The Office of Management and Budget (OMB) has released a Compliance Supplement for 2019. As expected, this guidance features an audit objective meant to review institutional compliance with the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA).
Higher education institutions have always been expected to comply with the rule, which is meant primarily to safeguard customer information at financial institutions, but this is the first time that oversight of college and university compliance has been codified as part of the Title IV audit process.
In speaking with both OMB and the Department of Education while the new objective was being crafted, higher education advocates urged regulators to preserve the inherent flexibility of the Safeguards Rule within this audit objective, so that schools of all sizes can effectively protect sensitive student information in a way that is tailored to each institution. Regulators appear to have largely honored this request: the stated audit objective is to “determine whether the institution designated an individual to coordinate the information security program; performed a risk assessment that addresses the three areas noted in 16 CFR 314.4 (b) and documented safeguards for identified risks.”
Suggested Audit Procedures to ensure compliance are:
“a. Verify that the institution has designated an individual to coordinate the information security program.
b. Verify that the institution has performed a risk assessment that addresses the three required areas noted in 16 CFR 314.4 (b), which are (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures.
c. Verify that the institution has documented a safeguard for each risk identified from step b above.”
The public now has a small window to offer comments on the entire Compliance Supplement, but significant changes to this audit objective are not expected. The Department of Education (ED), EDUCAUSE, and NACUBO provide resources to aid institutions with information security best practices and GLBA compliance.