The Office of Management and Budget (OMB) released the FY23 federal single audit compliance supplement at the end of May. This updated supplement includes a revised version of the Gramm-Leach-Bliley Act (GLBA) compliance requirements and the Safeguards Rule audit objective, intended to better align with the revised Rule, which took effect on June 9, 2023. Any institution that participates in Title IV educational assistance programs (financial aid) is subject to GLBA and must agree to comply within its Program Participation Agreement with the Department of Education.
The revised Safeguards Rule provided significant updates for the requirements that organizations must meet under GLBA, and established minimum security standards that should be in place no later than June 9. For institutions with fewer than 5,000 customers, there are seven elements that must be addressed within the organization’s written information security program. For any organization with over 5,000 customers, there are nine required elements. Review a summary of the updated elements here.
The FY23 Audit Objectives are as follows:
- Determine whether the institution designated a Qualified Individual responsible for implementing and monitoring the institution’s information security program.
- Determine whether the institution’s written information security program addresses the required minimum seven (or nine) elements.
Suggested Audit Procedures:
- Verify that the institution has designated a Qualified Individual responsible for implementing and monitoring the institution’s information security program.
- Verify that the institution has a written information security program and that the written information security program addresses the remaining required minimum elements.
If you have not already done so, the first step for meeting these outlined audit objectives is obviously to determine who will be your organization’s Qualified Individual. From there, it will be important to review and identify the people, systems, and processes in scope for GLBA.
As you approach your institution’s scheduled audit, being able to provide a detailed, written information security program and demonstrate your efforts to mitigate any identified risks will be critical. Learn how to prepare for an upcoming GLBA assessment and/or audit. Or reach out to your dedicated CampusGuard team to request our GLBA Compliance Planning Checklist.
Additional feedback from one of our Security Advisors:
[Lewis]: The term “Qualified Individual” might not be a clear definition to everybody. The Department of Education is giving latitude in determining who is qualified. Having specific training, experience, or certifications is the common definition, but higher education institutions should consider more than this. The qualified individual should be considered as someone who has knowledge of GLBA requirements and will retain responsibility for the entire information security program. Additionally, the QI will work to achieve GLBA compliance by using administrative/technical/physical controls or secure, risk-tolerant, reliable solutions. This individual will represent the entire institution, like a Chief Information Security Officer (CISO), and have ultimate responsibility for implementing and maintaining GLBA compliance.