The amended FTC Safeguards Rule, issued under the Gramm-Leach-Bliley Act (GLBA), was released in December 2021 and goes into effect in December 2022. The amendments expand the definition of nonbanking financial institutions to include higher education institutions that provide student financial aid.
The requirements focus on establishing a cybersecurity program designed to protect student financial information.
A brief overview of the main requirements includes:
- Designate a "Single Qualified Individual" to oversee and enforce the information security program: a trained information security officer, or a senior IT leader/person with security training and experience. Outside advisory support is allowed as well.
- Periodic Risk Assessments: risk assessments need to be updated annually to identify risks, and the information security program must use them to address the identified risks.
- Design and Implement Security: use the risk assessment to implement appropriate security controls. These will vary based on the risks identified, but broadly include:
  - Authentication: implement multifactor authentication (MFA) for access to all information systems. At a minimum, implement MFA for all remote access, email, and access to student information.
  - Access Control: limit access to the minimum required for each person to perform their assigned duties.
  - Encryption: encrypt all sensitive data in motion and, wherever possible, encrypt sensitive data at rest.
  - Secure Development: implement secure development processes and security assessments for in-house developed applications.
  - Change Management: implement formal change management processes.
  - Monitoring: implement monitoring controls (e.g., network, application, etc.) capable of detecting changes in the environment and inappropriate access to data.
  - Additional controls referenced by the Dear Colleague letter (GEN-15-18) are detailed in NIST SP 800-171.
- Regular Testing: periodic vulnerability assessments and annual penetration testing. Typically, vulnerability scans are performed internally and externally on at least a quarterly schedule. Penetration testing can be conducted on a risk-based schedule (typically annually for external testing).
- Information Security Training: both information security awareness for all users and specialty security training for the staff with information security responsibilities.
- Vendor Risk Management: periodic reviews of vendors supporting higher-risk areas, such as those with access to student financial aid data.
- Incident Response Plan: a written plan, tested at least annually, providing the detailed guidance necessary to deal with an information security incident (e.g., data breach, ransomware, etc.).
- Annual Reports: a report on the past year's events and activities to the governing body (e.g., audit committee, regents, board, etc.).
Many of the security controls are described in the National Institute of Standards and Technology (NIST) Special Publications (SP), such as NIST SP 800-30r1, Guide for Conducting Risk Assessments, and NIST SP 800-171r2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Educause also provides access to many resources, including templates and checklists, especially the Incident Management and Response templates.
The important message is to get started on these efforts. December 2022 is rapidly approaching, and at some point soon external auditors will begin asking about the status of the program.
As always, if you need information or assistance with any of the areas discussed in this E-Focus, please feel free to contact the RubinBrown Colleges and Universities team at any time.