and has documented safeguards for the risks it identified.
The GLBA Safeguards Rule mandates that institutions develop a written information security program that includes the following elements:
- Designating an employee or employees to coordinate the information security program.
- Identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of customer information, and assessing the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each of the following areas:
  - employee training and management
  - information systems, including network and software design, as well as information processing, storage, transmission and disposal
  - detecting, preventing and responding to attacks, intrusions, or other systems failures
- Designing and implementing information safeguards to mitigate the risks identified in the required risk assessment, and regularly testing and monitoring the effectiveness of those safeguards.
- Overseeing service providers by taking reasonable steps to select and retain service providers that are capable of implementing and maintaining appropriate safeguards for the customer information at issue.
- Evaluating and adjusting the information security program in light of changed circumstances.
Institutions are required to conduct a risk assessment as outlined above. While not explicitly required, the Dear Colleague Letters reference NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations", as a framework for performing the assessment. On a related note, NIST SP 800-171 is also the standard used for compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which affects institutions or research departments that handle controlled unclassified information and/or covered defense information.
As with PCI, the first step in GLBA compliance is defining your GLBA scope: determining where nonpublic personal information (NPI) is stored, transmitted, or handled. Relevant financial activities may include student loans, grants, federal work-study programs, debt collection, other financial programs, and health insurance provisioning. From there you can identify which information systems are in scope and begin the risk assessment process.
One critical point to keep in mind is that even though PCI, GLBA, HIPAA, DFARS, GDPR, etc. are separate standards with unique requirements, there is significant overlap in how the information they cover must be protected. Many of the security controls you have already put in place to protect cardholder data can also be used to protect information covered by the GLBA Safeguards Rule, so it is important for departments to collaborate on these efforts and pool campus resources.
Some additional guidance from our Security Advisor team below:
[Campbell]: To continue and clarify my comments from last month’s GDPR article, CampusGuard certainly recommends that you leverage your lessons learned through a compliance and remediation effort, such as PCI DSS, including reusing tools and security controls, since there is often a fair amount of overlap between programs. You should find that each succeeding compliance program is easier and more efficient than the last. You will, however, likely want to keep actual environments for each compliance program separate, rather than mixed, so that any assessments, audits, breach notifications, or investigations will only include those data, systems, and environments relevant to a particular program. Think of it like having systems in PCI scope that do not need to be there, and the costs/complexities this can cause. Finally, as you see these programs pile on and ratchet up in demands, CampusGuard encourages you to strive to identify dedicated compliance personnel resources, and of course to remain engaged with us to keep abreast of the latest developments.