Colleges and universities that administer student financial aid associated with Title IV programs have had to comply with the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA) since May 2003. That regulation was updated December 9, 2021, with some new requirements effective June 9, 2023.
The updates provide additional details and enhancements to the data security requirements to reflect the cyber threats, risks, and challenges in helping to secure student financial aid data.
Security Control Requirements
The original six security control requirements of the Safeguards Rule have been expanded to nine. Some of the original six have been reworded to provide further clarity. These requirements, essential to a formalized and written information security program, are:
Colleges and universities must have an information security program in place that incorporates these requirements by June 9, 2023.
Not every institution has the same risk profile, size and complexity of IT, and resources to work toward compliance. The GLBA takes this into account and gives some leeway to smaller institutions with fewer than 5,000 students: for them, only the first seven requirements apply.
Start Compliance Work Now
Colleges and universities can consider these actions for meeting each requirement by the deadline.
Designate a Qualified Individual
A qualified individual should be one who has the skill and experience to oversee the institution’s efforts to protect sensitive data like student financial aid data. This person doesn’t need to be in executive management—or even an employee.
This person could be a service provider, such as a virtual chief information security officer (CISO) or consultant, tasked with keeping data secure. Choose someone with experience commensurate with the size and complexity of the institution’s operating environment. Oversight of a large university system with multiple campuses will have challenges very different from an institution with a single location.
Conduct a Risk Assessment
Conducting a risk assessment entails identifying where all student financial aid information is handled, processed, stored, and transmitted, and understanding the threats, vulnerabilities, and risks that could impact the security of that information.
Define the ways student financial aid data is acquired, including the applications and systems that are used, and follow its lifecycle to its ultimate storage location or disposal. After identifying the data lifecycle flow, identify potential threats and vulnerabilities along the way. These threats could be an external hacker, a disgruntled employee, or an untrained employee in the financial aid office.
Vulnerabilities could be an insecure file transfer system, lax application controls, or nonexistent encryption on databases. Once threats and vulnerabilities are identified, the risks should be identified and ranked. Risks could be things like loss or inadvertent exposure of student financial aid data, or reputational damage because of a data breach.
Rating risks as critical, high, medium, or low should help identify appropriate and necessary controls.
Design and Implement Safeguards
Safeguards based on the risk assessment should be designed and implemented.
Technical safeguards may include:
- Stringent rules configured on the network firewalls
- Encryption enabled on databases that house student financial aid data
- Multifactor authentication (MFA) to access the financial aid system
- Access logging
Administrative safeguards may include policies that mandate certain security controls and describe sanctions for noncompliance.
Monitor and Test Safeguards
To help make certain that safeguards are operating at an optimal level for securing student financial aid data, regularly monitor and test their effectiveness. For example, penetration testing could be performed against the network firewall to ascertain that malicious traffic is blocked.
Quarterly email phishing tests could be performed to test employee susceptibility.
Audit log alerts could be set on specific systems to notify the appropriate teams about potentially nefarious activity.
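Audit log alerting of the kind described above, as an added example that is not from the article: a small Python detector run over a constructed audit log from a hypothetical financial aid system, flagging failed-login bursts, successful logins that bypassed MFA, and off-hours bulk record exports. The log format, user names, source addresses and alerting thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log for a hypothetical financial aid system (not from the article).
SAMPLE_LOG = """\
2023-06-01T09:02:11 user=jdoe action=LOGIN_OK mfa=yes src=10.20.0.5
2023-06-01T09:05:40 user=asmith action=LOGIN_FAIL src=203.0.113.9
2023-06-01T09:06:02 user=asmith action=LOGIN_FAIL src=203.0.113.9
2023-06-01T09:06:30 user=asmith action=LOGIN_FAIL src=203.0.113.9
2023-06-01T09:07:01 user=asmith action=LOGIN_OK mfa=no src=203.0.113.9
2023-06-01T23:41:17 user=asmith action=EXPORT_RECORDS count=4200 src=203.0.113.9
2023-06-01T10:15:00 user=jdoe action=VIEW_RECORD count=1 src=10.20.0.5
"""

# Assumed alerting thresholds (illustrative policy values, not from the article).
FAIL_THRESHOLD = 3                  # failed logins for one account ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this sliding window
BUSINESS_HOURS = range(7, 19)       # 07:00-18:59; exports outside this are suspect
BULK_EXPORT_MIN = 500               # records in a single export that count as bulk


def parse_line(line):
    """Turn '<iso timestamp> key=value key=value ...' into a dict."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def audit_alerts(log_text):
    """Return (rule, user) tuples for events that should notify the security team."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])  # log lines do not always arrive in order
    alerts, recent_fails = [], defaultdict(list)
    for e in events:
        user, action, ts = e["user"], e["action"], e["ts"]
        if action == "LOGIN_FAIL":
            window = [t for t in recent_fails[user] if ts - t <= FAIL_WINDOW] + [ts]
            recent_fails[user] = window
            if len(window) == FAIL_THRESHOLD:  # fire once, when the threshold is hit
                alerts.append(("failed_login_burst", user))
        elif action == "LOGIN_OK" and e.get("mfa") != "yes":
            alerts.append(("login_without_mfa", user))  # MFA safeguard was bypassed
        elif action == "EXPORT_RECORDS" and ts.hour not in BUSINESS_HOURS:
            if int(e.get("count", 0)) >= BULK_EXPORT_MIN:
                alerts.append(("off_hours_bulk_export", user))
    return alerts
```

In practice these rules would run in the institution's SIEM or log pipeline and route to the team named in the incident response plan; the point here is that each alert maps back to a specific safeguard (MFA, access logging, data handling policy).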
Protect student financial aid data by requiring security awareness training across the workforce—faculty, staff, student workers, vendors, and contractors. Your workforce will be the first line of defense against attempts by cybercriminals to circumvent technical controls like the firewall or antimalware software.
Security awareness training will help to keep your workforce alert to potential risks such as phishing emails, phone-based impersonation attacks, and bad actors following authorized people into sensitive areas.
Training the workforce to recognize social engineering attacks will help reduce the risk of ransomware, data theft, or unauthorized access to systems and data.
Monitor Service Providers
Many institutions use the specialization and expertise third-party service providers offer when they lack the skills in-house. Many IT departments don’t have staff dedicated to supporting a particular system or application.
Third-party support has a lot of benefits, but there are risks, such as a lack of data security safeguards within the service provider's own environment. Monitor third-party service providers that handle student financial aid data or sensitive data on the institution's behalf. Their cybersecurity posture should be aligned with yours, and the obligation and responsibility to ensure the safety of student financial aid data flows down to the service provider.
Reviewing external audit reports of the service provider's internal control structure, such as a System and Organization Controls (SOC) 2® Type 2 audit performed at least annually, is one of several ways to do this.
Keep Information Security Program Current
An information security program would not be as effective if it were not reviewed regularly. Keep it updated to reflect newly introduced threats and risks to student financial aid data from new system implementations, new facilities, changes in business operations, and changes in cybersecurity.
Review the facets of the information security program at least annually to determine if any policies, procedures, or technologies need changes or updates. The designated qualified individual overseeing the program should start the reviews. That person may involve others within the institution’s information technology, legal, human resources, and executive management teams.
Write an Incident Response Plan
An incident response plan (IRP) is like accident insurance. You hope you never have to use it but it’s nice to have when needed.
For institutions hit with a successful cyber or ransomware attack, a well-documented, well-rehearsed IRP could mean the difference between a few minutes of inconvenience and several days or weeks to recover. An IRP details the protocols to follow in a cybersecurity incident. It's the playbook for addressing the incident and minimizing the damage or unexpected downtime of a critical system.
In the aftermath of a security incident when the situation could get chaotic, the IRP can offer guidance for minimizing adverse impacts and returning to normal operations. The IRP should be a living document reviewed and modified as conditions change.
Report to the Board of Directors
The designated qualified individual should report at least annually to the institution’s board of directors or trustees. If such a group isn’t available, that person should give a senior management representative an assessment of the institution’s information security program.
Assessment topics should include:
- Results of risk assessments performed
- Results of any penetration tests or other testing procedures
- Challenges encountered optimizing the program
- Outcome of security events
- Issues with third-party providers
Regular reports can also include, among other things:
- Number of cyberattacks thwarted during the year
- Effectiveness of phishing attack tests
- Any malicious software caught and quarantined
Make and Document Plans
While meeting the Safeguards Rule requirements may seem daunting, the most important step is starting the process to document what the information security program should resemble at your institution.
The deadline of June 9, 2023, is approaching. Institutions that aren’t compliant with the Safeguards Rule may be required by the Department of Education to develop or revise their information security programs and submit a corrective action plan (CAP) that describes the steps to be taken by the institution to achieve compliance by a specific date.
Continued failure to comply may result in a ban on participation in the Title IV programs, a disabling of access to the Department of Education's information systems, or a fine of $100,000.
We’re Here to Help
If you have concerns about how the Safeguards Rule impacts your institution, contact your Moss Adams professional.
Visit our Cybersecurity Risk & IT Compliance Services for more information.