FY23 Federal Single Audit Includes a New Safeguards Rule Audit Objective


The federal single audit includes a new Safeguards Rule audit objective for FY23 that incorporates new compliance elements associated with the Federal Trade Commission's updated Safeguards Rule.

The Office of Management and Budget (OMB) recently issued the FY23 Compliance Supplement,[1] which includes a newly revised audit objective for institutional compliance with the Federal Trade Commission's (FTC) Safeguards Rule. The U.S. Department of Education (ED) Office of Federal Student Aid (FSA) requested that the OMB add a Safeguards Rule audit objective to the federal single audit process several years ago, given that institutions agree to comply with the rule when they sign the Title IV Program Participation Agreement (PPA). Institutions must sign the PPA to participate in federal student assistance programs.

The previous Safeguards Rule objective had been in place since FY19. Its scope was fairly straightforward: institutional auditors only had to take a checklist approach—requiring no special IT or cybersecurity knowledge—to establish whether institutions met the foundational elements of the previous Safeguards Rule.[2] However, given that the FTC finalized extensive revisions to the Safeguards Rule in December 2021, the EDUCAUSE Policy team anticipated that FSA would pursue a revised audit objective reflecting those changes.[3] With those FTC changes taking effect on June 9, 2023, FSA chose to revise its Safeguards Rule audit objective starting with the FY23 audit process.

The changes in the new Safeguards Rule include the requirement that an institution designate a specific individual to lead the planning, implementation, and enforcement of its information security program.[4] This program must be developed, implemented, and maintained through a comprehensive written plan, which may be kept in one or more parts as long as it is available and readily accessible. The rule mandates that the data security risk assessment included in an institution's information security program incorporate a host of new—and more specific—security elements and a number of specific safeguards to mitigate identified risks.

The FY23 Safeguards Rule audit objective requires auditors to determine the following:

  • Whether the institution has designated a "Qualified Individual" to implement and monitor its Safeguards Rule-compliant written information security program.
  • Whether the institution has a written information security program that addresses the seven (out of nine) elements of the Safeguards Rule that all institutions must implement regardless of how many customer records they maintain. (Institutions maintaining customer information on fewer than five thousand consumers are exempted from the board reporting and written incident response plan requirements. These two elements are omitted from the audit objective as well.)

These requirements, together with the additional language included in the objective, led the EDUCAUSE Policy team to interpret the new audit objective as being similar in form to the original objective.[5] This means that auditors should continue to approach certifying Safeguards Rule compliance using a checklist approach that verifies the existence of a written information security program covering the specified elements without requiring particular security elements or safeguards to be validated—an activity that would require specialized IT audit services.

That said, the new requirements of the Safeguards Rule are such that the written information security program must sufficiently address the minimum level of compliance that the FTC prescribes across provisions spanning risk assessment, the design and implementation of safeguards based on this assessment (as well as those predetermined by the FTC in the rule itself), and regular testing of implemented safeguards, among other things. This expanded scope may lead to inconsistent evaluations by auditors, particularly in how they assess the substance of a written information security program. Members should coordinate with their finance, institutional administration, and audit firm partners to determine what their auditors will need to see to confirm institutional compliance with the new audit objective.

In the meantime, EDUCAUSE will work with other relevant higher education associations and the audit association community to determine whether uniform recommendations for applying the objective are warranted or in process. The Policy team will continue to keep members apprised of any relevant developments related to Safeguards Rule compliance.

On that note, a recently uncovered copy of the current version of the Student Aid Internet Gateway (SAIG) Agreement—which an institution must sign to exchange financial aid data electronically with the U.S. Department of Education—includes attestation that an institution is in full compliance with the revised Safeguards Rule. EDUCAUSE will examine anticipated developments related to the SAIG Agreement in a forthcoming article.

Notes

  1. See pages 5-3-77–5-3-80.
  2. For more information about the foundational elements of the previous Safeguards Rule, see Jarret Cummings, "The Safeguards Rule Audit Objective Is Here!" EDUCAUSE Review, July 11, 2019. The core checklist items include the following: (1) The institution has named someone to coordinate its information security program; (2) The institution has conducted a risk assessment covering employee training and management, networks and information systems, and incident response; and (3) The institution has implemented safeguards to address the identified risks in those areas.
  3. For more information, see Jarret Cummings, "Policy Analysis: Revised, Highly Prescriptive FTC Safeguards Rule," EDUCAUSE Review, December 2, 2021, and Jarret Cummings, "FY22 Federal Single Audit: Safeguards Rule Objective Unchanged," EDUCAUSE Review, August 10, 2022.
  4. The previous rule permitted the appointment of an individual or team to coordinate the information security program as sufficient for compliance purposes.
  5. The audit objective includes the following additional language: "Because the written information security program may be in one or more readily accessible parts and the Qualified Individual is responsible for implementing and monitoring the information security program, it is ED's expectation that the Qualified Individual would be able to provide the written information security program that addresses the elements required for the written information security program to the auditors." See page 5-3-79 of the Compliance Supplement.

Kathryn Branson is a Partner at Ulman Public Policy.

© 2023 EDUCAUSE. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.