{"id":387,"date":"2023-12-07T14:21:53","date_gmt":"2023-12-07T18:21:53","guid":{"rendered":"https:\/\/blogs.duanemorris.com\/updateeducation\/?p=387"},"modified":"2023-12-07T14:21:53","modified_gmt":"2023-12-07T18:21:53","slug":"2023-fiscal-audits-will-include-more-detailed-data-security-compliance-requirements","status":"publish","type":"post","link":"https:\/\/blogs.duanemorris.com\/updateeducation\/2023\/12\/07\/2023-fiscal-audits-will-include-more-detailed-data-security-compliance-requirements\/","title":{"rendered":"2023 Fiscal Audits Will Include More Detailed Data Security Compliance Requirements"},"content":{"rendered":"<p class=\"p1\">If you are a Title IV institution, compliance with the revised Safeguards Rule and implementation of the data security controls set forth in the revised Rule is now a required segment of your annual financial audit.<\/p>\n<p class=\"p1\">The Federal Trade Commission\u2019s (FTC) amendment to the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA) became effective on June 9, 2023. The comprehensive amendment updated data security requirements for financial institutions, including all Title IV institutions of higher education. The U.S. Department of Education has increased enforcement authority by requiring auditors to verify an institution\u2019s compliance with components of the Safeguards Rule.<\/p>\n<p class=\"p2\">In March, the U.S. Department of Education updated the\u00a0<i>Guide for Financial Statement Audits of Proprietary Schools and For Compliance Attestation Examination Engagements of Proprietary Schools and Third-Party Servicers Administering Title IV Programs\u00a0<\/i>(\u201cAudit Guide\u201d). 
The Audit Guide is effective for fiscal years beginning on or after January 1, 2023, and will be in place for all audits conducted in 2024 and beyond.<\/p>\n<p class=\"p3\">The Audit Guide reinforces that Title IV institutions must adhere to the strict cybersecurity requirements set forth in the Safeguards Rule including a requirement to \u201cdevelop, implement, and maintain a written, comprehensive information security program.\u201d The objective is to \u201cDetermine whether the school designated an individual to oversee, implement, and enforce the school\u2019s information security program and whether the school\u2019s written information security program addresses six additional required elements.\u201d<\/p>\n<p class=\"p3\">In addition to verifying that the institution has designated a qualified individual, the auditor must also verify:<\/p>\n<p class=\"p4\"><span class=\"s1\">1.<\/span><span class=\"s2\">\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>The information security program is based on a risk assessment\u00a0that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks;<\/p>\n<p class=\"p4\"><span class=\"s1\">2.<\/span><span class=\"s2\">\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>Design\u00a0and implementation of eight safeguards set forth in the regulation to control the risks the school or servicer identifies through its risk assessment;<\/p>\n<p class=\"p4\"><span class=\"s1\">3.<\/span><span class=\"s2\">\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>Regular testing or otherwise monitoring the effectiveness of the safeguards implemented;<\/p>\n<p class=\"p4\"><span class=\"s1\">4.<\/span><span class=\"s2\">\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>Implementation of policies and procedures to 
ensure that personnel are able to enact the information security program;<\/p>\n<p class=\"p4\"><span class=\"s1\">5.<\/span><span class=\"s2\">\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>How the school or servicer will oversee its information system service providers; and<\/p>\n<p class=\"p4\"><span class=\"s1\">6.<\/span><span class=\"s2\">\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>The evaluation and adjustment of an institution\u2019s information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the information security program.<\/p>\n<p class=\"p3\">An institution\u2019s failure to implement an information security program with the required elements by June 9, 2023 (the effective date of the Safeguards Rule) may result in an audit finding. If an institution has not implemented an information security program with the required elements by\u00a0December 31, 2023, the institution will receive an audit finding and must submit a Corrective Action Plan (\u201cCAP\u201d). Moreover, FSA\u2019s Cybersecurity Team and the Federal Trade Commission (FTC) will be informed of the audit findings regarding the Safeguards Rule and may request additional information to assess the level of risk to student data.<\/p>\n<p class=\"p3\">In an Electronic Announcement issued in February 2023 regarding cybersecurity compliance, the Department stated that a finding of non-compliance will be resolved as part of the Department\u2019s determination of an institution\u2019s administrative capability. 
Additionally, repeated non-compliance may result in administrative action impacting Title IV participation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you are a Title IV institution, compliance with the revised Safeguards Rule and implementation of the data security controls set forth in the revised Rule is now a required segment of your annual financial audit. The Federal Trade Commission\u2019s (FTC) amendment to the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA) became effective on June &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/blogs.duanemorris.com\/updateeducation\/2023\/12\/07\/2023-fiscal-audits-will-include-more-detailed-data-security-compliance-requirements\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;2023 Fiscal Audits Will Include More Detailed Data Security Compliance Requirements&#8221;<\/span><\/a><\/p>\n","protected":false},"author":372,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"ppma_author":[183,269],"class_list":["post-387","post","type-post","status-publish","format-standard","hentry","category-general"],"authors":[{"term_id":183,"user_id":372,"is_guest":0,"slug":"jhigh","display_name":"Jessica S. 
High","avatar_url":"https:\/\/blogs.duanemorris.com\/updateeducation\/wp-content\/uploads\/sites\/44\/2022\/11\/9L3A0052web-1-100x100.jpg","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""},{"term_id":269,"user_id":504,"is_guest":0,"slug":"mhdonovan","display_name":"Michelle Hon Donovan","avatar_url":"https:\/\/blogs.duanemorris.com\/updateeducation\/wp-content\/uploads\/sites\/44\/2023\/04\/honmichelle-100x100.jpg","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/blogs.duanemorris.com\/updateeducation\/wp-json\/wp\/v2\/posts\/387","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.duanemorris.com\/updateeducation\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.duanemorris.com\/updateeducation\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/updateeducation\/wp-json\/wp\/v2\/users\/372"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/updateeducation\/wp-json\/wp\/v2\/comments?post=387"}],"version-history":[{"count":0,"href":"https:\/\/blogs.duanemorris.com\/updateeducation\/wp-json\/wp\/v2\/posts\/387\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.duanemorris.com\/updateeducation\/wp-json\/wp\/v2\/media?parent=387"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/updateeducation\/wp-json\/wp\/v2\/categories?post=387"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/updateeducation\/wp-json\/wp\/v2\/tags?post=387"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/updateeducation\/wp-json\/wp\/v2\/ppma_author?post=387"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}