TL;DR
Security teams face a myriad of problems when starting and executing a cybersecurity risk assessment. Coordinating a risk assessment is a big undertaking. It can present a lot of different obstacles in the form of technical, political, and operational challenges. In this article, we will uncover the top five problems that security teams face during risk assessments and provide some insight into how you can overcome them.
Introduction
The Gramm-Leach-Bliley Act (GLBA) has existed for years, but it has only directly affected colleges and universities in the past four years. Higher education organizations will need to review their GLBA compliance posture to ensure they meet the upcoming Safeguards Rule changes scheduled to take effect in June 2023.
What is the GLBA?
The Gramm-Leach-Bliley Act is a federal law that regulates the collection, storage, and transmission of Personally Identifiable Information (PII) by financial institutions. It consists of three sections: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting provisions.
Does GLBA Compliance Apply to Higher Education?
The short answer is yes. GLBA compliance has affected various institutions since 1999, and higher education institutions have been subject to compliance audits since 2018.
The US Department of Education Federal Student Financial Aid Office (FSA) designated Title IV institutions as “financial institutions,” making them subject to GLBA compliance. The FSA also confirmed that most data sourced from the Department of Education, along with information used in administering Title IV programs, is classified as Controlled Unclassified Information (CUI).
Currently, GLBA in higher education applies to how colleges and universities collect, store, and utilize student financial records containing PII, such as tuition payments and financial aid records. The Federal Trade Commission (FTC) enforces both the Privacy Rule (16 CFR 313) and the Safeguards Rule (16 CFR 314).
The GLBA Privacy Rule
The GLBA Financial Privacy Rule governs the collection and disclosure of private financial information. In general, colleges and universities comply with the Privacy Rule if they comply with the Family Educational Rights and Privacy Act (FERPA), which we explain in greater detail below.
The GLBA Safeguards Rule
Since 2003, the GLBA Safeguards Rule has mandated that higher education institutions establish an information security program to safeguard customer information.
Although GLBA compliance was initially self-regulated, an amendment in 2017 by the Federal Office of Management and Budget (OMB) and the FSA mandated that schools include it in their annual federal compliance audits. The FSA began auditing colleges and universities for GLBA compliance in 2018.
During the initial evaluation process, auditors must verify that each institution has the following:
- Designated a person to manage the information security program
- Conducted a risk assessment that addressed employee training and management, information systems, and protocols for detecting, preventing, and responding to attacks
- Documented safeguards for each of the above security risks
In December 2021, the Federal Trade Commission issued final regulations to modify the Safeguards Rule. The modifications expand on existing minimum information security requirements at participating institutions and their third-party service providers. Affected organizations will need to take the following steps in response to the revised rule:
- Designate a qualified individual to oversee their information security program.
- Develop a written risk assessment.
- Limit and monitor access to sensitive student information.
- Encrypt all sensitive information.
- Train security personnel.
- Develop an incident response plan.
- Regularly evaluate the security practices of service providers.
- Implement multi-factor authentication (MFA) or another method with equivalent protection for anyone accessing student information.
Changes to the GLBA Safeguards Rule will take effect in June 2023. To learn more about the Safeguards Rule, please refer to our Complete Guide.
GLBA vs. FERPA
The GLBA and the Family Educational Rights and Privacy Act (FERPA) are federal laws that relate to privacy and confidentiality, but they have different scopes.
While GLBA applies to various financial institutions, FERPA applies specifically to educational institutions that receive federal funding.
FERPA protects the privacy of student and education records and gives students the right to inspect and review their education records, request that their records be amended if they are inaccurate or misleading, and control the disclosure of their education records to third parties.
GLBA vs. HEA
The GLBA and the Higher Education Act (HEA) are federal laws relating to different aspects of higher education and financial privacy.
The HEA governs the administration of federal higher education funding, policies, and programs, including financial aid programs such as Pell Grants, Stafford Loans, and work-study programs, as well as grants for research and development and funding for historically black colleges and universities, minority-serving institutions, and tribal colleges and universities.
The HEA also includes provisions related to the accreditation of colleges and universities, student privacy and rights, student loan repayment options, and various other issues related to higher education in the US.
GLBA Compliance Requirements for Higher Education Institutions
The GLBA audit process described earlier offers a glimpse into what colleges and universities must do to comply with the GLBA. However, having a more comprehensive understanding of the requirements is critical.
First and foremost, institutions must create a written information security program that explains the safeguards they have in place to protect student information. Although these documents may differ from one school to the next, every institution’s information security program must include the following elements:
- A designated qualified employee who coordinates the comprehensive information security program
- A means of identifying and assessing risks to student information in each relevant area of operation, as well as a method for evaluating safeguards currently in place
- An implemented safeguards program that’s regularly monitored and tested
- Oversight of service providers, who must have the expertise and the obligation to maintain appropriate safeguards when handling sensitive information
- A process for evaluating and adjusting the information security program to account for relevant changes
GLBA compliance requirements are intentionally adaptable to meet the varying needs of financial institutions. However, the FTC offers additional guidance on what an effective information security plan should contain. These recommendations concentrate heavily on employee training and management, with suggested practices that include:
- Performing background checks on prospective employees
- Restricting access to sensitive information to authorized personnel
- Delivering security awareness training
- Enforcing disciplinary action for breaches
Although the Department of Education and FSA have not directly mandated any specific cybersecurity framework for GLBA compliance or other purposes, they have always “strongly encouraged” higher education institutions to adopt the National Institute of Standards and Technology Special Publication 800-171 Rev. 2, Controlled Unclassified Information in Nonfederal Systems (NIST 800-171).
In 2020, the Department of Education and FSA declared their intention to conduct NIST 800-171 self-assessments as part of the multi-year phased rollout of their Campus Cybersecurity Program (CCP). Furthermore, the FSA has consolidated its cybersecurity compliance guidance and made it accessible on the FSA Cybersecurity Compliance website.
Consequences for GLBA Non-Compliance
If a higher education institution is non-compliant, the FSA’s Postsecondary Institution Cybersecurity Team may disable the institution’s access to the Department of Education information systems.
Section 523 of the GLBA also outlines several criminal penalties. For example, institutions and violators may be subject to fines of up to $100,000, and individuals could face up to five years of imprisonment, or ten years for repeat offenders.
However, the most detrimental consequence of GLBA non-compliance is a security breach. In the case of a successful cyberattack, a perpetrator may leak or steal important student information. Institutions that fail to take appropriate measures to safeguard students’ financial information may pay significant ransoms to retrieve that data.
Even then, there is no guarantee that the attacker will return the information after receiving the money. Such non-compliance can also severely harm the university’s reputation. From a student’s perspective, why should they entrust such an institution with their personal information?
How Isora GRC from SaltyCloud can help with GLBA Compliance
Complying with GLBA may seem daunting. Fortunately, a lightweight governance, risk, and compliance (GRC) solution can help.
Isora GRC from SaltyCloud helps higher education institutions manage and maintain compliance with GLBA on a single, end-to-end assessment platform. With Isora GRC, colleges and universities can:
- Conduct a risk assessment using preloaded cybersecurity frameworks such as NIST 800-171.
- Collect, store, and document safeguards for any identified risks.
- Identify compliance gaps and work towards mitigation before an official audit.
- Conduct follow-up assessments to measure and document improvements in compliance programs.
- Access in-app score and gap analysis dashboards for GLBA compliance and export assessment data into audit-ready evidentiary reports.
SaltyCloud works with dozens of higher education institutions to help them manage cybersecurity risk, demonstrate regulatory compliance, manage vendor risk, and ace their GLBA audit, saving them valuable time and resources.