Understanding the Recent Changes to the Safeguards Rule and What They Mean for Higher Ed

April 13, 2022

The Federal Trade Commission issued a final rule amending the standards to strengthen the Safeguards Rule for Customer Information under the Gramm-Leach-Bliley Act (GLBA). The amendments have implications that all higher education institutions need to be aware of, including actions required for compliance before the end of the year.

For starters, all public and private Title IV institutions (both nonprofit and for-profit) must adhere to the cybersecurity requirements outlined by the GLBA. Any institution that holds non-public personal data, such as Social Security numbers, bank account information, or contact information, when offering a financial product or service, such as financial aid, housing credits, or student loan servicing, is required to be fully compliant with the GLBA before the end of this calendar year. This is to protect student data against unauthorized access that could cause lasting harm and inconvenience to an individual.

Here is a quick snapshot of what this means for higher education.

Designation of a Qualified Individual to Serve as the Institution’s Chief Information Security Officer

Prior to the latest Safeguards Rule, an institution could share the responsibilities of a CISO across multiple individuals in different roles. With the latest amendment, however, a single qualified individual is now required to run point and oversee the institution’s Information Security efforts. This CISO can be hired onto payroll or outsourced to a qualified individual for virtual CISO services. In the landscape of budget cuts and the Great Resignation, we are seeing a noticeable uptick in institutions exploring shared CISO services as an affordable solution with 24×7 monitoring and support.

Implement a Comprehensive Information Security Program and Perform Routine Risk Assessments

Your institution must have a detailed Information Security program that is based on a written risk assessment that identifies “reasonably foreseeable internal and external risks to the security, confidentiality, and integrity” of the student data you maintain. Avoid the unauthorized disclosure, misuse, alteration, and destruction of your students’ information, and routinely assess whether the safeguards in place are mitigating and controlling these risks. Your written risk assessment plan must include foundational criteria to evaluate and categorize the information security risks for your institution; foundational criteria to assess the quality and efficiency of your information security system; and details on how any identified risks will be mitigated and assessed and how your information security program will address said risks.

Information Security Program Design and Implementation Checklist:

  • Access controls to authenticate users of information systems
  • Access controls to restrict access to student/customer information in physical locations
  • Inventories of data, personnel, devices, systems, and facilities
  • Encryption of all prospective student, student, parental, and alumni information in transit and at rest
  • Secure development practices for applications developed in-house and used for transmitting, accessing, or storing non-public, personal data
  • Multi-factor authentication for any individual accessing student/customer information or internal networks that contain student/customer information
  • Audit trails to detect and respond to all security events
  • Secure disposal procedures for student/customer information that is no longer necessary for the institution’s “business operations or other legitimate business purpose”
  • Change management procedures for additions, deletions, or modifications to the information systems
  • Monitoring for authorized user activity and unauthorized access, use, or tampering of customer information
  • Providing comprehensive “security awareness training” to relevant employees
  • Periodic risk-based assessments of service providers
  • A detailed incident response plan
  • Routine reporting by the CISO, at least annually, to your institution’s Board or equivalent

Overhauling your institution’s information security program to guarantee compliance with the new GLBA standards can be daunting, but OculusIT is here to help. We offer high-touch, virtual Chief Information Security Officer services with 24×7 monitoring from higher education experts, all at an affordable price. If your institution could benefit from the guidance and leadership of our shared services model, let us know.

About the Author 

As Chief Information Security Officer at OculusIT since 2016, Vince Vargiya has over 15 years of experience in Cyber Security and Risk Governance. He is an influential leader and risk auditor. As a security practitioner, he is skilled at defining and implementing strategic direction. His areas of expertise include ISMS, GDPR, GLBA, PCI-DSS, NIST, BCP, PIMS, cyber security, cloud security, application security, data center management, and automation.

About OculusIT 

OculusIT is a global, all-inclusive managed IT, security, and cloud services company dedicated to serving the education industry. Our strategy is to offer the most cost-effective and responsive partnership that provides flexibility and nimbleness in response to economic changes and directly contributes to higher education’s ability to provide and maintain the highest quality IT services. OculusIT grows with you, adapts to you, and ensures consistency and continuity of service with a partnership, service philosophy, and cost savings unparalleled in the higher education IT services domain.