Information Security to Be Tested as Part of the Higher Education Single Audit
The U.S. Office of Management and Budget (OMB) plans to include new Special Tests and Provisions in its 2018 Compliance Supplement, with the Department of Education (ED) adding the corresponding testing requirements to the Audit Guide shortly thereafter. This means that your college or university’s compliance with certain provisions of the Gramm-Leach-Bliley Act (GLBA), which are designed to help your institution properly secure sensitive student data, will be tested as part of your single audit, beginning in either 2018 or 2019.
All of this comes on the heels of the ED’s “Dear Colleague” letters GEN-15-18 and GEN-16-12, which emphasize the importance of protecting student information, and after proposed special tests and provisions were included in the 2017 Compliance Supplement Vet Draft but later removed.
The ED has lately cautioned higher education institutions that data security and student privacy are becoming a critical review issue. Failure to comply with GLBA standards may bring penalties that range from monetary fines to the restriction or loss of eligibility for Title IV funding.
Be prepared for GLBA compliance testing
The GLBA’s Safeguards Rule contains several standards for protecting student information. The rule lists specific elements that your institution must have in place in order to properly develop, implement, and maintain its information security program. You can anticipate that some or all of the following items will be verified as part of the single audit:
- Someone has been designated to coordinate your information security program.
- You have identified the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of your data. This is accomplished by conducting a risk assessment, which must at a minimum cover:
  - Employee training and management;
  - Information systems, including network and software design, information processing, storage, transmission, and disposal; and
  - Detecting, preventing, and responding to attacks, intrusions, or system failures.
- You have designed and implemented information safeguards to mitigate the risks that were identified in the risk assessment.
- Your institution oversees its service providers by 1) selecting and retaining only those that maintain appropriate safeguards, and 2) requiring them by contract to implement and maintain safeguards that protect confidential data.
- You have evaluated and updated your information security program based on the results of testing and monitoring, or on any other circumstances known to affect it.
Make sure that your institution has completed and thoroughly documented each of these items.
Remember, data breaches must be reported immediately
While the ED has become more communicative about the importance of compliance with the GLBA’s data privacy provisions, many institutions are being fined because of a lack of awareness of the related reporting requirements. Institutions must report a data breach on the day the incident is detected or suspected. Failure to report can result in a fine of up to $54,789 per violation.
To avoid violations and fines, you need to understand what a data breach is and what information must be reported. The GLBA defines a breach as any “unauthorized disclosure, misuse, alteration, destruction, or other compromise of information.” It does not require that the breach be electronic in nature, and it sets no minimum number of compromised records for an incident to qualify as a breach.
When you report a known or suspected data breach, you must include the following information:
- Date of the breach
- The type of information and the number of records that were disclosed, misused, altered, destroyed, or otherwise compromised
- How the breach occurred (e.g., phishing, hack, accidental exposure, etc.)
- Your information security program officer’s contact information
- A detailed description of what your institution has done and/or will do to notify the affected parties, and the specific steps you are taking or will undertake to mitigate the breach’s impact
Once you have gathered as much of this information as you can, report the data breach by emailing the ED’s designated breach-reporting address or by calling the Education Security Operations Center at 202-245-6550.
Resources to help you comply
There are two particularly helpful tools that can assist your institution with GLBA compliance:
- Cybersecurity Assessment Tool (CAT), built by the Federal Financial Institutions Examination Council (FFIEC)
- Institutions of Higher Education (IHE) Compliance Framework
How we can help
CLA higher education and information technology professionals understand how these new testing requirements may affect your organization. We can help you implement procedures and protocols that keep you compliant, and work with you to assess and remedy information security weaknesses throughout your systems.