Since 1999, the Gramm-Leach-Bliley Act (GLBA) has held financial institutions responsible for protecting their customers' private information. Because Title IV schools receive federal funding for financial assistance, they are subject to GLBA requirements. For most colleges and universities, this is old news: the bill was completed in 1999, and in 2003 the FTC confirmed that higher ed institutions that process financial aid are classified as financial institutions. Alongside the Family Educational Rights and Privacy Act (FERPA), these are well-known standards for protecting student information.
While GLBA was created for financial institutions, considerable evidence has been shared to clarify the reasons that higher education institutions receiving financial aid fall under the same umbrella. Colleges and universities store large amounts of sensitive data and loan information related to student financial aid. This wealth of information combined with the very nature of a school's need to provide accessible information to the public makes higher education institutions an attractive target for cyber attackers.
What's New with GLBA?
Technically, nothing about GLBA has changed. The same standards are still in place and higher education institutions are still expected to follow the rules as dictated by the bill. However, it seems a time of reckoning has arrived for higher education institutions that remain non-compliant.
For over a decade, GLBA compliance was completely self-regulated, with no oversight and no consequences for non-compliance. While the U.S. Department of Education (ED) sent out the occasional letter to remind colleges and universities of their responsibilities under GLBA, little or no action was taken to ensure schools were compliant. After a decade of significant cybersecurity incidents at higher education institutions, 2019 brought an amendment from the ED: GLBA compliance checks are now required as part of annual federal compliance audits.
Enforcement of Cybersecurity Requirements Under GLBA
Even with the new audit requirements, there was little confirmation about how institutions would be affected by the audit process. While regulations were outlined, specific information to help universities and colleges prepare was scarce.
On February 28, 2020, the Federal Student Aid (FSA) department of the ED created an electronic announcement outlining the details of future enforcement of GLBA compliance for colleges and universities. The first half of the announcement covers the reminders issued in 2015 and 2016, then reviews the basic requirements outlined for audits in 2019.
After these reminders, colleges and universities are introduced to the course of action to be taken when audits reveal non-compliance.
When an institution has failed to comply with any required GLBA standards, the finding will be included in an audit report which will be passed along to the Federal Trade Commission (FTC). The FTC will then determine which actions need to be taken as a result. In addition to the FTC, audit results will also be revealed to the Federal Student Aid's Postsecondary Institution Cybersecurity Team (Cybersecurity Team). Additional information may be requested to allow the cybersecurity team to assess the level of risk to student data.
Risk evaluation from the cybersecurity team could lead to serious consequences. If the institution or servicer poses a substantial risk to the security of student information, the following actions may be taken.
- Temporarily or permanently disabling the institution's access to ED information systems
- Referral to the Department's Administrative Actions and Appeals Service Group for consideration of a fine or other appropriate administrative action by the Department
While this is a big deal for colleges and universities, it isn't really new information. The penalties for non-compliance with GLBA regulations have always included the potential for costly fines, or even worse, losing federal funding for financial assistance. Yet, the atmosphere surrounding the penalties is changing. This new documentation from the FSA provides clear guidelines of enforceable issues and the actions that will immediately follow a failed audit.
We know that the FTC has penalized major companies like PayPal for GLBA non-compliance. While schools haven't faced penalties in the past, there's no doubt that future audits will include consequences.
The Potential for an Increased Need for Financial Aid
Like most areas of the planet, higher education has been heavily affected by COVID-19. Physical attendance was impossible at most colleges and universities for several months, and online learning became the norm for both college students and those in high schools. While these measures were necessary, they left students with fewer resources.
Applications for financial aid have suffered a more than 9% drop from last year. Unfortunately, this doesn't mean fewer students need assistance. In fact, students in schools with high concentrations of low-income students and students of color saw the biggest drops in completion of the Free Application for Federal Student Aid (FAFSA). Without the assistance of in-school personnel like teachers and counselors, fewer students are applying for financial aid or seeking ways to attend college.
In light of these numbers and the potential for significant drops in attending students, colleges and universities will likely promote the use of financial assistance for potential students. Additionally, the pandemic has shaken up the job market in practically every industry. This could lead to unemployed adults seeking financial aid in an attempt to secure education for a new career. With many families still in crisis and the cumulative effects of COVID far from over, schools may be processing more financial aid requests and taking on more cybersecurity challenges. These changes could mean organizations that weren't subject to GLBA in the past are suddenly required to comply.
GLBA Requirements for Higher Education Institutions
GLBA is made up of a privacy rule (which regulates the collection and disclosure of financial information) and a safeguards rule (which states that organizations must implement security programs to protect sensitive personal information). For higher education institutions, the question quickly becomes "What steps do I take to become GLBA compliant?" Luckily, GLBA does outline the points that must be covered in a cybersecurity plan.
