
Focus on Colleges and Universities: GLBA and FTC Safeguard Rule Impacts


The new rules from the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission (FTC) Safeguards Rule were released in December 2021 and go into effect in December 2022. The changes expand the definition of nonbanking financial institutions to include higher education institutions providing student financial aid.

The requirements focus on establishing a cyber security program designed to protect student financial information.

The main requirements include:
  • Designate a “Single Qualified Individual” to oversee and enforce the information security program - a trained information security officer, or a senior IT leader or other person with security training and experience. Outside advisory support is allowed as well.
  • Periodic Risk Assessments - risk assessments need to be updated annually to identify risks and used by the information security program to address the identified risks.
  • Design and Implement Security - use the risk assessment to implement appropriate security controls. These will vary based on the risks identified, but broadly include:
    • Authentication - implement multifactor authentication (MFA) for access to all information systems. At a minimum implement MFA for all remote access, email, and access to student information.
    • Access Control - limit access to the minimum required for each person to perform their assigned duties.
    • Encryption - encrypt all sensitive data in motion and wherever possible encrypt sensitive data at rest.
    • Secure Development - implement secure development processes and security assessments for in-house developed applications.
    • Change Management - implement formal change management processes.
    • Monitoring - implement monitoring controls (e.g., network, application, etc.) capable of detecting changes in the environment and inappropriate access to data.
    • Additional controls referenced by the Dear Colleague (GEN-15-18) letter are detailed in NIST SP 800-171.
  • Regular Testing - periodic vulnerability assessments and annual penetration testing. Typically, vulnerability scans are performed internally and externally on at least a quarterly schedule. Annual penetration testing can be conducted on a risk-based schedule (typically annually for external testing).
  • Information Security Training - both information security awareness for all users, as well as specialty security training for the staff with information security responsibilities.
  • Vendor Risk Management - periodic reviews of vendors supporting higher risk areas, such as those with access to student financial aid data.
  • Incident Response Plan - a written plan, tested at least annually, providing the detailed guidance necessary to deal with an information security incident (e.g., data breach, ransomware, etc.).
  • Annual Reports - a report on the past year's events and activities to the governing body (e.g., audit committee, regents, board, etc.).

Many of the security controls are described in the National Institute of Standards and Technology (NIST) Special Publications (SP), such as NIST SP 800-30r1, Guide for Conducting Risk Assessments, and NIST SP 800-171r2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Educause also provides access to many resources, including templates and checklists, especially the Incident Management and Response templates.

The important message is to get started on these efforts. December 2022 is rapidly approaching and at some point soon external auditors will begin asking about the status of the program.

As always, if you need information or assistance with any of the areas discussed in this E-Focus, please feel free to contact the RubinBrown Colleges and Universities team at any time.

 
