We mentioned in our previous E-Focus, eventually auditors will be directed to assess the implementation of the GLBA and FTC Safeguard Rule requirements.  The 2023 Compliance Supplement – 2 CFR Part 200 Appendix XI (May 2023), Part 5 Cluster of Program (page 5-3-80) provides auditors suggested audit procedures including:

1. Verifying the institution has a Qualified Individual for implementing and monitoring the information security program.
2. Verifying the institution has a formal (written) information security program addressing the specific required minimum specifications.

The details are bit more complicated, but auditors will begin looking at these programs further. The 2023 Compliance Supplement only requires that auditors verify the written information security program contains the minimum specifications, but does not require the auditor to test verify or test the implementation; however, the scope of those audits may increase in future years to address all the requirements listed.

The guidance directs auditors to verify the institution has a designated Qualified Individual and has a formal security program addressing the following:

• Access Controls: Access controls (least privilege approach) are implemented and periodically reviewed.
• Data Inventory: Data inventories track the collection, processing, transmission, and storage of sensitive data.
• Applications: Internally developed applications are periodically assessed.
• Multi-Factor Authentication: All student data (and sensitive data) is protected by Multi-Factor Authentication.
• Data Disposal: Sensitive data, including student financial information, is securely destroyed when no longer required.
• Risk Assessment: Periodic risk assessments are conducted to anticipate and evaluate changes to the environment.
• Logging User Activity: Logs of user activity are maintained to identify potential occurrences of unauthorized access.
• Testing: Safeguards are regularly tested or monitored to ensure the effectiveness of the protective controls.
• Service Providers: Addressing how the institution will assess service providers and oversee the service providers to minimize risk.
• Periodic Updates: Using the information generated through all activities, the information security program will be updated to address new threats and risks.

The guidance dives into a little more detail on areas of responsibility for the Qualified Individual, audit objectives, and guidance on goals of the GLBA and FTC Safeguards Rule.

We encourage all higher education institutions to review their written information security program and make sure you are ready for your auditors to start digging into these details.

As always, if you need information or assistance with any of the areas discussed in this E-Focus, please feel free to contact the RubinBrown Colleges and Universities team at any time.

Published: 6/26/2023

_{^{Readers should not act upon information presented without individual professional consultation.}}

_{^{Any federal tax advice contained in this communication (including any attachments): (i) is intended for your use only; (ii) is based on the accuracy and completeness of the facts you have provided us; and (iii) may not be relied upon to avoid penalties.}}