Comply with GLBA Financial Privacy Rule
This simply means higher ed institutions will need to have a specific plan to determine:
- What: The types of sensitive information that must be collected
- How: Use and sharing practices of sensitive data
- Who: Who has access to sensitive data
- Policies: Procedures used to protect sensitive data
Students must be notified about this plan upon signing up for financial aid and each year until graduation. For most colleges and universities, compliance with the privacy rule is already in place. Colleges and universities are deemed to comply with the GLBA Privacy Rule if they comply with the Family Educational Rights and Privacy Act (FERPA).
Follow Safeguards Standards
The safeguards rule is designed to outline standardized requirements for adequately safeguarding customer information. It includes multiple elements institutions must follow to achieve and maintain GLBA compliance. In essence, it states that organizations must have a written security plan, and it outlines the specific points that plan must cover to provide adequate safeguards.
Like most pieces of legislation, the GLBA isn't exactly brief or easy to digest. The steps below describe how higher education institutions must comply with the GLBA safeguards rule.
Develop an Individualized Plan
Higher education institutions must develop a plan suited to the size and complexity of the organization, the nature and scope of its activities, and the sensitivity of the information it handles. Depending on these factors, your information security plan may fit on a single page or span multiple documents. Similarly, a single employee or a complete team can be designated to oversee the plan's make-up and maintenance. The requirements are designed to be flexible enough to allow organizations of different sizes and scopes to create effective safeguards for sensitive data.
Safeguards Rule Plan Requirements
Certain elements are required to be a part of any GLBA compliant safeguard plan. Take these steps to complete each of the required elements of the safeguards rule.
- Designate an employee or employees to coordinate your security program.
- Identify potential internal and external risks that could compromise sensitive data and assess current safeguard practices for effectiveness. The risk assessment must include the effectiveness of:
  - Employee training and management
  - Information systems (network and software design)
  - Methods for information processing, storage, transmission, and disposal
  - Detecting, preventing, and responding to attacks, intrusions, or other system failures
- Design and implement safeguards to target risks realized from routine risk assessments, and regularly test these safeguards to ensure continued effectiveness.
- Oversee service providers by taking these steps:
  - Select and maintain service providers with the tools and capabilities to maintain safeguards for the sensitivity level of the data you collect and store.
  - Require your service providers by contract to implement and maintain such safeguards.
- Evaluate and improve your organization's security plan in response to weaknesses revealed in routine testing, institution growth, changes in operations or business arrangements, or any other circumstances that might impact the effectiveness of your information security program.
Perform Annual Independent Audits
Since 2019, GLBA compliance checks have been part of the Federal Student Aid (FSA) and Department of Education (ED) annual federal compliance audits. The amendment to the audit guide specifies the following required procedures for GLBA compliance.
- Verify that an employee has been designated to coordinate the information security program for your institution.
- Verify that the institution has performed a risk assessment that addresses the three required areas noted in 16 CFR 314.4(b) (or step 2 above).
- Verify that a safeguard has been documented for each risk identified in the risk assessment.
To adequately prepare for an audit, you must be able to identify the employee or team responsible for the coordination and maintenance of your institution's information security plan, share the results of your completed risk assessment, and verify safeguards to prevent future risks.
Campus Cybersecurity Program and the Future of GLBA
There's no doubt that cyberattacks are a problem for higher education institutions. Attacks requesting ransoms of over a million dollars can mean severe financial implications for schools already operating on a shoestring budget. Data breaches can be equally damaging when access to social security numbers and financial information is involved.
Between 2019 and 2020, ransomware attacks against colleges doubled. Yet, ransomware isn't the only threat. Phishing attempts that target emails have been known to cut off student access to campus Wi-Fi and other online learning systems. Paying oversized ransoms is a big deal for colleges and universities, but cyberattacks have long-lasting impacts on schools in other ways as well. No matter how much money is paid, there's no guarantee that data will ever be recovered or software will ever be successfully restored. Additionally, the impact on a school's reputation after a significant attack can be difficult to recover from. As the complexity, severity, and frequency of these attacks increase, it's clear that cybersecurity standards will need to improve to mitigate these growing threats. Recent actions by the FTC and FSA make it clear that change is coming.
Proposed Changes to the GLBA Safeguards Rule
While it's true that the GLBA hasn't changed, alterations might be on the horizon. As technology changes and more cybersecurity threats are recognized, the Federal Trade Commission (FTC) is considering potential ways the GLBA safeguards rule should be changed to mitigate potential threats. On July 13, 2020, the FTC held an online workshop to examine proposed amendments to the GLBA safeguards rule.
Proposed changes to the safeguards rule that commenters were asked to weigh in on include:
- Whether the safeguards rule should include more specific requirements for information security programs
- Whether the inclusion of an incident response plan should be required
- Whether the rule should incorporate any other information security standards or framework like NIST
- Whether the rule should contain its own definition of financial institution
- Whether the definition of financial institution should be expanded
Mixed comments were received regarding the proposals. The main concern for most organizations is that the proposed changes will reduce the flexibility of the rule. While it's generally agreed that a checkbox approach to compliance would be a negative change, there are still concerns about the need for an update.
