Colleges and universities have been subject to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule for almost 20 years. Yet, without a strong enforcement mechanism, most institutions have never assessed their own compliance.
For the first time, the United States Office of Management and Budget (OMB) included audit objectives for colleges and universities concerning compliance with the Safeguards Rule in the Single Audit Compliance Supplement for 2019. The Safeguards Rule requires institutions to protect sensitive financial data about students and parents/guardians by implementing several controls and processes. Listen in to the recorded webinar as our higher education and cybersecurity specialists explore the GLBA requirements and the new Single Audit testing and share case studies on compliance.
Key learning objectives:
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.
Continue reading to view frequently asked questions.
1) Are there specific trainings (including the length of trainings) that are required? I'm specifically curious about anything other than FERPA. Also, would it be different for CA schools? Thank you.
Training is required under the GLBA Safeguards Rule.
However, the rule does not prescribe the content, length or delivery of the training. Institutions should determine the types and lengths of training needed to address their institution's specific risks and requirements.
2) As it relates to vendors, how would you go about current contracts with vendors that don't have security controls language in them? Wait until they expire? Amend them as soon as possible?
Baker Tilly recommends reviewing existing contracts on a periodic basis and working with vendors to update contractual language as needed. Since Baker Tilly is not a law firm, we recommend you work with legal counsel to determine next steps for your institution.
3) Can we have two people delegated?
Sure, more than one person can be delegated the information security program coordinator role. However, Baker Tilly recommends you explicitly name the person(s) who will coordinate the program within the written information security program. Naming only a committee or group provides no individual accountability for the information security program.
4) Can you provide the reference documents where the SEC has said if an IHE complies with FERPA they have complied with GLBA?
This is addressed in the GLBA Privacy Rule, not the Safeguards Rule. The Federal Trade Commission's Privacy Rule (16 CFR Part 313) states that institutions of higher education complying with FERPA are deemed to be in compliance with the Privacy Rule. That deeming does not extend to the Safeguards Rule, which institutions must still comply with.
Additional information can also be found at NACUBO’s site.
5) Clarification...are we to identify one risk or one safeguard?
GLBA requires that the institution has identified and implemented safeguards to address the identified risks. The Single Audit Compliance Supplement guidance for the external auditors asks the auditors to verify that the institution has identified at least one safeguard for each identified risk.
It is a reasonable expectation that you will have many risks documented in your risk assessment. And for each risk it is likely that you would have many safeguards documented. However, many safeguards will probably address multiple risks, which is to be expected.
6) Could you provide clarification on your earlier comment related to FERPA and how that relates to GLBA?
See question/answer #4 above.
7) Did you say NIST 171?
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. This is specifically recommended, but at this time not required, by the Department of Education in the 2016 Dear Colleague Letter (DCL) GEN-16-12 on Protecting Student Information (see link).
8) Do you find that the designated person responsible for coordinating the information security program is the CISO?
Baker Tilly has seen certain institutions designate the CISO and other institutions designate a person in the financial aid office and other institutions designate the CFO. Baker Tilly recommends the designee(s) have the appropriate level of authority to adequately coordinate the program, which includes decision making responsibilities.
9) Do you know of Universities that have been fined under GLBA recently? Or other enforcement?
Baker Tilly is unaware of any specific institutions of higher education that have been fined or faced other enforcement under GLBA. However, with the changes to the new Single Audit Compliance Supplement, this is the first time institutions are being proactively assessed on compliance with GLBA. It is unknown if findings from single audits will result in investigations by the Department of Education.
10) Do you need to be 100% compliant with all 110 NIST requirements to be compliant with GLBA, or is there flexibility to help justify why we may not wish to pursue some of the controls?
GLBA does not require any specific control framework. The Department of Education Dear Colleague Letter (DCL) GEN-16-12 simply recommends that institutions refer to NIST SP 800-171 as guidance. The letter specifically states: “We also advise institutions that important information related to cybersecurity protection is included in the National Institute of Standards and Technology (NIST) Special Publication 800-171 (NIST SP 800-171). Specifically, the NIST SP 800-171 identifies recommended requirements for ensuring the appropriate long-term security of certain Federal information in the possession of institutions.”
See question/answer #7 above for additional info.
11) GLBA covers more than financial aid data, doesn't it? E.g. faculty housing assistance programs.
GLBA can cover a number of account types as defined under the law and rules, not only financial aid. Each institution must evaluate the GLBA requirements and determine how they apply to the institution. Our webinar focused on financial aid data since this is most likely the largest volume of impacted data and the Single Audit Compliance Supplement now requires auditing of the GLBA protections over financial aid data.
12) How do you mitigate user accountability around institutions that have small technology teams with regards to user access? For instance, a director of cybersecurity also administers the financial application used to collect student data?
There are numerous strategies that institutions can use when a small team does not allow duties to be segregated between different personnel. In all cases, the best compensating controls involve business/operations personnel, independent of IT, who monitor the activity of personnel with privileged/administrator/superuser access to systems.
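The monitoring control described in this answer can be partly automated. The following is an added example, not code from the webinar or from Baker Tilly: it parses a constructed audit-log export from a hypothetical financial aid application, isolates the changes made by privileged accounts to student financial records so a business-side reviewer can examine them, and flags the entries where the same account both made and approved a change. The column names, role names and action names are assumptions for illustration.

```python
"""Review report of privileged-user changes in a financial application.

Added example, not from the original webinar. Where one person both
administers the financial application and holds a security role, a
compensating control is an independent business-side review of what the
privileged accounts actually changed. Field names, roles and actions below
are assumptions; the log lines are constructed sample data.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (assumed CSV layout) from a hypothetical
# financial aid system's audit log.
SAMPLE_AUDIT_LOG = """\
timestamp,user,role,action,record,approved_by
2019-10-01T08:02:11,jsmith,fa_counselor,update_award,STU1001,mlee
2019-10-01T08:15:40,dadmin,sysadmin,update_award,STU1002,dadmin
2019-10-01T09:01:03,dadmin,sysadmin,view_record,STU1003,
2019-10-01T09:30:27,dadmin,sysadmin,update_bank_account,STU1004,mlee
2019-10-01T10:12:55,mlee,fa_director,approve_award,STU1001,
2019-10-01T11:45:09,svc_batch,sysadmin,disburse,STU1005,svc_batch
"""

# Which roles count as privileged and which actions modify financial data
# are institution-specific; these sets are assumptions for the example.
PRIVILEGED_ROLES = {"sysadmin", "dba", "app_admin"}
CHANGE_ACTIONS = {"update_award", "update_bank_account", "disburse"}


def parse_audit_log(text):
    """Parse the CSV export into a list of dict rows (one per audit event)."""
    return list(csv.DictReader(io.StringIO(text)))


def privileged_changes(rows):
    """Changes to student financial records made by privileged accounts.

    Read-only events are excluded; these are the entries a business-side
    reviewer (e.g. the financial aid director) should see, since IT cannot
    independently review its own work.
    """
    return [r for r in rows
            if r["role"] in PRIVILEGED_ROLES and r["action"] in CHANGE_ACTIONS]


def self_approved(rows):
    """Privileged changes where the actor also recorded the approval.

    A change that a privileged user both made and approved had no second
    pair of eyes, so it should be escalated for review.
    """
    return [r for r in privileged_changes(rows) if r["approved_by"] == r["user"]]


def review_report(rows):
    """Per privileged user: number of changes and how many were self-approved."""
    summary = defaultdict(lambda: {"changes": 0, "self_approved": 0})
    for r in privileged_changes(rows):
        summary[r["user"]]["changes"] += 1
        if r["approved_by"] == r["user"]:
            summary[r["user"]]["self_approved"] += 1
    return dict(summary)


if __name__ == "__main__":
    rows = parse_audit_log(SAMPLE_AUDIT_LOG)
    for user, s in review_report(rows).items():
        print(f"{user}: {s['changes']} change(s), {s['self_approved']} self-approved")
    for r in self_approved(rows):
        print("REVIEW:", r["timestamp"], r["user"], r["action"], r["record"])
```

The report is meant to be handed to someone outside IT on a fixed schedule; the point of the control is not the script but that a person who cannot make the changes reviews them. Note that a service account (svc_batch above) with a privileged role is caught the same way as a human administrator.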
13) How does encrypting data at rest and in transmission play into compliance with GLBA?
There is no specific requirement for encryption under GLBA, and there is no safe harbor for institutions that simply implement encryption. Baker Tilly recommends encryption as a key control for data protection; however, institutions should determine the specific safeguards/controls to implement based on the institution's risks and the costs associated with implementing and maintaining controls.
14) If a higher education institution is compliant with FERPA, there are no additional requirements to comply with under GLBA - I think I heard this at the beginning and that the FCC and Dept. of Ed came to this conclusion. Is this correct?
No. See question/answer #4 above.
15) If a vendor provides equipment to us and this equipment stores PII which the vendor has access to through maintenance of the equipment or through their vendor-hosted software, does this situation call for a SOC report, right-to-audit clause, etc.?
Baker Tilly recommends that both right-to-audit clauses and third party assurance reports (e.g., SOC reports) be included in all vendor contracts, which gives the institution the ability to adequately evaluate the vendor's controls. In the example included in the question, we would agree that one or both of these controls should be in place. Additionally, some level of proactive monitoring of the vendor's personnel when they are accessing the equipment used by your institution should be in place.
16) If you have a vendor that pushes back regarding language in the contract, such as right to audit, would it be reasonable to find another vendor?
Sure; it depends on the institution's risk tolerance. Each institution should determine its risks and then implement safeguards/controls to address those risks. If the institution decides to implement compensating safeguards/controls for the vendor, that might be adequate. Alternatively, the institution might deem the risk of continuing to use that vendor too high and decide to find another provider.
17) Is the student id number considered PII?
This depends on a number of factors, including the institution's geographic location and other regulatory requirements, as the definition of PII varies. For GLBA, if the student ID number is also used as an account number for a loan or a declining balance debit account, then it would most likely be PII. However, there are many factors that must be considered to determine whether student ID numbers used at your institution should be considered PII.
18) Is there a specific Risk assessment model that is recommended? We see that the Fed Dept. of Ed recommends the FFIEC CAT tool
There is no specific risk assessment model that is required or recommended. Baker Tilly recommends that the institution use an approach that makes sense for the institution, and that focuses on identifying and managing the appropriate risks for protecting systems and data, not just on meeting compliance requirements.
Yes, the office of Federal Student Aid (FSA) has listed the FFIEC's Cybersecurity Assessment Tool (CAT) on its FSA Cybersecurity Compliance website. However, it is unclear if they are officially recommending that tool. Additionally, that tool contains many items that are not likely applicable to institutions of higher education, such as ATM management, and uses a risk rating scale that aligns with financial institution organization structures. If you choose to use that tool, be aware that you will still need to customize it or use it in a different way than the FFIEC intended.