Register for the EDUCAUSE Annual Conference today. Extra 25% off in-person registration, through July 8. →
SPONSORED CONTENT: KAI Partners

Top 10 GLBA Pitfalls in Higher Education

Authors:
Stephen Heath
Published:
Monday, February 9, 2026
Columns:
Industry Insights
min read


Implementing a Gramm-Leach-Bliley Act compliance program may seem overwhelming, but you can stay on the auditor's good side by showing progress.

KAI Partners

I'll start with a simple truth: Most cybersecurity failures in higher education aren't technology problems. They're communication problems. When leadership and IT departments talk past each other, security investments stall, requirements get misunderstood, and manageable risks turn into public incidents. The real work is translating technical risk into clear impacts on students and institutional mission.

Gramm-Leach-Bliley Act (GLBA) compliance sits squarely in the middle of that challenge. Colleges and universities fall under the GLBA umbrella because they handle student financial aid data, and the expanded Safeguards Rule of the Federal Trade Commission (FTC) makes expectations clear: If an institution touches this data, the institution must protect it with bank-grade seriousness. In practice, that means demonstrating intent, process, and progress—not perfection.

Across campuses, I see the same mistakes repeated again and again. Each one is fixable, often with tools and people the institution already has. Below are ten common pitfalls, quick actions that can change the compliance trajectory, and the language that resonates with presidents, chancellors, boards, and faculty.

1. No Written Information Security Program

A written information security program (WISP) is the umbrella that shows how your institution manages risk. The program doesn't need to be massive, but it does need to answer four basic questions:

  1. Who is responsible (by title) and what authority does that person have?
  2. What systems and data are in scope (including where student financial aid data lives on premises and with third parties)?
  3. How is that information safeguarded at a policy level? (For example, "Multifactor authentication [MFA] is enforced on systems with student financial information.")
  4. When is the program reviewed and improved?

Quick action: Check your board policy. If it doesn't delegate authority and requires periodic review, fix that first. A simple policy that does just those two things is the backbone of a defensible GLBA program.

How to talk about it: "If it isn't written down, it doesn't exist."

2. No "Qualified Individual" with Real Authority

GLBA requires institutions to designate a qualified individual (QI) to oversee the information security program. The regulation doesn't mandate specific certifications or job titles. In higher education, the QI is usually the senior IT or security leader (CIO, CTO, or CISO). The QI is designated by title and given authority to direct the implementation of the program.

Institutions can get into trouble by naming a QI without giving that person real decision rights. If the person responsible for the program can't enforce controls, set priorities, or escalate risk, the designation is symbolic. Regulators notice the difference.

Quick action: Make sure the board policy specifies a qualified individual and requires that they report to the board annually.

How to talk about it: "We need one clearly accountable executive for the security program."

3. Outdated or Missing Policies and Standards

Severely outdated documents can be worse than no documents. I've seen WISPs that reference mainframes that were decommissioned a decade ago.

GLBA expects living documents that reflect how an institution operates today, not how it operated yesterday or how it will operate next year. An annual review is a defensible standard, and concise policies outperform sprawling binders that no one reads.

Quick action: Add "Reviewed: Month, Year" to every document. Schedule a quick refresh with the people who run the controls. Keep it at a high level and push technical details to separate standards or playbooks.

How to talk about it: "Something changes every year; we need to capture that."

4. Treating Risk Assessment Like a Scan or a Pen Test

A vulnerability scan or pen test is not a GLBA risk assessment. A real risk assessment documents foreseeable risks, current controls, and residual risk, and explicitly states whether each risk is acceptable or can be reduced, transferred, or avoided. When auditors visit, they are looking for your thought process. If you can walk them through it, you will get more grace. If you can't, the conversation will be short.

Quick action: After the board policy is in place, get budget approval for a third-party risk assessment. Auditors will ask for it early, and not having one puts you on the back foot.

How to talk about it: "Auditors want patterns and progress, not perfection."

5. No Multifactor Authentication

The Safeguards Rule is risk-based and generally avoids prescribing specific controls. MFA is the glaring exception. MFA is expected for access to systems that store or can reach student financial information (think enterprise resource planning [ERP] platforms, identity and email, administrative access, and any other environment where Title IV data could reasonably exist).

Compromised credentials remain one of the most common starting points for ransomware. MFA makes it much harder for bad actors to access systems and services.

Quick action: Start with remote users and privileged users and then move to staff. Faculty often require additional political capital, so lean on GLBA requirements when necessary. Treat student MFA as a nice-to-have.

How to talk about it: "GLBA requires MFA. Period."

