(August 31, 2017 – Jarret Cummings) The draft text of the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule audit objective for the FY18 federal single audit is now available from Federal Student Aid (FSA) [https://ifap.ed.gov/eannouncements/Cyber.html] (see "FY18 Audit Language" [https://ifap.ed.gov/eannouncements/attachments/FY18DraftLanguageSecuringStudentInformation.pdf]). The text will not be official until it is released in the FY18 audit compliance supplement. Its availability from FSA, however, indicates that EDUCAUSE members can utilize it to inform audit preparations. Since those preparations usually get underway shortly after the start of the fiscal year (October 1), members should begin working with their institution's business office and audit firm to assess the objective's impact and how best to meet it. For more details, please see below.
Earlier this year, the federal Office of Management and Budget (OMB), working with FSA, announced that a GLBA Safeguards Rule audit objective would be included in the federal single audit process that most colleges and universities have to follow. OMB and FSA originally proposed text for the objective that EDUCAUSE and other groups found problematic, especially given the indication it would apply to FY17 audits, preparations for which most institutions had begun months previously.
OMB and FSA carefully considered the feedback provided by the higher education and audit communities, and ultimately decided to rewrite the objective in a clearer, more concise fashion. Following further dialogue with EDUCAUSE and others, the agencies agreed to delay the objective's implementation until the FY18 audit process as well.
The revised draft of the audit objective was not made public at the time that OMB and FSA shared the decision to delay its implementation, however. EDUCAUSE could allude to its likely form, as discussed in the post about the revised draft, but members and other stakeholders might reasonably have been cautious about acting on that information. Wanting to see the text itself and proceed with documenting Safeguards Rule compliance on that basis would be understandable, given the investment of time and effort involved in the audit process.
The availability of the draft text from the FSA site, though, signals that the text is sufficiently well-established for institutions to use in planning for the FY18 single audit. Members should now begin discussions with their business offices and audit firms about the process and documentation requirements they will need to meet to satisfy the following audit objective:
Determine whether the IHE [institution of higher education] designated an individual to coordinate the information security program; performed a risk assessment that addresses the three areas noted in 16 CFR 314.4 (b) and documented safeguards for identified risks.
Suggested Audit Procedures
a. Verify that the IHE has designated an individual to coordinate the information security program.
b. Obtain the IHE risk assessment and verify that it addresses the three required areas noted in 16 CFR 314.4 (b).
c. Obtain the documentation created by the IHE that aligns each safeguard with each risk identified from step b above, verifying that the IHE has identified a safeguard for each risk.
16 CFR 314.4 (b) contains the basic elements of the GLBA Safeguards Rule relating to risk assessments. The full text of that section reads:
(b) Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of your operations, including:
(1) Employee training and management;
(2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
(3) Detecting, preventing and responding to attacks, intrusions, or other systems failures.
In addition to the draft audit objective text, FSA will likely release a "Dear Colleague Letter" (DCL) to provide more guidance on what the objective means in the context of its overall goals for institutional cybersecurity, and thus how institutions might best fulfill the objective and plan for the future. EDUCAUSE and its partners look forward to working with FSA to inform that guidance, which we will share with members as soon as we are able. Resources you may want to review in the meantime include:
- The Higher Education Information Security Council's Information Security Guide: Effective Practices and Solutions for Higher Education
- FSA Cybersecurity Compliance [https://ifap.ed.gov/eannouncements/Cyber.html]
Jarret Cummings is the Director of Policy and Government Relations for EDUCAUSE.