Skip to content Menu

New OMB Policy Requires Title IV Privacy and Data Security Audit Checks

7/03/2019

The Office of Management and Budget (OMB) has released a Compliance Supplement for 2019. As expected, this guidance features an audit objective meant to review institutional compliance with the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA).

Higher education institutions have always been expected to comply with the rule, which is meant primarily to safeguard customer information at financial institutions, but this is the first time that oversight of college and university compliance has been codified as part of the Title IV audit process.

In speaking with both OMB and the Department of Education while the new objective was being crafted, higher education advocates urged regulators to maintain the inherent flexibility of the Safeguards Rule within this audit objective to enable schools of all sizes to effectively protect sensitive student information in a way that is tailored to each institution. Regulators appear to have mostly adhered to this request with the stated audit objective being to “determine whether the institution designated an individual to coordinate the information security program; performed a risk assessment that addresses the three areas noted in 16 CFR 314.4 (b) and documented safeguards for identified risks.”

Suggested Audit Procedures to ensure compliance are:

“a. Verify that the institution has designated an individual to coordinate the information security program.

b. Verify that the institution has performed a risk assessment that addresses the three required areas noted in 16 CFR 314.4 (b), which are (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures.

c. Verify that the institution has documented a safeguard for each risk identified from step b above.”

The public now has a small window to offer comments on the entire Compliance Supplement, but significant changes to this audit objective are not expected. ED, EDUCAUSE, and NACUBO provide resources to aid institutions with information security best practices and GLBA compliance.

Contact

Liz Clark

Vice President, Policy and Research

202.861.2553

Related Content

NACUBO and ACE Issue Update on Global Music Rights Negotiations

Discussions between NACUBO, the American Council on Education, and Global Music Rights for a public performance license ultimately proved unsuccessful, and the two higher education associations have issued a statement to update institutions on the negotiations.

What Did I Miss in Washington? July 10-August 1, 2018

In this edition: NACUBO guidance on closing out Perkins Loan programs, an update on borrower defense, a new tax bill on Capitol Hill, and more.

What Did I Miss in Washington? April 30-May 13, 2019

In this edition: House appropriators approve increased FY20 funding for ED, the IRS announces retirement and deferred compensation plan audits, and more.