On July 1, 2016, the US Department of Education (DOE) released guidance in the form of a “Dear Colleague” letter emphasizing the importance of data security for higher education institutions and reminding institutions of their legal obligations to protect student information used in the administration of Title IV programs. Each institution’s Program Participation Agreement includes a provision that the institution must comply with the Gramm-Leach-Bliley Act (GLBA). The GLBA is the federal law that governs financial institutions and their collection and use of private and personally identifiable information. The Act requires institutions to ensure the security and confidentiality of student financial aid records and information.
The National Association of College and University Business Officers (NACUBO) is recommending each institution review and evaluate their current compliance with 16 CFR Part 314 – Standards for Safeguarding Customer Information, and offers these suggestions:
- Designating an employee or employees to coordinate the information security program
- Identifying reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information that could result in the unauthorized disclosure, misuse, destruction or other compromise of such information, and assessing the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in the following operational areas:
  - Employee training and management
  - Information systems, including network and software design as well as information processing
  - Storage, transmission and disposal
  - Detection and prevention of and response to attacks, intrusions or other system failures
- Designing and implementing information safeguards to control the identified risks, and regularly testing or monitoring the effectiveness of the safeguards’ key controls, systems and procedures.
- Overseeing service providers by taking reasonable steps to select and retain providers that are capable of implementing and maintaining appropriate safeguards for the customer/student information.
- Evaluating and adjusting the information security program in light of changed circumstances based on the results of the testing and monitoring mentioned above.
The DOE plans to add a GLBA compliance check to the audit testing requirements for the student financial assistance cluster in the 2018 version of the Office of Management and Budget (OMB) Compliance Supplement. This document provides auditors with guidelines for reviewing compliance with federal rules when auditing the student financial assistance cluster as a major program.
At the 2017 Federal Student Aid (FSA) Conference in December 2017, the DOE provided the following draft audit language, which is anticipated to be included in the OMB Compliance Supplement:
Determine whether the Institution of Higher Education (IHE) designated an individual to coordinate the information security program, performed a risk assessment that addresses the three areas noted in 16 CFR 314.4(b), and documented safeguards for identified risks.
Suggested Audit Procedures
a. Verify that the IHE has designated an individual to coordinate the information security program.
b. Obtain the IHE risk assessment and verify that it addresses the three required areas noted in 16 CFR 314.4(b).
c. Obtain the documentation created by the IHE that aligns each safeguard with each risk identified in step b above, verifying that the IHE has identified a safeguard for each risk.
All institutions must have GLBA safeguards in place. Institutions without GLBA safeguards may be found administratively incapable (unable to properly administer Title IV funds), which may result in termination of funding.
The DOE provided the following steps to help ensure that your institution is compliant with the GLBA requirements:
- Find the information security policy and program for your school – if you don’t have one, develop one.
- Verify that your school’s information security policy and program names a contact person – keep that person’s information up to date in the policy, and confirm they are actively managing the program.
- Verify that your school has an information risk assessment/testing schedule in place – if you don’t have one, develop one.
- Verify that your school has documented the tests and results based on that schedule – if no testing has been done, have your team start following the schedule and document the results.
- Add your information security policy, program, schedule and contact information to your consumer information and compliance website so that you can easily find and maintain it.
- Communicate the plan to your entire executive team so that if a breach happens, everyone is prepared to respond immediately and appropriately.
The DOE suggests that institutions utilize the Cybersecurity Assessment Tool (CAT). This is an optional self-assessment tool that helps schools establish a current risk profile for the executive team to review and then prioritize. The tool provides an in-depth review of each of the required domains and will directly align with the GLBA requirements.
Institutions can also refer to the EDUCAUSE Information Security Guide. This guide is provided by the Higher Education Information Security Council and provides “practical approaches to creating higher education information security programs and preventing, detecting, and responding to information security problems in a wide range of higher education environments.”
If you have questions about your school’s data security and compliance, contact your CSH advisor.