Why Colleges and Universities Need to Prepare for GLBA Data Security Audits
By Joseph Compton, Partner, Advisory Services
Higher education institutions should be prepared to demonstrate, in an audit, compliance with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule as it applies to student financial records.
The U.S. Office of Management and Budget (OMB) has indicated that it plans to add GLBA compliance to the single audit for colleges and universities. The Council on Governmental Relations (COGR) noted that the U.S. Department of Education postponed including a GLBA data safeguards review in the 2018 audit requirements, but that policymakers could add it for 2019.
Institutions should prepare to demonstrate the use of industry best practices for data privacy and protection. Preparation includes a written information security plan, a risk assessment, safeguards that address the identified risks, and periodic evaluation of security controls. The Department of Education has in the past strongly encouraged institutions to follow the National Institute of Standards and Technology (NIST) recommendations for data security and management. Institutions that do not meet GLBA standards during the audit risk substantial monetary fines or even the loss of access to Title IV federal financial aid program funding.
Understanding What Safeguards Are Required
The amount of information easily available online has many benefits, but it has also heightened the risk of data breaches and the exposure of sensitive financial and personal information. Compliance with the GLBA Safeguards Rule requires schools to designate specific staff members to coordinate the information security program. Schools also need to perform risk assessments that identify where sensitive data is stored, transmitted, and handled and where it could be exposed, and to train employees on the procedures for handling that data and for reporting a possible breach.
Once the risk assessment is complete, institutions should implement safeguards that address the issues it raised and conduct periodic testing and monitoring to detect new risks. Universities and colleges must also oversee their service providers: select only providers capable of maintaining appropriate safeguards for any data they acquire or handle, and require those safeguards by contract. Documentation of each of these areas must be maintained so that compliance can be demonstrated during an audit.
The Federal Trade Commission and the Federal Financial Institutions Examination Council (FFIEC) have published resources explaining in more detail the compliance and documentation requirements institutions should prepare to meet. The FFIEC guide grew out of a 2014 pilot assessment by its member agencies and followed the principles of the NIST Cybersecurity Framework as it stood at the time. Cybersecurity threats, however, are constantly evolving. Once the GLBA Safeguards Rule is part of schools' single audits, institutions will need not only to follow current best practices but also to be prepared to adjust their safeguards and procedures as threats continue to change.
Marcum can work with your educational institution to prepare for audit compliance with the Gramm-Leach-Bliley Act’s (GLBA) student financial record data safeguard requirements.
Do you have questions about getting started or other risk advisory matters? Contact Joseph Compton, Partner, Advisory Services.