Higher Education Faces a New Information Security Compliance Check

Last Updated on January 18, 2024

The other day I had a somewhat harried conversation with the IT director of a small liberal arts college. She was justifiably concerned about a new Gramm-Leach-Bliley Act (GLBA) compliance check that has been added to the student financial aid cluster in the Office of Management and Budget (OMB) 2019 Compliance Supplement.
Her small team was short on both expertise and funding to understand the new audit requirements and address any gaps. Thus she was looking for “the straight and narrow” path to demonstrating compliance.
It’s well known that colleges and universities are expected to comply with GLBA’s Safeguards Rule around information security because of all the lending they do, especially administering federal student loans. So there are no “new” rules on the table. What’s significant about the OMB’s focus on GLBA audit objectives is that new compliance oversight—and the need for schools to demonstrate GLBA compliance—is part of the US Department of Education’s Title IV audit process.

GLBA’s Safeguards Rule states that colleges and universities need to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to [the institution’s] size and complexity, the nature and scope of [institutional] activities, and the sensitivity of any customer information at issue.”
The Safeguards Rule also mandates several components that schools’ InfoSec programs must include.
How should higher education institutions prepare to demonstrate compliance with these audit requirements? Here are the essential steps as specified in the OMB’s 2019 Compliance Supplement:

• Verify that your school has assigned one or more people to coordinate its information security program.
• Confirm that you have performed a risk assessment covering key operational areas like employee training, IT systems and networks, data storage/backup, and incident response.
• Confirm that you have implemented and documented controls to mitigate each of the identified risks.

The good news is that the Compliance Supplement doesn’t specifically call out all the GLBA Safeguards Rule requirements, some of which entail significant effort; e.g.:

• Conduct vendor risk management (VRM) activities to ensure service providers that handle student data are able to keep it safe
• Contractually mandate that your service providers that handle student data implement and maintain GLBA-compliant controls
• Regularly assess and amend the information security program based on testing and monitoring, changes in your environment, etc.

Hopefully most of the above is “old hat” for higher ed IT institutions. Further, a heightened need to demonstrate GLBA compliance is not unwarranted given the ongoing storm of cyber attacks targeting higher ed’s troves of sensitive financial, personal and intellectual property data. Schools need to stay up-to-date on compliance issues as part of maintaining a viable information security posture.
If your school hasn’t already begun reviewing (and if necessary updating) your InfoSec program documentation and addressing any compliance “gaps,” you should get started ASAP. The new compliance check is effective for all colleges and universities under Title IV as the fiscal year ended on June 30, 2019 or later.
For more information, the 2019 Compliance Supplement is available here.