UPDATE: In November 2022, the FTC extended this deadline for compliance by six months to June 9, 2023.
Cybersecurity incidents such as ransomware and credential theft within higher ed institutions continue to rise, and the Federal Student Aid (FSA) Office is paying attention.
They have also announced that they are fully committed to ensuring institutions of higher education are protecting all Controlled Unclassified Information (CUI) used in the administration of federal student aid programs. In FY19, the FSA added the Safeguards Rule objective to the federal single audit process, requiring that auditors confirm the following:
- Institution has appointed an individual or team to coordinate its information security program
- Institution has conducted a data security risk assessment that covers employee training and management, covered networks and information systems, and incident response
- Institution has implemented safeguards to address the risks that are identified in its assessment
The US Department of Education encouraged the use of a standard security framework and recommended that organizations utilize the NIST SP 800 171 Rev 2, and adhere to their obligations under the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule. The Safeguards Rule was recently updated and the requirements are now expanding considerably before the end of this year. The audit objective for the FY22 process did not change. However, we do expect the FSA to take into account the new Safeguards Rule requirements in the near future, so we would encourage organizations to focus time and resources on ensuring their programs align with the updated rule as we approach the December 2022 deadline.
Is your organization preparing for an upcoming FSA or state GLBA audit? What exactly will the auditors be looking for, and how can you prepare?
Below is a quick compliance checklist to help your organization plan for a GLBA compliance assessment and/or audit.
1. Define Your GLBA Scope
GLBA applies to any organization engaging in financial activities. For higher education institutions, this can include activities like:
- Student loans
- Federal work-study programs
- Financial advisory services (i.e. 401K programs)
- Career counseling services
- Issuance of debit or long-term payment plans with interest charges
- Collection of delinquent loans or accounts (in-house or third-party)
- Obtaining information from a consumer report
- Health insurance provisioning
It is impossible to protect CUI data if you are not able to determine and define where that information is located. Any people, processes, or technologies with access to this sensitive financial information should be considered in scope for your GLBA program. This will typically involve IT resources such as servers and workstations, portable hard drives, student information systems, other financial aid applications (which could be hosted locally or with a third party), and the security and other IT infrastructure supporting those systems. And don’t forget printed CUI moving through the departments and campuses—any staff handling those documents will also be in scope.
2. Determine Impacted Areas/Departments
As you start to plan for the assessment, you will want to determine which areas have access to any of the in-scope systems and data. Commonly-impacted departments within higher education include:
- Financial Aid
- Student Loans
- Student Services
- Public Safety
- Fundraising (Development, Foundation, Alumni)
You will want to engage each of these departments, interviewing them in a comprehensive manner, to understand and document any identifying information that is collected, for what purpose, and how that information is handled. Ultimately, you will need to provide a detailed list of administrative, technical, or physical safeguards used to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle the information in scope. The assessor will also review who has access to the data in each system and/or area, how it is accessed, and whether (and how) staff are trained to secure that information. They will be reviewing the full lifecycle of data from the initial collection, so it can be helpful to have data flow diagrams prepared as well.
Your IT and IT security teams will need to be engaged early in the process, as they implement the safeguards on those in-scope systems, and therefore will have a deep understanding of technical controls. The IT groups will be responsible for answering questions related to information storage, backups, vulnerability management, access provisioning, authentication controls, encryption, logging and alerting, anti-malware, and network security.
3. Collect Applicable Documentation
As much as possible prior to the assessment, gather the applicable documentation together for the assessor to review. This may include:
- System Inventory (including third-party services)
- Data Flow Diagram(s)
- Acceptable Use Policy
- Group Policy Standards
- Information Security Policy
- Change Management Policy
- Audit Procedures
- Remote Access Policy
- Mobile Device Policy
- Firewall/Router/Switch Configuration
- Anti-Virus Deployment Procedures
- Log Management/Review/Alerts
- Data Retention and Disposal Procedures
- Security Awareness Training Policy
- Incident Response Plan
- Hiring Policies
4. Perform a Risk/Compliance Assessment
Under the new FTC Safeguards Rule, organizations must have a written risk assessment. This assessment should be designed to assess external and internal threats, and to ensure the implemented safeguards are appropriate and operating as intended to protect all CUI data.
It can be performed internally or by a third party. While an internal risk assessment will have the benefit of thorough institutional knowledge, an external review provides an outside perspective and can often uncover risks that may otherwise be overlooked as employees become accustomed to the way they do things, or develop unintentional work arounds to complete job responsibilities, whether that leads to potential risk or not. The assessment will identify additional resources, controls, or technologies that may need to be implemented to address identified risks. The review will assess the maturity and completeness of the organization’s controls against the controls in the NIST SP 800-171 standard (i.e. change/configuration management, access control, vulnerability management, media security, incident response, physical security, etc.).
The assessor will also review all security documentation, organizational policies, procedures, etc. All third-party service providers involved must also be reviewed to ensure they are also operating in a compliant manner and implementing and maintaining proper safeguards to protect any sensitive information you are sharing with them.
5. Review Common Areas of Non-Compliance
Below are several findings the CampusGuard Team commonly identifies as part of the GLBA assessment process:
- A complete inventory of assets/in-scope systems is not maintained/up-to-date.
- Sensitive information is not classified appropriately.
- A lack of a defined or formal third-party vendor management program.
- Access to systems that contain CUI do not require Multi-Factor Authentication.
- Users with elevated privileges that do not have a valid business need for those privileges, and periodic audits of account access are not performed.
- Sensitive data is exchanged via email and is not consistently protected/encrypted.
- Legacy/archived information is stored outside of defined retention periods.
- Audit logs are not kept (or monitored) for in-scope systems.
- Security-related processes and business practices are not documented.
- Employees do not receive annual security awareness training.
- Incident Response Plan is not tested on a regular/scheduled basis.
- No formal risk assessment program or strategy.
6. Remediate and Mitigate Identified Risks
Once the assessment is complete, the next step will be to review all identified gaps (like those listed above), and implement a plan of action to address and correct any identified risks and/or deficiencies. The risk assessment plan will document all tasks that will need to be accomplished, necessary resources, and the controls that will be implemented to mitigate the risk, as well as timelines for completion.
While GLBA compliance may often seem like another check the box compliance activity, the overall goal is to prevent data breaches by securing customer and consumer data, and to minimize the impact of a breach by implementing effective technical and administrative controls.
Additional guidance from our CampusGuard Security Advisor Team:
[Gokturk]: For those of you who are still feeling a bit confused, it will be helpful to visit the latest version of Title 16 part 314, found on the National Archives Code of Federal Regulations website here. This website provides comprehensive descriptions of components of a GLBA program and requirements, as well as the types of information and scenarios in scope, with examples. There are also examples of what is NOT in scope, such as retail merchants offering layaway programs or to run a tab for a customer.
In a decentralized and collaborative university environment, it can be overwhelming to consider all the paths this information may take. No doubt there will be some surprises along the way. Rather than boiling the ocean, take a measured approach. Collect some stakeholders and whiteboard, for example, the student financial data pathways as you know them. Focus first on your primary and secondary systems and processes. Talk to the system and data owners, gauging their security awareness along the way. Follow the data flows, and you will quickly identify your priority areas where you can focus your efforts for the biggest impact. It may take time, but eventually you will map out your CUI across your environments. Lean on your system owners and other knowledgeable staff. Remember they know more about your systems and processes than an auditor will.
When you’re ready, CampusGuard is here and ready to help jumpstart those conversations and get you on the best path forward toward GLBA compliance.