6. Sporadic or Missing Security Training

"Offered" training doesn't count if no one finishes it. GLBA expects you to train people and to prove they completed the training. Short, focused, repeatable modules work best: phishing awareness, handling lost devices, avoiding misdirected email, and understanding how to respond when something goes wrong. Practical beats perfect.

Quick action: For most campuses, buying training is more realistic than building it. Use a vendor that provides short modules and completion reporting.

How to talk about it: "If we can't prove that people were trained, auditors assume they weren't."

7. Not Keeping the Board Informed

GLBA doesn't expect campuses to run a 24/7 security operations center. However, it does expect institutions to check whether controls still work and to keep the board informed about the state of the program. The fastest way to lose credibility is to treat compliance as a one-time project rather than an ongoing management responsibility.

In public higher education, reporting on your security program can conflict with transparency. To address this, I recommend that reports in open sessions are kept at a high-level. Sensitive details can move to a closed session with counsel when appropriate.

Quick action: If you have not reported to the board within the last twelve months, request to be on the agenda as soon as possible.

How to talk about it: "Patterns and progress." Say it often, write it down, and then show it.

8. Not Planning for the Worst Day

Disaster recovery, business continuity, and incident response plans don't need to predict every threat. They do need to spell out what happens on your worst day, including which systems must come back first, where backups live, who calls whom, and who has decision-making authority. The best plans are easy to locate, understand, and execute under pressure.

Quick action: Schedule a two-hour tabletop exercise with a hypothetical scenario. For example, "The ERP goes down for forty-eight hours during the second week of the academic term." Capture the basics: Where are the backups? What can we do? When do we need to call the vendor? Who can decide what? Do we have cell phone numbers for the response team and key stakeholders?

How to talk about it: "What would we do if . . . ?"

9. Ignoring Third-Party and Vendor Risk

GLBA applies to your service providers, not just your campus. If vendors store, process, or can access student financial information, you are responsible for ensuring they safeguard it appropriately. Where institutions stumble is assuming procurement language or a signed contract equals risk management.

Auditors will ask two simple questions: "Who are your high-risk vendors?" and "Can you show that you've assessed their risk?" If the answer to either question is no, the conversation quickly goes sideways.

Quick action: Get to know your procurement team. Give them a one-page checklist of when to talk to the security team about a vendor (usually if a vendor stores, processes, or transmits student financial information, or has privileged access to systems that do). Ask the vendor for a Service Organization Control (SOC) 2 report or a completed Higher Education Community Vendor Assessment Toolkit (HECVAT).

How to talk about it: "We can't outsource accountability."

10. Assuming That GLBA Won't Be Enforced

During the initial years of a regulation, enforcement can feel distant. Don't count on it. As GLBA becomes a more mature regulation in higher education, expectations will rise. A breach, a Department of Education inquiry, or the inability to produce basic documentation can trigger deeper scrutiny. When that happens, the first things requested by auditors are your WISP and your risk assessment. If you can show these items, as well as a remediation roadmap with progress, you will most likely receive more grace.

Quick action: Make a roadmap based on your risk assessment. Track milestones on critical issues and report them to the board.

How to talk about it: "Hoping they'll never ask is not a compliance strategy."

A Right-Sized GLBA Start for Small Institutions

If you're a small institution without a CISO or dedicated security team, don't wait for perfect conditions. Start with a mandate. Ask the board or cabinet to authorize the information security program, designate the QI by title, and require an annual written update. A mandate establishes authority and opens the budget conversation that GLBA auditors expect.

From there, run two parallel tracks: Document a short, honest WISP and complete a focused risk assessment that clarifies the rationale for what must be remediated now versus budgeted for in a future fiscal year.

Board Buy-In

The lesson from my work with colleges and universities is simple: Translate security into outcomes leaders already care about: enrollment, retention, accreditation, and reputation. When you speak the board's language while staying precise about GLBA requirements, support follows.

The process that works under pressure is straightforward: Establish governance, document the program, assess risk, then frame the remaining gaps in business terms to unlock funding. Keep the focus on outcomes, not tools.

The Bottom Line

GLBA compliance isn't a box to check. It's a governance habit. Institutions that avoid the pitfalls described above can explain what could go wrong, show how risk is managed, prove people are trained, and report progress with candor.

If an auditor shows up tomorrow, you should have three things ready: your WISP, your latest risk assessment, and your annual report to the board with a clear corrective plan. Patterns and progress win the day.

Stephen Heath is Cybersecurity Executive Consultant at KAI Partners.

© 2026 KAI Partners, Inc.