The FSA's New Campus Cybersecurity Program
Despite being in a global pandemic, 2020 was a busy year for the FSA. Along with the increased regulations for GLBA audits, the FSA is finalizing the framework for the Campus Cybersecurity Program. On December 18, 2020, the FSA released an electronic statement introducing a multi-year phased implementation of the new program.
Alongside the objective of protecting controlled unclassified information (CUI) through compliance with National Institute of Standards and Technology (NIST) Special Publication 800-171 Rev. 2, the letter cites continued compliance with GLBA. In the past, NIST compliance hasn't been a requirement of GLBA. However, a letter released in 2016 by the ED to remind institutions of higher education (IHEs) of their obligation to maintain GLBA standards "strongly encourages institutions to review and understand the standards defined in the NIST SP 800-171". This letter was also where the addition of GLBA compliance to the annual student aid compliance audit was first mentioned.
So, does this mean the campus cybersecurity program will be a part of GLBA compliance? Not exactly. It's more likely that GLBA will be a component of the program. A PDF describing the program's rollout combines GLBA with NIST SP 800-171 as a way to reach proactive risk management. It also clarifies that sensitive financial and privacy data handled by colleges and universities are considered controlled unclassified information (CUI) and are therefore subject to NIST compliance. Notable examples of CUI in the list include student records, personnel records, and federal taxpayer information.
Even with information about near-term, intermediate-term, and long-term goals, the specific regulations of the program are vague. Yet, it's clear that higher ed institutions will be required to perform self-assessments soon. While the FTC faced considerable pushback about adding NIST SP 800-171 to the GLBA safeguards rule, it seems inevitable for Title IV colleges and universities.
How Can Colleges and Universities Prepare for Upcoming Audits?
It's clear that higher education institutions face many cybersecurity threats and must have the technology in place to protect students, staff members, and families. Still, the sweeping changes that many organizations face will be difficult to complete. GLBA compliance isn't new, but the immediate and stiff penalties suggested for non-compliance are. Many of these changes will be adopted quickly, leaving some schools scrambling to catch up. For all higher education institutions, getting started immediately is the best course of action. No matter what stage of compliance you've reached, it's essential to always look toward the potential threats of the future.
Begin with a GLBA Compliance Assessment
How well do you know your organization's information security program? Are you prepared to discuss it with an auditor today? Every institution needs a system in place to determine whether the existing security program meets all the criteria for GLBA. While the regulations are flexible, they're designed for organizations to fill in the blanks with specific information. To assess your organization's GLBA compliance readiness, download the free GLBA Guide for Higher Education from BitLyft Cybersecurity. It includes a step-by-step guide of best practices for institutions and a checklist for compliance.
Learn More About NIST SP 800-171
The ED and FSA have been promoting NIST standards as a way to maintain GLBA compliance for several years. These regulations are generally considered the standard for many cybersecurity programs. In 2016, ED released these recommended requirements for institutions to establish NIST SP 800-171 compliance.
- Limit information access to authorized users.
- Ensure system users are properly trained.
- Create audit records for information systems.
- Establish baseline configurations and inventories of systems.
- Identify and authenticate users appropriately.
- Establish the ability to respond to incidents.
- Perform appropriate maintenance on information systems.
- Create an adequate system to fully protect both paper and digital media.
- Screen individuals before authorizing access to sensitive data.
- Limit physical access to systems.
- Conduct routine risk assessments.
- Assess security procedures periodically and implement action plans to address shortfalls.
- Monitor, control, and protect inter-organizational communications.
- Identify, report, and correct information system flaws in a timely manner.
Choosing the Right Partner for a Complete Security Solution
For many colleges and universities, utilizing the personnel and resources required to create an efficient and accurate in-house cybersecurity team is simply impossible. Higher education institutions face strict budgets and unique information networks that make them highly accessible to attackers. GLBA compliance begins with an individualized plan designed to protect the specific information handled by your institution. Yet, to keep up with the growing and changing threats, the program must always be evolving.
A managed security service provider (MSSP) provides outsourced monitoring and management of security devices and systems such as managed firewalls, intrusion detection, virtual private networks, vulnerability scanning, and antivirus services. These services are customized to the size of an institution and the scope of its sensitive data to create a program that can meet the requirements of GLBA. Managed detection and response (MDR) is a more advanced security service that adds active capabilities like threat intelligence, threat hunting, security monitoring, and incident monitoring and response. Together, these tools provide protection that meets the requirements of the safeguards rule. For complete GLBA compliance, your service provider must have those tools along with the experience to understand the complex demands of education networks and freedom of information.
BitLyft is a full-service cybersecurity company with extensive experience working with higher education institutions. We understand the complex challenges the education system faces when simultaneously providing access to information and protecting sensitive data from threat actors. Our cybersecurity experts can help colleges and universities meet GLBA compliance and incorporate the requirements of NIST SP 800-171 and/or CMMC into your individualized program. To get started on the path to GLBA compliance, download our complete guide right away.
For more information about how we can help you achieve a complete cybersecurity program to meet your institution's complex security regulations, get in touch with our cybersecurity experts.