The five-year wait is finally over. In 2014 the Department of Education (ED) issued a Dear Colleague Letter notifying colleges and universities that they would need to comply with the data safeguard rules under the Gramm-Leach-Bliley Act (GLBA). The 2019 OMB Compliance Supplement was released July 1, 2019, and it does include new GLBA Data Safeguard requirements.

GLBA applies to colleges and universities only because they administer Title IV student financial aid programs. The requirements are effective for colleges and universities with fiscal years ending June 30, 2019 or later.

While we have had plenty of time to plan for GLBA and pore over the guidance issued since 2014, that guidance was not very specific, and we were not entirely sure what to expect. The 2019 Compliance Supplement does not contain all of the GLBA Safeguards Rule elements, only a subset. Will more come? Is the plan to phase in additional requirements each year? Or is this all we will see? The answer is, “We do not know at this point,” and no guidance has been provided yet on future plans. Either way, the good news is that the first-year requirements are less stringent than they could have been.

So what are the rules? They are summarized in the following three audit procedures:

  1. Verify that the institution has designated an individual to coordinate the information security program.
  2. Verify that the institution has performed a risk assessment that addresses the following three required areas:
    • Employee training and management;
    • Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
    • Detecting, preventing and responding to attacks, intrusions, or other systems failures.
  3. Verify that the institution has documented a safeguard for each risk identified.

Dean Dorton’s IT Audit and Cybersecurity Assessment team specializes in providing IT risk assessments and audits to help keep colleges and universities compliant with the new GLBA Data Safeguard requirements. Is your institution too small to hire an information security officer? We understand the budget constraints on today’s colleges and universities, and we can provide team members to serve as your institution’s information security officer, as well as consulting on hiring for and coordinating your information security program.