ED Proposes Auditing Safeguards Rule Compliance
To protect student information, colleges and universities are required to comply with the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA).
By existing law and regulation, the Federal Trade Commission (FTC) is the Safeguards Rule enforcement agency. However, NACUBO recently learned that the Department of Education has proposed adding a GLBA compliance check to the audit requirements for the student financial assistance cluster for FY17 under the Single Audit Act.
NACUBO member institutions should evaluate and document their current campus compliance with the Safeguards Rule.
While the GLBA primarily regulates financial institutions, colleges and universities—largely due to their involvement in lending activities—are also subject to some provisions. The Safeguards Rule requires a campus to make a good faith effort to identify its specific information security risks and develop risk management and contingency plans accordingly.
In 2003, NACUBO published Advisory Report 2003-01, which summarizes and explains the FTC's final regulations on safeguarding customer information.
More recent ED “Dear Colleague Letters” also reminded colleges and universities about their obligations:
- 2015 Reminder for IHEs on Safeguards Compliance Requirement (GEN-15-18)
- 2016 Reminder for IHEs on Safeguards Compliance Requirement (GEN-16-12)
Upon learning that ED is considering adding a GLBA compliance check, NACUBO, together with EDUCAUSE, the Council on Governmental Relations, and the National Association of Student Financial Aid Administrators, wrote to the Office of Management and Budget (OMB) to express some concerns with the proposed audit objective. The associations are mindful that securing the privacy and confidentiality of student information is critical but were uneasy with the overly broad scope and lack of specificity in the draft, and asked OMB to revise the approach. It appears OMB was amenable and will likely revise the audit test to contain objective criteria.
However, NACUBO believes the requirement will likely be included in OMB’s publication of the Compliance Supplement for FY17, despite a request to delay implementation until FY18. The OMB Compliance Supplement provides auditors with guidelines for reviewing compliance with federal rules when auditing the student financial assistance cluster as a major program.
NACUBO urges member institutions to evaluate and document their current campus compliance with the Safeguards Rule.
The “Student Financial Services” chapter of NACUBO’s College and University Business Administration offers these suggestions:
- Designate an employee or employees to coordinate the information security program.
- Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.
  - At a minimum, such a risk assessment should include consideration of risks in each of the following operational areas:
    - Employee training and management,
    - Information systems, including network and software design as well as information processing, storage, transmission, and disposal, and
    - Detecting, preventing, and responding to attacks, intrusions, or other systems failures.
- Design and implement information safeguards to control the risks identified through risk assessment and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures.
- Oversee service providers by taking steps to select and retain providers that are capable of maintaining appropriate safeguards for customer information.
- Contractually require service providers to implement and maintain such safeguards.
- Periodically evaluate and adjust the information security program, based on the results of the testing and monitoring mentioned above, any material changes to operations, or any other circumstances that are known to have or that may have a material impact on the information security program.
Another helpful resource is the EDUCAUSE Information Security Guide, which is developed and maintained by its Higher Education Information Security Council. This is a comprehensive guide on planning and implementing institutional information security.
Additionally, the FTC offers this guidance for complying with the Safeguards Rule.