This article was updated November 8, 2023.
Colleges and universities that administer student financial aid associated with Title IV programs have had to comply with the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA) since May 2003. That regulation was updated December 9, 2021, with some new requirements that went into effect on June 9, 2023.
The updates add detail to the data security requirements to reflect current cyber threats and the practical challenges of securing student financial aid data.
Security Control Requirements
The Safeguards Rule's original set of security control requirements has been expanded to nine, and several of the original requirements were reworded for clarity. These requirements, each of which must be addressed in a formal, written information security program, are to:
- Designate a qualified individual to implement and supervise your institution's information security program
- Conduct a risk assessment
- Design and implement safeguards to control the risks identified through your risk assessment
- Regularly monitor and test the effectiveness of your safeguards
- Train your staff
- Monitor your service providers
- Keep your information security program current
- Create a written incident response plan
- Require your qualified individual to report to your board of directors
Colleges and universities should have had a documented information security program in place that incorporates these requirements as of June 9, 2023.
The Safeguards Rule is scalable to your institution. Not every institution has the same risk profile, size and complexity of IT, or resources to devote to compliance. The rule takes this into account and gives some leeway to smaller institutions: an institution that maintains customer information about fewer than 5,000 consumers (for a college, essentially fewer than 5,000 students and other aid recipients) is exempt from the written risk assessment, the written incident response plan, and the annual report to the board, and from the rule's specific testing cadence. The remaining requirements still apply, and a written program that addresses them is still expected.
Start Compliance Work
If your institution hasn't yet developed an information security program that reflects the additions to the Safeguards Rule, consider these actions for meeting each requirement.
Designate a Qualified Individual
A qualified individual should be one who has the skill and experience to oversee the institution’s efforts to protect sensitive data like student financial aid data.
This person doesn’t need to be in executive management—or even an employee—but should have the requisite knowledge needed to understand cyber threats, risks to student financial aid data, and the control environment to be able to mitigate and reduce risk to sensitive data.
This person could be a service provider, such as a virtual chief information security officer (vCISO) or consultant, tasked with keeping data secure. Choose someone with experience commensurate with the size and complexity of the institution’s operating environment. Oversight of a large university system with multiple campuses will have challenges very different from an institution with a single location.
Conduct a Risk Assessment
Conducting a risk assessment entails identifying where all student financial aid information is handled, processed, stored, and transmitted, and understanding the threats, vulnerabilities, and risks that could impact the security of that information.
Define the ways student financial aid data is acquired, including the applications and systems that are used, and follow its lifecycle to its ultimate storage location or disposal. After identifying the data lifecycle flow, identify potential threats and vulnerabilities along the way. These threats could be an external hacker, disgruntled employee, or an untrained employee in the financial aid office.
Vulnerabilities could include an insecure file transfer system, lax application controls, or unencrypted databases. Once threats and vulnerabilities are identified, the resulting risks should be enumerated and ranked. Risks could include loss or inadvertent exposure of student financial aid data, or reputational damage following a data breach.
Rating risks as critical, high, medium, or low should help identify appropriate and necessary controls.
Design and Implement Safeguards
Safeguards based on the risk assessment should be designed and implemented to effectively mitigate the risks identified and to thwart threats before they materialize.
Technical safeguards may include:
- Stringent rules configured on the network firewalls
- Encryption enabled on databases that house student financial aid data
- Email encryption to protect data while it is in transit
- Multifactor authentication (MFA) to access the financial aid system
- Access logging and alerting on suspicious events
Two of these are no longer optional under the amended rule: customer information must be encrypted both in transit over external networks and at rest, and MFA is required for any individual accessing an information system that holds it. The qualified individual may approve, in writing, effective compensating controls where encryption is infeasible or where access controls are reasonably equivalent to MFA, but that approval must be documented.
Administrative safeguards may include policies that mandate specific security controls and describe sanctions for noncompliance, along with documented procedures for implementing the controls the policies require.
Monitor and Test Safeguards
To help make certain that safeguards are operating as intended for securing student financial aid data, regularly monitor and test their effectiveness. For example, penetration testing could be performed against the network firewall to confirm that malicious traffic is blocked.
Vulnerability assessment scans against internet-facing systems and systems handling sensitive information should occur monthly as part of routine IT procedures. That is more frequent than the rule's minimum: an institution without continuous monitoring must perform annual penetration testing and vulnerability assessments at least every six months, plus additional testing whenever operations change materially.
Quarterly email phishing tests could be performed to test employee susceptibility to social engineering attacks. Similarly, phone-based impersonation—vishing—attack testing should be performed to test employees’ awareness of those types of attacks.
Audit log alerts could be set on specific systems to notify the appropriate teams about potentially malicious activity. Where possible, centralizing log collection and analysis in a security information and event management (SIEM) system is an effective way to spot such activity across the network rather than one system at a time.
Train Your Staff
Protect student financial aid data by requiring security awareness training across the workforce: faculty, staff, student workers, vendors, and contractors. Your workforce is the first line of defense against attempts by cybercriminals to circumvent technical controls like the firewall or antimalware software.
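The access logging and audit alerting described above (in the technical safeguards list and in this section) is the one element here that turns into detection logic. The following is an added example, not code from the original article or from any financial aid product: it parses a constructed audit log from a hypothetical financial aid system and raises alerts for the kinds of events a team would want paged on. The log line format, user names, IP addresses, and thresholds are all assumptions made for the example.

```python
"""Alerting on suspicious events in financial aid system access logs.

Added example, not from the original article. The log format, thresholds,
users and addresses below are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed (constructed) log format, one event per line:
#   <ISO timestamp> user=<id> action=<login_ok|login_fail|record_view> mfa=<yes|no> src=<ip> [student=<id>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) mfa=(?P<mfa>yes|no)"
    r" src=(?P<src>\S+)(?: student=(?P<student>\S+))?$"
)

FAIL_THRESHOLD = 5                 # failed logins per user inside FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 50                # distinct student records per user inside BULK_WINDOW
BULK_WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(7, 20)      # 07:00-19:59 local time; assumed for the example


def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # in production, unparseable lines should be counted and reviewed, not dropped silently
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines):
    """Run the detections over an iterable of log lines; return a list of alert dicts."""
    alerts = []
    fails = defaultdict(list)   # user -> timestamps of recent failed logins
    views = defaultdict(list)   # user -> (timestamp, student id) of recent record views

    def alert(kind, ev):
        alerts.append({"time": ev["ts"], "kind": kind, "user": ev["user"], "src": ev["src"]})

    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, user, action = ev["ts"], ev["user"], ev["action"]

        if action == "login_fail":
            fails[user] = [t for t in fails[user] if ts - t <= FAIL_WINDOW] + [ts]
            if len(fails[user]) == FAIL_THRESHOLD:     # fire once, on the Nth failure
                alert("brute_force", ev)

        elif action == "login_ok":
            if ev["mfa"] == "no":                      # the rule expects MFA on every interactive login
                alert("no_mfa", ev)
            if ts.hour not in BUSINESS_HOURS:
                alert("after_hours_login", ev)
            recent = [t for t in fails[user] if ts - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:          # guessing may have succeeded
                alert("success_after_failures", ev)
            fails[user] = []

        elif action == "record_view":
            views[user] = [(t, s) for t, s in views[user] if ts - t <= BULK_WINDOW]
            views[user].append((ts, ev["student"]))
            if len({s for _, s in views[user]}) == BULK_THRESHOLD:
                alert("bulk_record_access", ev)        # possible data scraping or export
    return alerts


def sample_log():
    """Constructed sample log (not real data) that exercises every detection once."""
    lines = [
        "2023-11-08T09:00:00 user=jdoe action=login_ok mfa=yes src=10.1.2.3",
        "2023-11-08T09:01:10 user=jdoe action=record_view mfa=yes src=10.1.2.3 student=S1001",
        # service account logging in at 02:15 without MFA
        "2023-11-08T02:15:00 user=svc_batch action=login_ok mfa=no src=10.9.9.9",
    ]
    # five failures in five minutes from one address, then a successful login
    for i in range(5):
        lines.append(f"2023-11-08T11:0{i}:00 user=asmith action=login_fail mfa=no src=203.0.113.5")
    lines.append("2023-11-08T11:06:00 user=asmith action=login_ok mfa=yes src=203.0.113.5")
    # one user opening 50 distinct student records in under a minute
    for i in range(50):
        lines.append(f"2023-11-08T14:00:{i:02d} user=rlee action=record_view mfa=yes src=10.1.2.7 student=S{2000 + i}")
    return lines


if __name__ == "__main__":
    for a in detect(sample_log()):
        print(f"{a['time']:%Y-%m-%d %H:%M:%S} {a['kind']:<24} user={a['user']} src={a['src']}")
```

Each detection keeps a sliding window per user rather than a global counter, so a legitimate user who mistypes a password twice is never paged, while five failures in ten minutes followed by a success is. In a real deployment these rules would live in the SIEM or log pipeline rather than a script, but the logic is the same.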
Security awareness training will help to keep your workforce alert to potential risks such as phishing emails, phone-based impersonation attacks, and bad actors following authorized people into sensitive areas.
Training the workforce to recognize social engineering attacks will help reduce the risk of ransomware, data theft, or unauthorized access to systems and data.
Monitor Service Providers
Many institutions rely on the specialization and expertise of third-party service providers when they lack the skills in-house. Many IT departments don't have staff dedicated to supporting a particular system or application, so third-party support can be more efficient, perform better, and at times cost less than a full-time system administrator.
Third-party support has real benefits, but it also carries risks, such as weak data security safeguards within the service provider's own environment. Monitor any third-party service provider that handles student financial aid data or other sensitive data on the institution's behalf.
The provider's cybersecurity posture should be aligned with yours, and the obligation to protect student financial aid data flows down to the provider. Agreements with the provider should state this explicitly and require the provider to implement and maintain appropriate safeguards, so that securing sensitive data is a shared responsibility.
Reviewing external audit reports on the provider's controls, such as a System and Organization Controls (SOC) 2® Type 2 report obtained at least annually, is one of several ways to periodically assess the provider's control environment. A SOC 2 report or similar attestation describes the controls the provider operates to keep customer data safe while in its possession and, for a Type 2 report, whether those controls operated effectively over the review period. Read the exceptions and the scope of the report, not just its existence: a report that doesn't cover the system holding your data tells you little.
Keep Information Security Program Current
An information security program loses effectiveness if it isn't reviewed regularly. Keep it updated to reflect new threats and risks to student financial aid data arising from new system implementations, new facilities, changes in business operations, and changes in the threat landscape.
Review the facets of the information security program at least annually to determine if any policies, procedures, or technologies need changes or updates. The designated qualified individual overseeing the program should start the reviews. That person may involve others within the institution’s information technology, legal, human resources, and executive management teams to provide input and perspective on where cybersecurity efforts should be focused.
Write an Incident Response Plan
An incident response plan (IRP) is like accident insurance: you hope you never have to use it, but you want it in place when it's needed. An IRP sets out the steps to take and the roles and decision points to follow during and after a data security breach or other cybersecurity event.
For institutions hit with a successful cyber or ransomware attack, a well-documented, well-rehearsed IRP can mean the difference between hours of disruption and weeks of recovery. It's the playbook for containing the incident and minimizing the damage or unexpected downtime of a critical system.
In the aftermath of a security incident, when the situation can become chaotic, the IRP provides the structure for minimizing adverse impacts and returning to normal operations. It will often include playbooks for specific attack and data breach scenarios, such as malware infection, employee sabotage, or a stolen laptop, and should identify who is notified, internally and externally, and when.
The IRP should be a living document reviewed and modified as conditions change.
Report to the Board of Directors
The designated qualified individual should report at least annually to the institution’s board of directors or trustees. If such a group isn’t available, that person should give a senior management representative an assessment of the institution’s information security program.
Assessment topics should include:
- Results of risk assessments performed
- Results of any penetration tests or other testing procedures
- Challenges encountered optimizing the program
- Outcome of security events
- Issues with third-party providers
Regular reports can also include, among other things:
- Number of cyberattacks thwarted during the year
- Effectiveness of phishing attack tests
- Any malicious software caught and quarantined
Make and Document Plans
While meeting the Safeguards Rule requirements may seem daunting, the most important step is to start documenting what the information security program should look like at your institution.
Now that the deadline of June 9, 2023, has passed, institutions that aren’t compliant with the Safeguards Rule may be required by the Department of Education to develop or revise their information security programs and submit a corrective action plan (CAP) that describes the steps to be taken by the institution to achieve compliance by a specific date.
Continued failure to comply may result in a ban of participation in the Title IV programs, a disabling of access to the Department of Education’s information systems, or a fine of $100,000.
We’re Here to Help
If you have concerns about how the Safeguards Rule impacts your institution, contact your Moss Adams professional.