The Safeguards Rule Audit Objective Is Here!


The FY19 federal single audit compliance supplement contains an objective for colleges and universities concerning Safeguards Rule compliance. Since the FY19 audit will be the first to address this issue, EDUCAUSE members are encouraged to collaborate with their business offices and external auditors to determine how best to respond.

Shortly before the Fourth of July holiday, the Office of Management and Budget (OMB) posted the Compliance Supplement [https://www.whitehouse.gov/wp-content/uploads/2019/07/2-CFR_Part-200_Appendix-XI_Compliance-Supplement_2019_FINAL_07.01.19.pdf] for the fiscal year 2019 (FY19) federal single audit. As a condition of receiving federal funding, including student financial aid, public and nonprofit colleges and universities must complete the single audit process.

As the EDUCAUSE Policy Team anticipated, the FY19 supplement includes an audit objective for institutional compliance with the Federal Trade Commission (FTC) Safeguards Rule, which implements the data security provisions of the Gramm-Leach-Bliley Act. The U.S. Department of Education (ED) Office of Federal Student Aid (FSA) has signaled since 2017 that it would seek this audit objective to support the Safeguards Rule compliance requirement it incorporated into the Title IV Program Participation Agreement (PPA) in 2015. (All institutions seeking access to federal student financial aid programs must sign the PPA in order to do so.)

The text of the audit objective is included below. You may also find it online [https://www.whitehouse.gov/wp-content/uploads/2019/07/2-CFR_Part-200_Appendix-XI_Compliance-Supplement_2019_FINAL_07.01.19.pdf] (see pages 5-3-53 and 5-3-54).

EDUCAUSE, NACUBO, and other higher education associations joined with accounting organizations in 2017 to advocate for a straightforward "checklist" approach to a Safeguards Rule objective. This approach would allow institutions and their auditors to establish compliance with the rule without requiring expensive, specialized auditors. Fortunately, FSA and OMB carried forward the commitments made during those negotiations and produced that type of objective.

As illustrated below, institutions will not have to address the content of their information security programs in responding to the objective. They will simply have to establish that they have implemented the core elements of the rule:

  • The institution has named someone to coordinate its information security program.
  • It has conducted a risk assessment covering employee training and management, networks and information systems, and incident response.
  • It has implemented safeguards to address the identified risks in those areas.

The objective does not, however, define what documentation an auditor will need to see from an institution, and in what format that documentation should be supplied, to confirm its compliance. In addition, given the newness of the objective, the audit community probably will not have time to develop a shared, recommended approach for auditors to follow. With that in mind, EDUCAUSE members should work with their finance and administration colleagues and their institution's audit firm to determine what their auditors will need to see to "check the boxes" on the Safeguards Rule audit objective. And even though FY19 still has a couple of months to go, chances are that most colleges and universities have already started preparing for the audit process, so now is the time to initiate the audit objective conversation at your institution if it is not already underway.

*****

FY19 Federal Single Audit Compliance Supplement

10. Gramm-Leach-Bliley Act—Student Information Security

SFA - Title IV Programs

Compliance Requirements

The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as "financial institutions" and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). Under an institution's Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)) The Department of Education provides additional information about cybersecurity requirements at [https://ifap.ed.gov/eannouncements/Cyber.html].

Audit Objectives

Determine whether the institution designated an individual to coordinate the information security program; performed a risk assessment that addresses the three areas noted in 16 CFR 314.4(b); and documented safeguards for identified risks.

Suggested Audit Procedures

a. Verify that the institution has designated an individual to coordinate the information security program.

b. Verify that the institution has performed a risk assessment that addresses the three required areas noted in 16 CFR 314.4(b), which are (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures.

c. Verify that the institution has documented a safeguard for each risk identified from step b above.
Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.

© 2019 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.